Hackers exploit LinkedIn message alerts to hijack your login credentials

Hackers are sending fake LinkedIn message alerts notifying users about purported job opportunities, but those who click are redirected to a malicious login page designed to steal their credentials.
- A fake LinkedIn message alert could be all it takes to steal your login credentials.
- The phishing email looks convincingly real, right down to the branding, formatting, and job-opportunity lure.
- Researchers warn this is part of a broader shift as phishing campaigns grow more polished, more targeted, and easier to launch.

Hackers are sending fake emails that appear to come directly from LinkedIn, notifying users they have a new message waiting – but anyone who clicks through is routed to a malicious login page designed to steal their credentials.
The entire phishing email message appears convincingly similar to the real thing, according to a new research blog published Monday by Cofense.
“The font, logo, and formatting closely match those of real LinkedIn notification emails. Even the subject line, though simple, imitates LinkedIn’s style,” says Enrico Silverio, threat researcher at the Cofense Phishing Defense Center.
Sporting a spoofed display name, the authentic-looking email appears to come from a headhunter at a reputable company and prompts the recipient to “contact them urgently” to discuss a potential business opportunity.
The phishing emails observed in the samples are written in Chinese and were translated by Cofense.
Silverio reminds users that the so-called “job opportunity” is a classic social engineering “hook” designed to manipulate the victim using “emotional triggers” such as, in this case, a sense of urgency.
If the user clicks the button to contact the alleged recruiter, they are immediately redirected to a malicious, spoofed LinkedIn page.
Often, hackers will mimic the legitimate websites of well-known businesses or brands, copying the smallest details to lull victims into a false sense of security, Silverio says.
In the cases observed by Cofense, the website URL reads “inedin[.]digital”, chosen by the threat actors so that, at a quick glance, it visually resembles the LinkedIn domain. Similarly, the sender’s address, “khanieteam[.]com”, is also fraudulent and is not associated with LinkedIn at all.
Some of the sites were created just a few months before the analysis, and the sender's email address was created only a few days prior, the research found.
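The two tells described above, a sender domain unrelated to the brand and a link domain that only resembles it, can be checked mechanically. The following Python sketch is an added example, not code from Cofense or the article; the sample messages, the "LinkedIn" display name, the allow-list, and the distance threshold are assumptions, and only the two defanged domains come from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "linkedin"
BRAND_DOMAINS = {"linkedin.com"}  # assumption: the only domain treated as genuine
MAX_DISTANCE = 2                  # assumption: tune against your own mail flow

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    """Last two labels; production code should use the Public Suffix List."""
    return ".".join(host.lower().split(":")[0].strip(".").split(".")[-2:])

def check_message(raw):
    """Return findings for a raw RFC 5322 message (defanged '[.]' is accepted)."""
    msg = message_from_string(raw.replace("[.]", "."))
    display, addr = parseaddr(msg.get("From", ""))
    sender = base_domain(addr.rpartition("@")[2])
    findings = []
    if BRAND in display.lower() and sender not in BRAND_DOMAINS:
        findings.append(f"display name claims {BRAND}, sender domain is {sender}")
    for host in re.findall(r"https?://([^/\s\"'<>]+)", str(msg.get_payload())):
        dom = base_domain(host)
        if dom not in BRAND_DOMAINS and edit_distance(dom.split(".")[0], BRAND) <= MAX_DISTANCE:
            findings.append(f"lookalike link domain {dom}")
    return findings

# Constructed samples, defanged; only the two domains come from the article.
PHISH = """From: LinkedIn <recruiter@khanieteam[.]com>
Subject: You have a new message

Contact me urgently: https://inedin[.]digital/login
"""
GENUINE = """From: LinkedIn <notifications@linkedin.com>
Subject: You have a new message

View message: https://www.linkedin.com/messaging/
"""

if __name__ == "__main__":
    print(check_message(PHISH))
    print(check_message(GENUINE))
```

Domain age, the other signal the research mentions, needs a WHOIS or RDAP lookup and is left out so the sketch runs offline.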
Attackers keep sharpening phishing tactics
Silverio says this latest campaign is a reminder that threat actors are continuously evolving “in both technical sophistication and persistence by crafting highly convincing schemes to exploit human trust and curiosity.”
“Remaining vigilant, verifying sources, and thinking twice before clicking are essential steps in defending ourselves against increasingly creative cyberattacks,” he says.
The research provides additional details, including the email IOCs (indicators of compromise), a list of observed IP addresses used in the scam, plus the payload URL and IP address used by the threat actor.
The company has previously warned that, in addition to using AI toolkits that can create super-realistic phishing brand pages and automate campaigns, attackers are increasingly scraping public data from the web to target users more precisely.
These highly personalized phishing campaigns are also faster and cheaper to deploy, the company says.
In December, the Cofense team said they noted examples in which attackers “pulled individuals’ home addresses, generated Google Maps screenshots, and inserted them into extortion emails to increase credibility.”