Analysis of a LinkedIn Scam Message
In this article I'll outline my Internet Forensics analysis and tracing of a suspicious LinkedIn message that I received on February 12, 2020, and explain the scam behind it.
Unlike other suspicious messages of this kind which I have received in the past, this one came from someone with a LinkedIn Recruiter (Premium) account, though not from an existing connection or someone that I recognized.
I was reasonably sure that the name on the account belonged to a real person, because LinkedIn Recruiter accounts are expensive paid accounts that are not easily created.
Although the message subject was "Job Opportunity", I quickly saw that the contents fitted a common scammer tactic: offering a fake "mystery shopper" job.
With that in mind, I decided to see what I could learn about the sender, the scam and how it could have originated from a legitimate LinkedIn account.
The Scam Message I Received
How the "Mystery Shopper" job scam works
Typically, the scammer follows up with anyone who responds to the first contact (here, a LinkedIn message) to arrange an online "interview", after the target has supplied personal details and sometimes answered a few simple qualifying questions.
In most cases, the "interview" is followed by the offer of a fake job.
As part of the job, the new hire is told that they will be sent a check by mail, UPS, FedEx or DHL, usually for several thousand dollars, which they must deposit in their own bank account, then use the funds to perform "mystery shopping" tasks, such as buying gift cards or sending money through Western Union or MoneyGram at a supermarket or other store to "test their customer service."
The gift card details have to be sent to the scammer as proof the work was done. They then use the gift card details to buy merchandise for resale or resell the card value at a discount.
Transferred money goes to the scammers, or to other victims (money mules) who have been hired to receive payments and forward them on.
The check is counterfeit or stolen. The bank typically makes the funds available before the check actually clears, and only detects the problem days or even several weeks later. The deposit is then reversed, leaving the victim owing the bank whatever they spent or withdrew for their new "job."
Analysis of the Linked Google Drive Document
After reviewing the message and recognizing that it was almost certainly a scam, I followed the link in the message to investigate further. This led to a PDF document stored on a Google Drive account.
The PDF, as seen below, is typical of a mystery shopper scam.
In this case the scammer asks for some personal details to be emailed to a Gmail account, "intellishopservicemanager@gmail.com." This is an email address operated by the scammer and has no connection to the owner of the LinkedIn account described above.
I used the menu to the right of the displayed document in Google Drive to review the file's details (properties).
In this case we can see that the PDF file had been uploaded just before the LinkedIn message was sent, and that the owner/uploader was "Rick Caldwell."
Not visible in the image below: hovering the mouse over "Rick Caldwell" produced a pop-up showing that the owner/uploader's email address was also "intellishopservicemanager@gmail.com", tying the Drive account to the scammer's contact address.
Metadata Review of the PDF file
I downloaded the actual PDF file from Google Drive and reviewed the basic metadata embedded in the file (the PDF Info dictionary: title, author, creator application, producer, and creation and modification dates).
In Adobe Acrobat Reader, the metadata can be viewed under "Properties" in the "File" drop-down menu.
The date stamps showed that the PDF had been created shortly before the upload, and that the creator application was Microsoft Word. The author field was "Field Agent."
That name was most likely carried over automatically from the user name configured in the copy of Microsoft Word used to write the original document, the source for the PDF.
In this case, neither the method of creation nor the author name was likely to help identify the scammer. In previous cases I have been able to get an actual identity and other useful facts from the metadata, so it is always worth checking.
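To make this metadata review repeatable, here is an added example (my own illustration, not code from the article) that pulls the Info dictionary out of a PDF with no third-party library, decodes the literal and UTF-16 hex string forms Word writes, and compares the creation stamp with the time the file was uploaded. The embedded PDF is a constructed skeleton, not the scammer's file: its title, timestamps and the upload time are invented for the example, and only the author name "Field Agent" comes from the article.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, not the scammer's file: a skeleton PDF whose Info dictionary
# carries the fields a Word-to-PDF export typically writes. The /Author value is a
# UTF-16BE hex string with a byte-order mark, the form Word commonly emits; the
# title and timestamps are made up for the example.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj <<\n"
    b"/Title (Mystery Shopper Application Form)\n"
    b"/Author <FEFF004600690065006C00640020004100670065006E0074>\n"
    b"/Creator (Microsoft Word)\n"
    b"/Producer (Microsoft Word)\n"
    b"/CreationDate (D:20200212090301-05'00')\n"
    b"/ModDate (D:20200212090301-05'00')\n"
    b">> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n"
    b"%%EOF\n"
)

# One dictionary entry whose value is a literal string ( ... ) or a hex string < ... >.
ENTRY = re.compile(rb"/(\w+)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.S)
# PDF date syntax D:YYYYMMDDHHmmSSOHH'mm' where O is +, - or Z; all parts after the year are optional.
PDF_DATE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([+\-Z])?(\d{2})?'?(\d{2})?'?")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape(m):
    seq = m.group(1)
    return ESCAPES.get(seq) or bytes([int(seq, 8) & 0xFF])  # \ddd is an octal character code


def decode_pdf_string(token: bytes) -> str:
    """Decode a PDF literal or hex string to text, honouring a UTF-16BE byte-order mark."""
    if token.startswith(b"<"):
        data = bytes.fromhex("".join(token[1:-1].decode("ascii").split()))
    else:
        data = re.sub(rb"\\([nrtbf()\\]|[0-7]{1,3})", _unescape, token[1:-1])
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    return data.decode("latin-1")  # PDFDocEncoding agrees with Latin-1 for ordinary text


def info_dictionary(pdf: bytes) -> bytes:
    """Return the raw body of the object referenced by the trailer's /Info entry."""
    refs = list(re.finditer(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf))
    if not refs:
        raise ValueError("no /Info reference in any trailer")
    num, gen = refs[-1].groups()  # the last trailer wins in an incrementally updated file
    obj = re.search(rb"(?<![\d])" + num + rb"\s+" + gen + rb"\s+obj\s*<<(.*?)>>\s*endobj", pdf, re.S)
    if not obj:
        raise ValueError("Info object is not stored uncompressed; use a full PDF parser")
    return obj.group(1)


def extract_info(pdf: bytes) -> dict:
    """Map Info dictionary keys (Author, Creator, CreationDate, ...) to decoded text."""
    return {key.decode("ascii"): decode_pdf_string(val) for key, val in ENTRY.findall(info_dictionary(pdf))}


def parse_pdf_date(value: str) -> datetime:
    """Turn a PDF date string into a timezone-aware datetime (no offset means UTC)."""
    m = PDF_DATE.match(value)
    if not m:
        raise ValueError(f"not a PDF date: {value!r}")
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    when = datetime(int(y), int(mo or 1), int(d or 1), int(h or 0), int(mi or 0), int(s or 0))
    offset = timedelta(hours=int(oh or 0), minutes=int(om or 0))
    if sign == "-":
        offset = -offset
    return when.replace(tzinfo=timezone(offset))


def timeline(pdf: bytes, uploaded_at: str) -> dict:
    """Summarise who made the file and how long before the upload it was created.

    uploaded_at is an ISO-8601 timestamp with offset, e.g. the time shown in Drive's file details.
    """
    info = extract_info(pdf)
    created = parse_pdf_date(info["CreationDate"])
    modified = parse_pdf_date(info.get("ModDate", info["CreationDate"]))
    upload = datetime.fromisoformat(uploaded_at)
    return {
        "author": info.get("Author"),
        "creator": info.get("Creator"),
        "created_utc": created.astimezone(timezone.utc).isoformat(),
        "minutes_before_upload": (upload - created) / timedelta(minutes=1),
        "edited_after_creation": modified > created,
    }


if __name__ == "__main__":
    # The upload time is an assumed value for the sample, not the one observed on the real file.
    for key, val in timeline(SAMPLE_PDF, "2020-02-12T14:33:01+00:00").items():
        print(f"{key}: {val}")
```

Two caveats when running this on a real file: PDFs that keep the Info dictionary inside a compressed object stream need a full parser (pypdf or exiftool) rather than the regex scan above, and the XMP packet, when present, can carry more than the Info dictionary does (creator tool version, document and instance IDs), so check both. A creation stamp only minutes before the upload, as in this case, is consistent with a document produced specifically for the campaign rather than a reused template.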
Reporting the PDF to Google
Returning to the Google Drive page, I accessed the "reporting" drop-down menu and filed a report to Google for the document, flagging it as illegal.
The Google reporting tool accepted the report.
Reporting the Scammer to LinkedIn
I then returned to the original message in LinkedIn and accessed LinkedIn's reporting tool through the "..." menu in the top right.
I selected "It's spam or a scam."
Then "It's a scam, phishing or malware."
LinkedIn then flagged the message, moved it to the spam folder in my messages and, hopefully, flagged the account for investigation.
Since I was not a connection of the real account owner, I doubt I was the only recipient; others may simply have ignored or deleted the message without reporting it to LinkedIn as I did.
Possible Next Steps
Had I been engaged professionally to investigate and advise the account owner or a victim, I would have continued to:
- Research the Gmail account for linked social media profiles.
- Evaluate the options for replying to the Gmail address with a tracked link, to attempt to identify the scammer's location or other details.
- Search for online references to Rick Caldwell and the Gmail address. There are forums and sites that aggregate reports of scammer identities, the messages and documents used and sometimes the email header metadata from the scammer's direct emails.
Lessons Learned
- Account takeovers of this kind can happen to almost anyone.
- Using the same password on multiple sites makes you more susceptible to an account takeover.
- Everyone should use a UNIQUE password for LinkedIn and all important sites.
- Clicking on unknown and unsolicited links is generally not a good idea, unless you know what you are doing.
Note: in this case the link was less risky than usual because it led to a file on Google Drive rather than to an unknown or untrustworthy website, and Google scans uploaded files for known malware. That is not a guarantee: Office documents with macros and PDFs with embedded scripts or links are common malware carriers, so prefer the in-browser preview over downloading and opening such a file locally, and inspect anything suspicious in a disposable virtual machine.
Patent-Pending Synergistic Reputation Repair™ for GenAI Misinformation & Online Reputation Management (commented 5y ago):
Thanks so much for the detailed article! Everyone should read it to be mindful of scams on LinkedIn.
Professional Investigator; Owner, Cascade Diligence Partners (commented 5y ago):
Very well researched and nicely laid out, Nick! Way to keep us on our toes. Perhaps they are related to the generators of Christa Blair. LOLZ. https://pursuitmag.com/anatomy-linkedin-hustle/