I don’t think anyone will be too surprised if I mention receiving yet another fake email. This time I’ve received two emails claiming that I have new LinkedIn messages. Given the email address that it was sent to, I’m wondering if this is a result of an information leak that LinkedIn apparently experienced back in June 2012.
I received two email messages last week, with pretty much the same content, with a subject header of ‘LinkedIn new messages’. Both of the emails were supposedly LinkedIn ‘Invitation reminders’, and at first glance, I didn’t think that there was much wrong with them.
Thinking that I had a LinkedIn message, I checked my LinkedIn Inbox. Luckily though, I did this by typing https://www.linkedin.com/ into my web browser and logging in, and not by clicking on the link that the email sender had so conveniently provided for me.
The LinkedIn website said that there weren’t any new messages. That’s when I looked at the emails a bit more closely, and it was here that I realised that there wasn’t much right with them.
None of the ‘Received:’ headers mentioned a host in the linkedin.com domain, nor any other domain related to LinkedIn. The ‘Return-Path:’ header address was from a completely different domain to the ‘From:’ header address, and a completely different top-level domain for that matter. The ‘Message-Id:’ header had yet a third domain in it, the first part of which looked like a string of 25 random lower case letters. The same random string appeared in the first ‘Received:’ header, but with a completely different domain ending.
The part that stuck out like a sore thumb, though, was that the hyperlinks corresponding to the sender’s name, ‘Go to InBox’, and ‘Login to your LinkedIn account to Unsubscribe.’, had nothing to do with LinkedIn and were three different URLs with two things in common. They were all PHP scripts, and they all ended in ‘?c005’.
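The header and link checks described in the two paragraphs above can be scripted. The Python below is an added example, not part of the original post; the sample message, its hosts and its addresses are constructed placeholders, and the From address is assumed to claim linkedin.com.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample; every address and host below is a placeholder.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from abcdefghijklmnopqrstuvwxy.example.org (unknown [192.0.2.10])
\tby mx.recipient.example
From: LinkedIn <messages@linkedin.com>
Message-Id: <abcdefghijklmnopqrstuvwxy@sender.example.com>

<a href="http://site-one.example/a.php?c005">Go to InBox</a>
<a href="http://site-two.example/b.php?c005">Unsubscribe</a>
"""

def in_domain(host, domain):  # True for the domain itself or any subdomain
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def addr_domain(value):  # domain part of From, Return-Path or Message-Id
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

class LinkCollector(HTMLParser):  # gathers the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_message(raw, expected="linkedin.com"):  # mismatches with the claimed sender
    msg, findings = message_from_string(raw), []
    if addr_domain(msg["Return-Path"]) != addr_domain(msg["From"]):
        findings.append("return-path-differs-from-from")
    if not in_domain(addr_domain(msg["Message-Id"]), expected):
        findings.append("message-id-foreign-domain")
    received = " ".join(msg.get_all("Received", []))
    hosts = re.findall(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", received)
    if not any(in_domain(h, expected) for h in hosts):
        findings.append("no-expected-host-in-received")
    links = LinkCollector()
    links.feed(msg.get_payload())
    off = [u for u in links.hrefs if not in_domain(urlsplit(u).hostname, expected)]
    if off:
        findings.append("links-off-domain:%d" % len(off))
    return findings
```

A Return-Path that differs from From is also common in legitimate bulk mail, so treat these findings as prompts for a closer look rather than a verdict.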
None of this is overly surprising; however, the main reason that I am mentioning this is because of the particular recipient’s (that is, my) email address. Remember the ‘Millions of LinkedIn passwords reportedly leaked’ incident back in June? When that happened, I not only changed my LinkedIn password but also changed the email address that I was using for LinkedIn. Both the old and new LinkedIn email addresses contain a string of four random digits, hence they were unlikely to have been guessed. These two fake emails were sent to my old LinkedIn email address, which is making me wonder if email addresses were also leaked.
Another interesting twist to the story is that these two separate emails, from separate sources, seem to be linked. The first one claimed ‘There are a total of 5 messages awaiting your response’, and the second cleverly claimed ‘There are a total of 6 messages awaiting your response’. As it turns out, I didn’t have that many messages awaiting my response, but I’m curious as to why the sender picked 5 and 6. Did I have four messages awaiting my response at the time of the leak, and that fact was also leaked? Who knows.