LinkedIn fixes phishing flaw

Kaspersky researcher Ido Naor reports that LinkedIn has now fixed a vulnerability originally identified last November that enabled “attackers to efficiently execute spear phishing campaigns, steal credentials and potentially gain remote control over selected victims without needing to resort to social engineering.”

The flaw in LinkedIn’s notification system meant that malicious code could have been sent to users in notification emails informing them that other users had commented on their posts.

“Injecting a malicious comment into a user’s post thread will automatically launch a notification to his email account, regardless of the email provider or connection hierarchy between the victim and the attacker,” Naor explained.

“In the worst case scenario, if an email provider fails to properly escape the content of an incoming email, the attacker can leverage the issue to execute a malicious JavaScript injection attack, also known as Stored XSS.

“Another scenario might involve using an associated HTML form to collect information about the victim or redirect the victim to a site where a malicious executable can be downloaded.”

Phishing attacks

Every day, 156 million phishing emails are sent, 15.6 million make it through spam filters, 8 million are opened, 800,000 recipients click on the links, and 80,000 of them unwittingly hand over their information to criminals.

IT Governance has produced a handy infographic to illustrate the threat that phishing poses to organisations. Click here >>

Phishing staff awareness

If you’re concerned about your staff’s susceptibility to phishing attacks, you may be interested in:

IT Governance’s Cyber Security and Phishing Staff Awareness Course will enable you and your team to understand how cyber criminals operate, how they plan and execute their phishing campaigns, and how to spot and avoid phishing tactics.

Our Employee Phishing Vulnerability Assessment will identify potential vulnerabilities among your employees and provide recommendations to improve your security, giving you a broad understanding of how you are at risk and what you need to do to address these risks.