Researchers discovered a new LinkedIn phishing campaign that targeted approximately 700 users through Google Workspace by hosting the phishing page on Google Forms.
The phishing email itself prompted users to verify their LinkedIn accounts, and the subject line included the potential victim’s name to make it look more authentic.
There were three different hyperlinks in the email, but all of them eventually redirected the victim to the phishing page. Furthermore, the sender’s email address as shown above appears to belong to Paul University, which is based in Nigeria.
This address hasn’t been spoofed; it is a real email address of the university which the attackers seem to have taken control of, which helped them pass email “authentication checks like SPF, DKIM, and DMARC.”
Even though the attackers controlled a legitimate account, users should know that no one except LinkedIn would ask them to verify their account in such a situation, and even if LinkedIn did, it would not do so through a Google Forms page. Yet lack of awareness in such cases victimizes many.
The form page, on the other hand, also passed email security scanning since Google Forms itself is not a malicious site. It asked users for their usernames and passwords, which were then sent in plain text to the attackers. This is similar to previous malware campaigns we have covered where attackers used the cover of legitimate services to evade built-in security checks.
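Because the message passed SPF, DKIM and DMARC and its link pointed at a legitimate host, a defender cannot rely on those checks alone. The added example below (not code from the original article) shows a simple mail-filter heuristic that flags the combination this campaign relied on: a brand named in the text that does not match the sending domain, a credential prompt linking to a hosted form, and passing authentication results that suggest a compromised account rather than spoofing. The sender address, form URL and recipient are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the campaign described above; all addresses are placeholders.
SAMPLE_EMAIL = """\
From: Admissions Office <admin@example-university.example>
To: alice@example.com
Subject: Alice, please verify your LinkedIn account
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Your LinkedIn account needs verification. Confirm here:
https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID/viewform
"""

BRANDS = {"linkedin": {"linkedin.com"}}            # brand keyword -> domains allowed to send for it
FORM_HOSTS = {"docs.google.com", "forms.gle"}      # legitimate form hosts abused for credential capture

def _body_text(msg):
    # Collect every text/plain part so multipart messages are handled too.
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")

def flag_brand_impersonation(raw):
    """Return a list of reasons the message looks like brand impersonation (empty if clean)."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    authenticated = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    body = _body_text(msg)
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hosts = {re.sub(r"^https?://", "", u).split("/")[0].lower()
             for u in re.findall(r"https?://[^\s<>\"']+", body)}
    reasons = []
    for brand, domains in BRANDS.items():
        if brand in text and not any(sender_domain == d or sender_domain.endswith("." + d)
                                     for d in domains):
            reasons.append(f"mentions {brand} but sent from {sender_domain}")
    form_links = hosts & FORM_HOSTS
    if form_links and "verify" in text:
        reasons.append("credential prompt links to hosted form: " + ", ".join(sorted(form_links)))
    if reasons and authenticated:
        # Passing checks plus impersonation signals points at a compromised real mailbox.
        reasons.append("SPF/DKIM/DMARC pass: likely compromised legitimate account, not spoofing")
    return reasons
```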