LinkedIn | Threat Intelligence

The Fake Recruiter on LinkedIn Who Was Phishing Credentials

January 25, 2025
Outcome

Phishing campaign neutralized; 3 compromised employee accounts identified and secured.

Background

Multiple employees at a tech company received LinkedIn messages from a "recruiter" offering lucrative job opportunities. The recruiter's profile appeared legitimate, with 500+ connections and endorsements. The link in the messages directed to a credential harvesting page.

Investigation Methodology

  1. Profile Authenticity Analysis: The recruiter's LinkedIn profile was deconstructed — creation date, connection acquisition rate, endorsement patterns, and profile photo were all analyzed.
  2. Infrastructure Mapping: The phishing URL was traced through DNS records, hosting providers, and SSL certificate registrations.
  3. Victim Impact Assessment: We determined which employees had clicked the link and potentially submitted credentials.
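
As an added illustration of step 3 (not code from the original investigation), the sketch below triages web proxy logs to separate employees who only opened the link from those who sent a POST to the phishing host, which is treated here as a potential credential submission. The log format, the user names, and the domain `phish.example` are constructed placeholders, and the approach assumes a TLS-inspecting proxy that records the HTTP method.

```python
from urllib.parse import urlsplit

# Constructed proxy log sample (assumed format: time user method url status).
SAMPLE_LOG = """\
2025-01-20T09:14:02Z alice GET https://careers.phish.example/apply?id=7 200
2025-01-20T09:14:40Z alice POST https://careers.phish.example/login 302
2025-01-20T09:31:11Z bob GET https://careers.phish.example/apply?id=9 200
2025-01-20T10:02:45Z carol GET https://CAREERS.PHISH.EXAMPLE/apply?id=3 200
2025-01-20T10:03:10Z carol POST https://careers.phish.example/login 302
2025-01-20T10:40:00Z dave GET https://www.linkedin.com/feed/ 200
2025-01-20T11:05:27Z erin POST https://careers.phish.example/login 302
2025-01-20T11:06:00Z frank GET https://phish.example.evil.test/ 200
2025-01-20T11:07:00Z truncated
"""

def host_matches(url, phishing_domain):
    """True if the URL's host is the phishing domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = phishing_domain.lower()
    # Anchored suffix match: a substring test would wrongly flag frank's request.
    return host == domain or host.endswith("." + domain)

def assess_impact(log_text, phishing_domain):
    """Map each affected user to a status ('clicked' or 'submitted') and first hit."""
    impact = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or truncated entries
        ts, user, method, url, _status = fields
        if not host_matches(url, phishing_domain):
            continue
        entry = impact.setdefault(user, {"status": "clicked", "first_seen": ts})
        entry["first_seen"] = min(entry["first_seen"], ts)
        # A POST to the harvesting host is a potential credential submission,
        # even without a recorded GET (for example, erin above).
        if method.upper() == "POST":
            entry["status"] = "submitted"
    return impact

def accounts_to_reset(impact):
    """Users who need a password reset and MFA enforcement first."""
    return sorted(u for u, e in impact.items() if e["status"] == "submitted")

if __name__ == "__main__":
    result = assess_impact(SAMPLE_LOG, "phish.example")
    print(result)
    print("Reset first:", accounts_to_reset(result))
```

Users with status `clicked` still warrant follow-up, since a submission made from a device outside the proxy's view would not appear in these logs.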

Key Findings

  • The recruiter profile was created 6 weeks prior and acquired 500+ connections through mass connection requests — averaging 12 new connections per day.
  • The profile photo was stolen from a real recruiter at a legitimate firm.
  • The phishing infrastructure was linked to a known APT group targeting the tech sector for intellectual property theft.
  • 3 employees had submitted credentials through the fake page.

Outcome

The 3 compromised accounts were immediately secured with password resets and MFA enforcement. The phishing infrastructure was reported and taken down. LinkedIn removed the fake profile. Total investigation time: 48 hours.
