35

I was sent this kind of link from a presumably compromised Skype account, via a Skype message (do not click unless you have a sandbox or something to protect you):

https://www.linkedin.com/slink?code=e4ig_yU#56287=myskypeusername

Where myskypeusername is, well yes, my Skype user name.

Clicking that, the URL would take you through a series of redirects and finally to a page selling some "miracle Brain IQ pills" claiming to boost, double, whatever one's mental capabilities... so clearly SPAM.

Does anyone know what the /slink... etc. URLs are used for by LinkedIn? Google brought up nothing, except a few other cases where LinkedIn has been used to redirect users to SPAM.

I contacted LinkedIn about this and their "Safety support specialist" basically said they cannot do anything about it given it's not a message sent by a LinkedIn user... go figure.

UPDATE: After I reiterated the problem to LinkedIn support, I got back the following:

Thank you for your response. We will look into this issue further and take necessary action based on our results. Thanks for your assistance in keeping LinkedIn a professional and trustworthy site.

Hopefully that's more than just words; we'll see I guess.

Anders
Petri

  • Linkedin support thread isn't any help either: https://www.linkedin.com/help/linkedin/forum/question/353714 – hd. May 06 '16 at 16:11
  • Seems like the /slink part is used for LinkedIn internal URL redirects, and https://www.linkedin.com/slink?code=e4ig_yU redirects to some page which now 301 redirects you to spam. Also, the stuff after the # is probably ignored by the server and is there so you will click on it, as it's got your Skype username in it. – rtn May 06 '16 at 16:27
  • Looks like either an open redirect vulnerability (but with the target URL stored in the Linkedin DB rather than in the URL itself) or an XSS vulnerability on the Linkedin page. – André Borie May 19 '16 at 23:14
  • I first suspected that the Skype name was there so that they could keep track of who clicks the link through the referer header, but since it's over HTTPS I don't think it will be set? – Anders May 20 '16 at 07:54
  • @Anders – I'm guessing the extras are all passed to the redirection target, so they'll be able to track you just fine. It's also possible that the data is used by some internal LinkedIn tracker related to further stats akin to [bitly's metrics](https://bitly.com/pages/tour#tour-measure). – Adam Katz May 24 '16 at 00:24
  • Any PoC that shows how to 'inject' a share (URL) in the Linkedin DB? Otherwise, how could the spammer save a link and have the code for that link? – elsadek Oct 27 '16 at 16:46
  • Still valid in 2020: My mother-in-law just got a fake amazon.de mail with such a link (moved to spam folder and then asked me :-) – HolgerJeromin Aug 05 '20 at 18:14
  • I've gotten three spams in the last week with these URLs. SpamCop won't send reports: `ISP does not wish to receive reports regarding https://www.linkedin.com/slink?code=gE-6Hdh - no date available https://www.linkedin.com/slink?code=gE-6Hdh has been appealed previously.` – Fuhrmanator Nov 25 '20 at 13:55
  • I just got a phishing email with a linkedin.com/slink link. I wrote to abuse@linkedin.com. I got a reply (seems to be from a human) that they will deactivate the link and will review the associated accounts. I suggest you do the same. If they get enough emails, hopefully they will put some protection measures on this service. – Lesmana Feb 08 '21 at 23:15

3 Answers

18

So I just stumbled upon this today and got a similar message:

https://www.linkedin.com/slink?code=eiurEkp?61778=myname

First I tried the first part: https://www.linkedin.com/slink?code=eiurEkp

This ends here: http://281-inteligen.thiscontentedmotion.com/de/ihel/inteligen/ - a scammy article about somebody saying that someone said that this pill will just change the whole world...... But well, it looks like a normal newspaper website and the source code actually looks semantically clean.

So if LinkedIn were to check the destination's source code, it would be okay in this case and to this point.

But when entering: https://www.linkedin.com/slink?code=eiurEkp?61778 (with the second search param) - it seems, by reading over their obfuscated JavaScripts, that they check for search/hash params in the URL and redirect accordingly if found.

And this is probably not being checked by the LinkedIn team. I mean, how should they? This is hard because it is happening in obfuscated JS. If they have some automated slink checker, they are scanning the code but likely don't execute the scripts.

Long story short: The slink?code=####### part redirects to a link shared on LinkedIn and appends any given hash or search parameter to this redirect. On the redirected destination this is then checked and used for a further redirect.

6

Well, just by testing /slink?code=0 (a 404 error) and /slink?code=1 (LinkedIn Business Marketing Solutions), I'm guessing it's reserved for customers of LinkedIn Business Solutions.

That said, I don't think it's that frequently used. I don't see much email traffic using it (I see more traffic using Hashcash, which is extraordinarily obscure.) This type of link represents 0.03% of the email traffic linking to the www.linkedin.com CDN. This redirector is so infrequently used that I cannot determine how spammy it is.

To answer the question of how spammers are abusing this: Presumably, a spammer registers a phony account at LinkedIn and then uses this redirection service just like any other. It's a bit risky since LinkedIn is no stranger to resolving abuse (e.g. they're a key backer of DMARC) and there are so many other redirection services out there, but perhaps there's some illusion of legitimacy to using this instead.

A direct posing of this question to LinkedIn resulted in Franck Martin (one of their key DMARC advocates) saying:

This email was not sent by Linkedin.
Linkedin uses several lists to ensure the redirection does not end up to a known bad site. In all cases, please report it to abuse [at] linkedin (as well as the major URL anti-phishing lists) and we will take the appropriate actions.

(As noted in this thread on the SpamAssassin Users mailing list.)

Note that just because the specific sample that Franck saw wasn't sent by LinkedIn doesn't mean that there isn't any abuse of this shortener, but I do trust that they police it well. There's merely little they can do to control the emails they're not in control of (unless the email forges sending from @linkedin.com because it is protected by a DMARC p=reject policy. This policy instructs recipients to reject policy violations).

If you report the message to them, they should at least be able to break the redirector, which is the case for this link (as noted in another answer to this question). If their infrastructure did send the mail, they can chase it down further and take action against the customer.

Adam Katz

  • It seems you incorrectly assume in your answer that I received the spam link via email. – Petri May 24 '16 at 09:53
  • You are correct, I had not realized this was [spim](https://en.wikipedia.org/wiki/Messaging_spam). Ignore the DMARC parts then. LinkedIn obviously had nothing to do with the IM. They accepted your report, reviewed it, and nuked the redirection mapping. – Adam Katz May 24 '16 at 15:47
  • Hey @AdamKatz, could you please say which tools you use for mail traffic monitoring, or maybe recommend some? – MikZuit Sep 22 '20 at 00:27
  • @MikZuit – Sorry, I didn't use OSINT. That tooling is not publicly available. It samples across roughly ⅓-½ of global enterprise email traffic. The percent has gone up from 0.03% in 2016 to 0.11% in 2020 using a sample averaged over the last 6mo. There was a spike from late June through late August 2020; averaging across 2y, it's back to the original 0.03%. – Adam Katz Sep 22 '20 at 15:23
  • @AdamKatz very helpful, thanks – MikZuit Sep 22 '20 at 18:10
2

It looks like your link is dead as it now redirects to https://www.linkedin.com/static?key=incomplete_request_error

I'm not sure if there is a built-in mechanism that would specifically support user redirects in LinkedIn, but if the spammer injected HTML, they may have used meta tags to accomplish this, e.g.:

`<meta http-equiv="refresh" content="5;URL=target_link_here">`

Azeezah M
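To illustrate the chain described in the first answer (slink code, then a further hop at the destination) and the meta-refresh hop suggested in this answer, here is an added example that is not from any of the answers or from LinkedIn: a redirect-chain follower that walks HTTP 3xx hops, also spots a `<meta http-equiv="refresh">` hop that a plain status-code follower would miss, strips the `#fragment` (which a browser never sends to the server, as rtn noted), and flags a chain that starts on www.linkedin.com and ends elsewhere. The hosts shortener.example and pills.example and all responses are constructed stand-ins; nothing here reflects the real slink back end.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the web: URL as sent to the server -> (status, Location, body).
# Hosts and hops are invented for illustration only.
FAKE_WEB = {
    "https://www.linkedin.com/slink?code=e4ig_yU":
        (301, "http://shortener.example/abc?code=e4ig_yU", ""),
    "http://shortener.example/abc?code=e4ig_yU":
        (200, None, '<html><head><meta http-equiv="refresh" '
                    'content="5;URL=http://pills.example/landing"></head></html>'),
    "http://pills.example/landing": (200, None, "<html>buy now</html>"),
}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)',
    re.IGNORECASE)

def strip_fragment(url):
    """Drop the #fragment: browsers never send it, so the server cannot see it."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))

def meta_refresh_target(body):
    """Return the URL named in a <meta http-equiv=refresh> tag, or None."""
    m = META_REFRESH.search(body)
    if not m:
        return None
    _, _, rest = m.group(1).partition(";")   # content="5;URL=..."
    rest = rest.strip()
    if rest.lower().startswith("url="):
        rest = rest[4:]
    return rest.strip() or None

def follow_chain(url, fetch=lambda u: FAKE_WEB.get(u, (404, None, "")), max_hops=10):
    """Follow HTTP 3xx and meta-refresh hops; return every URL visited in order."""
    hops = [strip_fragment(url)]
    for _ in range(max_hops):
        status, location, body = fetch(hops[-1])
        nxt = location if 300 <= status < 400 and location else meta_refresh_target(body)
        if not nxt:
            break
        hops.append(strip_fragment(nxt))
    return hops

def leaves_domain(hops, domain="www.linkedin.com"):
    """True when a chain that starts on `domain` finishes on a different host."""
    return urlsplit(hops[0]).netloc == domain and urlsplit(hops[-1]).netloc != domain

if __name__ == "__main__":
    chain = follow_chain("https://www.linkedin.com/slink?code=e4ig_yU#56287=myskypeusername")
    print(" -> ".join(chain), "| leaves LinkedIn:", leaves_domain(chain))
```

Swap `fetch` for a real HTTP client run inside a sandbox to apply the same walk to a live link; the meta-refresh check is the part a status-code-only scanner lacks.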