LinkedIn users are being targeted in an ongoing account hijacking campaign: they are getting locked out of their accounts, and the hacked accounts are held for ransom.
Users discussing their compromised LinkedIn accounts. (Source: Cyberint)
The LinkedIn account hijacking campaign
The Cyberint research team has recently noticed a significant increase in online conversations on various social media outlets about LinkedIn accounts getting hijacked. Google Trends shows search queries such as “LinkedIn account hacked 2023” or “LinkedIn account recovery appeal” exploding – they grew by over 5000%.
The researchers posit that the attackers are either attempting to brute-force accounts’ passwords or are possibly using login credentials stolen in a previous, unknown LinkedIn data breach.
In cases where they successfully access the targeted account, they change the account’s associated email address to one registered with the Russian web service rambler.ru, and then change the account password.
“By changing the email address, threat actors effectively prevent the victim’s ability to restore their account via email, thereby leaving the account irrecoverable,” explained Coral Tayar, security researcher at Cyberint.
“Some victims have received ransom messages (typically requesting a few tens of dollars) to regain access, while others have witnessed their accounts being deleted outright.”
But it’s also possible that the attackers plan to use these stolen accounts for social engineering attacks or to collect sensitive data from LinkedIn conversations (to sell or to blackmail users).
“Hacked accounts could be used to spread malicious content, erase years of contributions, or send damaging messages to connections, severely damaging an individual’s reputation. Users’ substantial efforts in building connections, followers, and reputations over time could be destroyed in seconds,” Tayar added.
Owners of accounts protected with two-factor authentication, on the other hand, are only temporarily locked out of their account: the many repeated failed login attempts trigger LinkedIn’s defenses, and LinkedIn sends them an email notification telling them to reset their password and choose a strong one, after which they can regain access to their account.
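The sequence described above (a burst of failed logins, then a successful login, then a changed contact email) is what an account-security team would want to alert on, and the burst alone is worth a password-reset notice even when 2FA held. The following is an added example, not code from Cyberint or LinkedIn; the event format, event names, threshold and window are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events, for illustration only (not LinkedIn data).
# Fields: ISO timestamp, account, event type, detail (new address for email_changed).
EVENTS = [
    ("2023-08-14T09:00:05", "alice", "login_failed", ""),
    ("2023-08-14T09:00:09", "alice", "login_failed", ""),
    ("2023-08-14T09:00:14", "alice", "login_failed", ""),
    ("2023-08-14T09:00:20", "alice", "login_failed", ""),
    ("2023-08-14T09:00:33", "alice", "login_success", ""),
    ("2023-08-14T09:02:10", "alice", "email_changed", "new-owner@rambler.ru"),
    ("2023-08-14T09:05:00", "bob", "login_failed", ""),
    ("2023-08-14T09:05:04", "bob", "login_failed", ""),
    ("2023-08-14T09:05:09", "bob", "login_failed", ""),
    ("2023-08-14T09:05:15", "bob", "login_failed", ""),
    ("2023-08-14T10:00:00", "carol", "login_failed", ""),
    ("2023-08-14T10:00:30", "carol", "login_success", ""),
]


def triage_accounts(events, failed_threshold=4, window=timedelta(minutes=30)):
    """Return {account: verdict}: 'takeover' = failed-login burst, then a success,
    then a contact-email change inside `window` (the article's pattern);
    'brute_force' = the burst alone, e.g. stopped by 2FA (owner should reset)."""
    by_user = defaultdict(list)
    for ts, user, kind, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), kind, detail))
    verdicts = {}
    for user, evs in by_user.items():
        evs.sort()
        fails = [t for t, kind, _ in evs if kind == "login_failed"]

        def recent(t):  # failures in the `window` ending at moment t
            return sum(1 for f in fails if timedelta(0) <= t - f <= window)

        if not any(recent(f) >= failed_threshold for f in fails):
            continue
        verdicts[user] = "brute_force"
        for i, (t, kind, _) in enumerate(evs):
            if kind == "login_success" and recent(t) >= failed_threshold and any(
                k == "email_changed" and t2 - t <= window for t2, k, _ in evs[i + 1:]
            ):
                verdicts[user] = "takeover"
                break
    return verdicts


if __name__ == "__main__":
    for account, verdict in sorted(triage_accounts(EVENTS).items()):
        print(f"{account}: {verdict}")
```

With the constructed events, alice is flagged as a takeover, bob as a brute-force attempt that never succeeded, and carol (one failure, then success) is not flagged.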
What should users do?
Even though users have been reporting the issue to LinkedIn support, judging by the social media posts the company has not been very helpful.
LinkedIn’s Help page currently sports a banner saying: “Due to high support volume, it may take longer than usual to hear back from our Support Agents.”
Users are advised to make sure that their LinkedIn password is unique and strong (random) enough to withstand brute-force and dictionary attacks, and to enable two-factor authentication.
“Verify your email inbox for any messages from LinkedIn indicating the addition of an extra email to your account. If you didn’t initiate this action and find such an email, consider it a significant warning sign. Ensure that you can still log in to your account, change your password, and remove the added email address from your contact details,” Tayar also advised.
“We strongly advise you to log into your account and confirm your continued access promptly. Also, make sure all your contact information is genuine and is yours.”