LinkedIn phishing remains a favorite attack vector for threat actors. Sales solicitations are so abundant on the LinkedIn platform that many users may be in the habit of clicking these notifications posthaste while weeding out the noise.
This example claimed to be a message reminder for “2 new messages” from a salesperson for Janssen Pharmaceuticals, a Johnson & Johnson company. However, the From address displayed the domain 51jobo.]com, a recruitment website in China, and the message originated from servers located in Moldova.
The payload link leads to a generic phishing kit located at youdontcareu.]com. The kit pre-fills the recipient's email address and domain name into the site based upon a string in the URL. We used someone@somewhere.com for the image example below for illustrative purposes.
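Both traits described above can be checked at the mail gateway: a LinkedIn-themed message whose From domain is not LinkedIn's, and a link that carries the recipient's own address. The following is an added example, not code from the original post. The brand list, the function names and the `sender.example` / `kit.example` domains are assumptions, and because the post does not say how the kit encodes the address, the check covers plain, percent-encoded and base64 forms.

```python
import base64
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote

# Assumption: brand keywords mapped to the sender domains each really uses.
BRAND_DOMAINS = {"linkedin": {"linkedin.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def recipient_in_url(url, rcpt):
    """True if the URL carries rcpt in plain, percent-encoded or base64 form."""
    decoded = unquote(url)
    if rcpt.lower() in decoded.lower():
        return True
    raw = rcpt.encode()
    tokens = {base64.b64encode(raw).decode().rstrip("="),
              base64.urlsafe_b64encode(raw).decode().rstrip("=")}
    return any(t in decoded for t in tokens)  # base64 is case-sensitive

def analyze(raw_message):
    """Return a list of findings for a single-part plain-text message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    rcpt = parseaddr(msg.get("To", ""))[1]
    findings = []
    # Brand named in the display name or subject, sender domain not on its list.
    context = f"{display} {msg.get('Subject', '')}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(from_domain == d or from_domain.endswith("." + d) for d in domains)
        if brand in context and not legit:
            findings.append(f"brand-mismatch:{brand}:{from_domain}")
    for url in URL_RE.findall(msg.get_payload()):
        if rcpt and recipient_in_url(url, rcpt):
            findings.append(f"recipient-in-url:{url}")
    return findings

# Constructed sample; sender.example and kit.example are placeholder domains.
TOKEN = base64.b64encode(b"someone@somewhere.com").decode()
SAMPLE = (
    'From: "LinkedIn Messages" <notify@sender.example>\n'
    "To: someone@somewhere.com\n"
    "Subject: You have 2 new messages\n"
    "\n"
    f"View messages: https://kit.example/login?id={TOKEN}\n"
)

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE)))
```

Legitimate services also put the recipient address in unsubscribe and tracking links, so the URL finding is best treated as a signal to combine with the sender mismatch rather than as a verdict on its own.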