US-based business and employment service company LinkedIn has taken the top spot as the brand most impersonated by threat operators in phishing attacks.

The news comes as part of warning from cybersecurity researchers to users who state that on a global scale, phishing attacks spoofing LinkedIn now account for over 50% of all such insidious attempts.

A spike in spoofing using the LinkedIn brand

Recent data released by cybersecurity experts at CheckPoint has revealed a dramatic upswing in brand abuse phishing attacks using LinkedIn in to lure victims in Q1 of 2022. According to its researchers, in the final quarter of 2021, the brand was located in fifth position on a list of companies used in attacks. This effectively means that in just three months, the number of recorded attacks using the LinkedIn brand has rocketed from around 8% to 52%.

Germany-based delivery specialist DHL, which previously held the top spot on the list, has dropped to become the second most impersonated brand. DHL became the most mimicked brand in the last quarter of 2021, due to the increase in shopping and subsequent deliveries over the holiday period, with attackers keen to capitalise on the situation.

Shipping-related malicious messages of logistics companies DHL, Maersk, AliExpress and FedEx combined accounted for 21.8% in the first quarter of 2022, but this percentage is still less than half the number of attacks using LinkedIn alone.

Business branding exploited by attackers

In an impersonation sample provided by Check Point, a phishing email that managed to bypass security filters and reach a target inbox included LinkedIn branding. A company style specific to LinkedIn was used, along with its dedicated logo. The body copy of the phishing email included a bogus request for the recipient to contact a fake firm.

If the phishing target clicked an embedded button marked ‘accept’, they would be taken directly to a malicious phishing site designed to look identical to the login page for LinkedIn. The bogus website was being hosted at carriermasr.com/public/linkedin.com/linkedin.com/login.php, which was an unofficial URL.

What is causing the rise in LinkedIn-related attacks?

Phishing attacks on social media are now rising, a trend also recently noted by cybersecurity company, Vade. The takeover of user accounts on such platforms typically opens up an array of practical possibilities for malicious actors, making them a valuable target.

For instance, the threat actors may abuse compromised accounts to post links to sites hosting malware, directly send spyware to colleagues and contacts who trust them, and carry out spear-phishing attacks.

LinkedIn is a professional-focused platform, so threat actors using its branding are likely aiming to conduct spear-phishing attacks on targets of interest such as employees of particular companies and organisations.

Using the LinkedIn brand opens many opportunities to fool victims. Messages sent can include documents loaded with malware as attachments that pretend to be job offers or application forms to complete. If the files are opened, the malicious macros are activated and user devices and the networks they are connected to can become infected.