Beware: Fake LinkedIn Emails Spreading Malware Disguised as Notifications

Cybercriminals are exploiting LinkedIn’s notification system to distribute malware through phishing emails, security researchers at Cofense Intelligence have revealed. The campaign, which began in May 2024, mimics LinkedIn’s InMail notifications—a feature that allows Premium members to message users outside their network. The fraudulent emails, designed to look like legitimate LinkedIn alerts, contain buttons labeled “Read More” or “Reply To,” which trigger the download of the ConnectWise Remote Access Trojan (RAT). This malware, originally a legitimate remote administration tool, is now being abused to gain unauthorized control over victims’ systems. The phishing emails are riddled with red flags, including outdated LinkedIn templates, fake sender profiles, and non-existent companies.

For instance, the sender’s profile picture is stolen from the President of the Korean Society of Civil Engineering Law, and the supposed employer, “DONGJIN Weidmüller Korea Ind,” is entirely fabricated. Despite these inconsistencies, the emails bypassed security filters due to misconfigured email authentication settings. Although the messages failed SPF (Sender Policy Framework) and lacked DKIM (DomainKeys Identified Mail) signatures, they were only marked as spam rather than rejected outright, allowing them to reach inboxes. To protect against such attacks, users are advised to scrutinize unexpected LinkedIn notifications, especially those from unknown senders.

Avoid clicking on suspicious links or buttons, and verify the authenticity of emails by checking for inconsistencies in sender details or company names. Cybersecurity experts also recommend ensuring that email security policies, such as DMARC, are set to fully reject suspicious emails rather than allowing them to land in spam folders. As phishing tactics grow more sophisticated, vigilance and robust email security measures are essential to safeguarding personal and professional data.
Source