A Targeted (?) Phish from a LinkedIn Connection

This morning while I was on the Exercise Bike at the UAB Rec Center I got a LinkedIn message from a colleague I haven't spoken to in a couple years.

That was actually the SECOND funny thing about my LinkedIn profile this morning.  The first one was that, since I'm a Premium Member, I get notified when people check out my Profile there.  I had one unusual visitor:

彭家’s Profile

Peng Jia has a TOTALLY BLANK LinkedIn profile.   linkedin.com/in/家-彭-334485167

I sent John a text message on his phone, but followed up, knowing I was likely talking to a scammer, with a LinkedIn Reply:

Well, since it was "really" from John, I finished my 10 miles on the bike, showered, ran back to my office and fired up a VM to visit his link:

Gee, what was I worried about?  It's totally from John!  It says right there!

Of course, some might find it odd that the "View Message Folder" link takes me to the URL 
" eone [.] ga /mm/business/proposal/afzz "

Now this is where "Targeting" comes in ... Take a look at this Phishing website and try to think what industry might be targeted by this LinkedIn-propagated phishing campaign?  

Hmmmm... AstraZeneca,  Proctor & Gamble, Boston Scientific (who makes Medical Devices)  and GE (who has a GE HealthCare line that makes many medical devices), Nationwide Insurance (who offers Health insurance plans)?  Looks like they are targeting the HealthCare sector.  But Pandora? (Update: I'm told that Pandora is the name of a system from Omnicell.com that is used for doing data analytics to detect diverted pharmaceutical products.  I don't think this is their logo, but it is likely that the Pandora reference is to that.)

At first I was confused why a phish possibly targeting HealthCare would be coming after me, but then I realized ... I'M EMPLOYED BY UAB -- The University of Alabama at Birmingham -- one of the largest and best funded research hospitals in America!  Any chance that I'm getting LinkedIn spam because - to a casual observer - I'm a HOSPITAL employee?  And then having this tagged up with at least three health care logos?  Ok, so what happens next?

Well, then they steal your email and password ... 

	Gmail was the only one that had a second page ... if you entered Gmail it then wanted your phone number too.

We grabbed the phishing kit, because that's what we do, and took a browse around.

All of the individual files have the same "Action" -- which is to call Finish . php

Finish is where the entered information gets mixed with environmental variables from your machine and all of the details get emailed to the criminal.

The last piece is that the email address is referred to by a variable name that isn't in this PHP file:

If you scroll back to the top of "Finish . PHP" you'll find what you need there:

The top line shows which additional files should be loaded by the phish.  "CONTROLS" is the one we want, which is where we find the criminal's email address:  madiba23101@gmail.com 

It would make a great example for my students if anyone in Law Enforcement cared about this ... but sadly, the only people who care are the LinkedIn Security Team, who had this account down so fast that by the time I responded with "So shall I call you Madiba?" my friend John's account had already been secured and gave me an error message.

A couple last funny notes ... the kit contains a file called "Netcraft_check.php" that checks to see if the user agent is "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)") and refuses to load the page if it is.  Might want to update that user agent, Netcraft hunters.

There is also a file "visitor_log.php" that gives away the fact that all of the visitors to this phish have their IP address, timestamp, and browser agent shared.   because of this, we can tell that a bunch of people visited the phish from LinkedIn, becasue it adds "Mobile/15E148 [LinkedInApp]" to the end of the browser agent string.  As of this writing, only 127 unique visitors have been to the phish.  41 of them were browsing the phish from within the LinkedIn application on a Mobile Device.

Unfortunately for the Phisher, the poor fool put his phishing site behind CloudFlare, so the referring IP addresses are NOT the victim's IP address, they are all CloudFlare IPs.  Oh well.  Nice Try, Mister Phisher.  (we'll shoot this to CloudFlare to terminate your hosting as well.)