Executive Impersonated in LinkedIn Overdue Payment Request
To complete this attack, cybercriminals first set up a LinkedIn lookalike domain titled receivables-linkedin.com, designed to appear as though it is a legitimate business entity of the LinkedIn website. The attacker also set up an email address of firstname.lastname@example.org—likely using the term 'exec' to add legitimacy to the username.
Once the infrastructure is complete, the attacker then sends an email with a LinkedIn invoice that asks for an overdue payment. The attacker then appears to forward that email alongside a note from the impersonated executive, requesting that the target pay the LinkedIn invoice today. In this email, the attacker uses display name deception and relies on the urgency induced by an executive message to set up the payment.
Why It Bypassed Traditional Security
In this case, both emails are sent from valid domains and valid endpoints. Neither email, whether the original LinkedIn impersonation or the executive approval, has a malicious payload in the form of links or attachments, which means that traditional threat intelligence-based tools have no indicators of compromise to act on. And because this is really a two-step attack that relies on both brand name recognition and executive urgency, the target is more likely to fall for it.
Detecting the Attack
Content analysis is required to detect the presence of invoice-related requests, which can indicate when an email should undergo additional scrutiny. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP email addresses, both professional and personal, to know when an executive is being impersonated. Additional insight into the domains included, such as age and lookalike analysis, can also help detect this attack.
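The three signals above can be combined in a few lines. The sketch below is an added example, not code from any product described here. It assumes a hard-coded VIP directory and brand list (in practice sourced from Active Directory and a brand inventory), uses a constructed sample message with a placeholder sender address, and leaves out domain age because that needs a WHOIS/RDAP lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed inputs (constructed): protected brands, VIP directory, invoice wording.
BRANDS = {"linkedin": {"linkedin.com"}}
VIPS = {"jane doe": {"jane.doe@corp.example"}}
INVOICE_RE = re.compile(r"\b(invoice|overdue|past due|payment|remit)\b", re.I)

# Constructed sample: executive "forward" wrapping the fake LinkedIn invoice.
SAMPLE = """From: Jane Doe <jane.exec@mailbox.example>
To: ap@corp.example
Subject: Fwd: Overdue invoice

Please pay this LinkedIn invoice today.

---------- Forwarded message ----------
From: Billing <billing@receivables-linkedin.com>
Your payment is overdue.
"""

def registrable(domain):
    # Naive last-two-labels rule; production code should use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def lookalike_brand(domain):
    """Return the brand name if it is embedded in a domain the brand does not own."""
    reg = registrable(domain)
    for brand, legit in BRANDS.items():
        if brand in reg.split(".")[0] and reg not in legit:
            return brand
    return None

def score_message(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    findings = []
    if INVOICE_RE.search(msg.get("Subject", "") + "\n" + body):
        findings.append("invoice_request")
    # Display name matches a VIP but the address is not one of theirs.
    known = VIPS.get(name.strip().lower())
    if known is not None and addr.lower() not in known:
        findings.append("vip_display_name_mismatch")
    # Check the sender domain and any sender domains quoted in a forwarded body.
    domains = {addr.rpartition("@")[2]}
    domains |= set(re.findall(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", body))
    for d in sorted(domains):
        brand = lookalike_brand(d)
        if brand:
            findings.append(f"lookalike:{brand}:{registrable(d)}")
    return findings
```

Neither message carries a link or attachment, so the findings come only from content, identity and domain analysis; any single finding is weak on its own, and it is the combination that warrants holding the message for review.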
Risk to Organization
Should this executive impersonation attack succeed, the target would pay the LinkedIn invoice amount to the attacker, costing hundreds or potentially thousands of dollars.