LinkedIn’s Smart Links abused in phishing attack targeting Slovakian users

LinkedIn sign in a window

Smart Link, a feature exclusive to LinkedIn’s Sales Navigator and Enterprise users, has been targeted in a recent phishing scam.

A convenience feature, Smart Link enables subscribers to redirect their targeted customers to legitimate websites for advertisements.


TA551/Shathak threat research

A detailed report on the cyber crime group and its attacks


Threat actors have now leveraged the feature to evade email security products, in an attempt to redirect users to phishing pages. The attackers are also banking on Smart Link’s analytics to gauge the effectiveness of their campaigns.

Decoding the attack, threat intelligence provider Cofense revealed the phishing emails can be traced back to Slovenská Pošta, a state-owned postal service provider in Slovakia.

“Although we can see that the recipient has a shipment waiting to be delivered, the order can only be fulfilled with payment. Threat actor even added features to the email, including the fictitious reference number, to give the impression of legitimacy,” explained Cofense.

The email header, part of the attackers’ trickery, appears legitimate to the unsuspecting eye. However, upon close examination, it can be found that the header “sis[.]” is a spoof.

The attack gets further evasive by an embedded “confirm” button leading to a legitimate-looking LinkedIn Smart Link URL that redirects the victim to a phishing page. (“linkedin[.]com/slink?code=g4zmg2B6”)

Despite the realistic €2.99 shipping price on the landing page, the phishing actors aren't looking to receive money, according to Cofense. Target's credit card information, including number, holder's name, expiration date, and CVV are among the details desired by the attackers.

“Due to a threat actor exploiting the official LinkedIn smart link service, the phishing page is still up and running,” added the company.