LinkedIn Accounts Under Attack
In recent weeks, the Cyberint research team has observed an alarming emerging trend – an ongoing and successful hacking campaign is targeting LinkedIn accounts, all following a consistent method. This campaign is currently affecting individuals worldwide, resulting in a significant number of victims losing access to their accounts. Some have even been pressured into paying a ransom to regain control or faced with the permanent deletion of their accounts. While LinkedIn has not yet issued an official announcement, it appears that their support response time has lengthened, with reports of a high volume of support requests.
Many individuals are reaching out to LinkedIn, sharing instances of hacked profiles, and seeking help across different social media platforms.
The Cyberint research team observed a notable increase not just in conversations about hacked accounts on social media but also in the frequency of searches for LinkedIn support and for advice on the recommended actions when an account is compromised.
Our analysis using Google Trends reveals a significant surge in the past 90 days in the volume of Google searches related to the hacked account campaign. Search queries such as “LinkedIn account hacked” or “LinkedIn account recovery” have experienced a substantial upward trend, as depicted in Figure 2, while the term “breakout” in place of percentage indicates that the search term grew by over 5000%.
Attack Method
The attack method employed in these instances remains consistent. There are two distinct scenarios:
- Temporary Account Lock: Victims whose LinkedIn profiles are temporarily locked receive an official email from LinkedIn (figure 5) notifying them of the security measure. In these cases, the accounts themselves are not compromised; however, suspicious activity or hacking attempts prompted the temporary lock. In this case, the threat actors possibly attempted to breach accounts with two-factor authentication or tried brute force attacks on passwords, leading LinkedIn to block these attempts. Affected users are requested to verify their accounts, update their passwords, and regain access.
- Full Account Compromise: In more unfortunate situations, victims’ LinkedIn accounts are fully hacked, leaving them unable to recover their accounts independently. In these instances, the threat actors follow a specific process to ensure account restoration is impossible. They first gain access to the account and change the account’s associated email address to another address, often a possibly generated address on the rambler.ru mail system. Then, the threat actors change the account password. By changing the email address, threat actors effectively remove the victim’s ability to restore their account via email, thereby leaving the account irrecoverable. Some victims have received ransom messages (typically requesting a few tens of dollars) to regain access, while others have witnessed their accounts being deleted outright.
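The full-compromise sequence described above (associated email replaced, then password changed shortly after) is something a service operator can flag in its own account audit log. The following is an added example, not code from Cyberint or LinkedIn; the event schema, account names, sample events and the 30-minute window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical schema (not LinkedIn's).
EVENTS = [
    {"ts": "2023-08-01T10:00:00", "account": "alice", "type": "email_changed",
     "new_email": "x9f3k@rambler.ru"},
    {"ts": "2023-08-01T10:02:30", "account": "alice", "type": "password_changed"},
    {"ts": "2023-08-01T11:00:00", "account": "bob", "type": "password_changed"},
    {"ts": "2023-08-02T09:00:00", "account": "carol", "type": "email_changed",
     "new_email": "carol.new@example.org"},
    {"ts": "2023-08-02T09:01:00", "account": "carol", "type": "password_changed"},
    {"ts": "2023-08-03T08:00:00", "account": "dave", "type": "email_changed",
     "new_email": "dave@mail.example.net"},
    {"ts": "2023-08-06T08:00:00", "account": "dave", "type": "password_changed"},
]

# Email domains each account has used before (constructed baseline).
KNOWN_DOMAINS = {"alice": {"example.com"}, "bob": {"example.com"},
                 "carol": {"example.org"}, "dave": {"example.com"}}


def find_takeover_sequences(events, known_domains, window=timedelta(minutes=30)):
    """Flag accounts whose email moved to a never-seen domain and whose
    password was then changed within `window` of that email change."""
    pending = {}   # account -> (time of suspicious email change, new address)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "email_changed":
            domain = ev["new_email"].rsplit("@", 1)[-1].lower()
            if domain in known_domains.get(acct, set()):
                pending.pop(acct, None)        # familiar domain: not suspicious
            else:
                pending[acct] = (ts, ev["new_email"])
        elif ev["type"] == "password_changed" and acct in pending:
            changed_at, new_email = pending.pop(acct)
            if ts - changed_at <= window:      # both steps close together
                alerts.append({"account": acct, "new_email": new_email,
                               "seconds_between": int((ts - changed_at).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_sequences(EVENTS, KNOWN_DOMAINS):
        print(alert)
```

An alert of this kind is a natural trigger for holding the email change until it is confirmed through the previous address, which keeps email-based recovery available to the legitimate owner.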
Impact of the LinkedIn Accounts Attack
Given the remarkable increase in hacked accounts and the consistent modus operandi, it is evident that a comprehensive campaign is underway targeting LinkedIn accounts. While the motive behind this campaign remains unclear, the implications of compromised professional LinkedIn accounts are deeply concerning. Threat actors could exploit compromised profiles for social engineering, manipulating others into engaging in harmful activities under the disguise of a trusted colleague or supervisor. Furthermore, instances of blackmail have surfaced, wherein victims are forced to pay for the threat actors’ financial gain. Moreover, valuable information exchanged in LinkedIn conversations between colleagues could be leveraged by threat actors for data gathering. Additionally, reputational damage is serious, as users often rely on LinkedIn to showcase their accomplishments, publish content, and bolster their professional image. Hacked accounts could be used to spread malicious content, erase years of contributions, or send damaging messages to connections, severely damaging an individual’s reputation. Users’ substantial efforts in building connections, followers, and reputations over time could be destroyed in seconds.
Campaign Motive
Although the specific intentions of the threat actors are still uncertain, whether they are financial, phishing, or internal information acquisition, the potential impact on victims is serious. While a complete picture is still emerging, there are a few potential methods by which the threat actors might have first gained access to the mentioned LinkedIn accounts. One possibility is that they have obtained data from an exclusive LinkedIn breach and are leveraging it to breach accounts that lack two-step verification. Another method could involve the use of brute force tools to penetrate the accounts, particularly those with shorter passwords.
What Can You Do
So, what can you do to safeguard your account?
- Check Account Access: We strongly advise you to log into your account and confirm your continued access promptly. Also, make sure all your contact information is genuine and is yours. If you find yourself locked out and unable to recover using your email, reach out to LinkedIn support immediately.
- Check Your Email: Check your email inbox for any messages from LinkedIn indicating the addition of an extra email to your account. If you didn’t initiate this action and find such an email, consider it a significant warning sign. Ensure that you can still log in to your account, change your password, and remove the added email address from your contact details.
- Password Security: Employ a strong and lengthy password unique to your LinkedIn account, avoiding password reuse across platforms.
- Two-Step Verification: Enabling the two-step verification feature for your LinkedIn account is highly recommended. This measure enhances security for LinkedIn and all platforms offering this option.
Cyberint and the Dark Web
Cyberint excels in accessing high-tier sources that remain elusive to most companies. Our unique ability to penetrate these hidden corners enables us to collect and analyze invaluable data. We enrich our automated collection with a human approach, through research and analysis of our military-grade expert team.
Find new sources in deep and dark web marketplaces, forums, and sites, even if those sources are volatile and difficult to track. Get deep analysis and reports, that allow you to understand a specific threat actor and group profiling, including the places of operation, targeted countries or verticals, TTPs and more. Get a demo and see what assets you have exposed on the deep & dark web.