- Security researchers find phishing emails spoofing LinkedIn notifications
- The emails are distributing the ConnectWise Remote Access Trojan
- There are multiple red flags, including fake companies, fake images, and more
Cybercriminals are spoofing LinkedIn notification emails to deliver the ConnectWise Remote Access Trojan (RAT) malwareexperts have warned.
A new report from cybersecurity researchers Cofense Intelligence notes the phishing campaign likely started in May 2024 with an email mimicking a notification LinkedIn would send to a person when they receive an InMail message. The business platform does not allow people who are not connected to exchange messages, unless the sender is a Premium (paying) member. Then, they can use a service called InMail to reach out to people with whom they are not connected.
Receiving such a message would trigger an email notification from LinkedIn, which is what the attackers are spoofing here.
Bypassing email filters
There are multiple red flags in the email. First, the template used has been phased out by LinkedIn almost five years ago. Then, the supposed project manager/sales director sending the message does not exist, and the attached photo is labeled “executive16.png”. The profile picture used in the email belongs to the President of the Korean Society of Civil Engineering Law, a person called Cho So-young.
Finally, the company for whom the sender allegedly works is called “DONGJIN Weidmüller Korea Ind” and it, too, does not exist.
The email comes with one of two buttons: “Read More” and “Reply To”. Both trigger the download of ConnectWise, a remote administration tool that was originally part of ConnectWise ScreenConnect, a legitimate remote desktop software used for IT support and management. However, cybercriminals have hijacked it and abuse it as a Remote Access Trojan (RAT) to gain unauthorized control over systems.
The email made it past security filters primarily because of how email authentication settings were configured on the recipient’s system, the researchers added.
Even though the email failed SPF (Sender Policy Framework) and wasn’t signed with DKIM (DomainKeys Identified Mail), it still wasn’t outright rejected by the system. This happened because the email security policy, specifically DMARC (Domain-based Message Authentication, Reporting, and Conformance), was set to “oreject” instead of fully rejecting suspicious emails.
This setting likely allowed the email to be marked as spam but still land in the recipient’s inbox.