
The notification emails for LinkedIn InMail are being spoofed.
Security researchers have detected a phishing campaign that uses spoofed LinkedIn notification emails to distribute malware known as the ConnectWise Remote Access Trojan (RAT). This attack, which is suspected to have begun in May 2024, mimics a message that LinkedIn sends when a user receives an InMail. It is important to note that LinkedIn only allows Premium users to send InMails to people they are not connected to, making this type of email an attractive target for cybercriminals.
The report from the cybersecurity experts at Cofense Intelligence details that these emails contain several red flags. First, the design of the email is outdated, as LinkedIn stopped using it almost five years ago. Additionally, the sender, who is purportedly a sales director or project manager, does not correspond to any real person, and the attached image is labeled as “executive16.png.” Furthermore, the profile picture used in the email belongs to Cho So-young, the president of the Korean Society of Civil Engineering Law.
The name of the company that allegedly employs the sender, “DONGJIN Weidmüller Korea Ind,” also does not exist. Each email includes buttons labeled “Read more” and “Reply,” but both are designed to initiate the download of ConnectWise, a remote management tool. Originally, ConnectWise ScreenConnect was legitimate software for remote desktop support and management, but cybercriminals have repurposed it into a RAT to gain unauthorized control over systems.
A concerning aspect is that these emails bypassed security filters because of how the authentication settings on the recipient's system were configured. Although the email failed SPF (Sender Policy Framework) verification and carried no DKIM (DomainKeys Identified Mail) signature, it was not rejected outright. This occurred because the email security policy, specifically DMARC (Domain-based Message Authentication, Reporting, and Conformance), was set to "oreject" rather than outright rejecting suspicious emails. With this configuration the email was marked as spam, yet it still reached the recipient's inbox.
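To show what a defender can check for in mail like this, here is an added example (not code from the article or from Cofense) that parses the `Authentication-Results` header a receiving server stamps on a message and flags the combination the article describes: SPF failure, no DKIM signature, and a DMARC reject verdict that the receiving system overrode. The sample header is constructed for the example; its `dmarc=fail action=oreject` token is modelled on the format Microsoft 365 writes when it overrides a domain's reject policy, which is an assumption about that product's header format, and the sender IP and domain are placeholders.

```python
import re

# Constructed sample Authentication-Results value (not a real captured header).
# It models the outcome in the article: SPF fail, unsigned (no DKIM), and a
# DMARC reject policy that the receiving system overrode ("oreject").
SAMPLE_AUTH_RESULTS = (
    "spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=sender.example; "
    "dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=oreject header.from=linkedin.com"
)


def parse_auth_results(header: str) -> dict:
    """Split an Authentication-Results value into
    {method: {"result": <pass|fail|none|...>, "props": {key: value}}}.
    Parenthesised comments are dropped, as they carry no machine-readable verdict."""
    results = {}
    for clause in header.split(";"):
        clause = re.sub(r"\([^)]*\)", "", clause).strip()
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            props[key.lower()] = value
        results[method.lower()] = {"result": result.lower(), "props": props}
    return results


def assess(header: str) -> dict:
    """Return a verdict for one message plus the individual findings.

    The key signal is a DMARC 'fail' whose action is 'oreject': the sending
    domain asked for rejection, but the receiving system downgraded that to
    delivery in the spam folder, which is exactly how the article's emails
    reached inboxes."""
    parsed = parse_auth_results(header)
    spf = parsed.get("spf", {}).get("result", "none")
    dkim = parsed.get("dkim", {}).get("result", "none")
    dmarc = parsed.get("dmarc", {"result": "none", "props": {}})
    action = dmarc["props"].get("action", "none")
    reject_overridden = dmarc["result"] == "fail" and action == "oreject"

    findings = []
    if spf != "pass":
        findings.append(f"SPF result is '{spf}'")
    if dkim != "pass":
        findings.append(f"DKIM result is '{dkim}'")
    if dmarc["result"] == "fail":
        findings.append("DMARC alignment failed")
    if reject_overridden:
        findings.append("DMARC reject policy was overridden (action=oreject)")

    return {
        "from_domain": dmarc["props"].get("header.from"),
        "reject_overridden": reject_overridden,
        "findings": findings,
        # A message that fails all three checks should not reach an inbox;
        # recommend quarantine so the mail team can honour the sender's policy.
        "verdict": "quarantine" if findings else "deliver",
    }


if __name__ == "__main__":
    report = assess(SAMPLE_AUTH_RESULTS)
    print(f"From domain: {report['from_domain']}  verdict: {report['verdict']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Run over a mailbox export, the `reject_overridden` flag is the one to alert on: it means the tenant is deliberately weakening a sending domain's `p=reject` policy to a spam-folder delivery, and the fix is on the receiving side (honour the policy) rather than in the sender's DNS.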