SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
cybercriminals using Linktree to steal credentials
Wed, 26th Apr 2023

Avanan, a Check Point company, has observed cybercriminals using Linktree, a social media reference landing page to direct victims to give up their credentials. 

Linktree is a popular and easy way to host bio pages on Instagram and TikTok and other social media platforms.

It’s a simple way to have one link that showcases your bio, social media handles and any other information. In just a few minutes, and with no coding knowledge required, anybody can direct their followers to key information. 

According to Jeremy Fuchs, Cybersecurity Researcher/Analyst at Avanan, hackers are now using it to direct victims to give up their credentials. 

"In these attacks, hackers are creating legitimate Linktree pages to host malicious URLs to harvest credentials," he says.

In one attack example. end-users get an email with a spoofed Microsoft OneDrive or SharePoint notification that a file has been shared with them, instructing them to open the file. 

The URL in the email redirects victims to the Linktree page. Here the hacker has built a simple button that redirects them to the third and final page.

Finally, the user is redirected to a fake Office 365 login page, where they are asked to enter their credentials. 

Of course, that's where those credentials will be promptly stolen.  

"This email does a pretty good job of spoofing a Microsoft OneDrive or SharePoint document share page, although it’s not legitimate," Fuchs says.

"Leveraging legitimate websites to host malicious content is a surefire way to get into the inbox," he says.

"Most security services will look at the link–in this case Linktree–and see that it’s legitimate and accept the message. That’s because it is legitimate.

"Email security services can look for other clues, such as context and sender address. But in general, that only tells part of the story, especially when the link is clean. 

"That means emulating the page behind the URL is so important. That helps indicate that the final page is malicious."

Fuchs says it’s also incumbent upon users to do some digging. 

"They should think–why would this person send me a document via Linktree? Most likely, that wouldn’t be the case. That’s all a part of security awareness–understanding if an email or process seems logical," he says.

"Hackers, of course, are betting that users won’t take those extra steps. Many won’t. Users will see a document that’s intended for them and go through the process to open it, even if it means forgetting good security practices.

"It takes just one rushed moment, a few misplaced keystrokes to bring tremendous damage into an organisation. That opening is all the hacker needs."

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always check sender address before replying to an email 
  • Stop and think if the medium being used to deliver a file is typical 
  • When logging into a page, double-check the URL to see if it’s Microsoft or another legitimate site