In addition to being annoying, spam emails coming through LinkedIn could be a tool for Russian hackers to exploit zero-day vulnerabilities in iOS and Windows, according to cybersecurity researchers at Google. Zero-day vulnerabilities are security holes that are unknown to the developers of the software targeted by hackers.

According to research from Google's Threat Analysis Group (TAG), published on Wednesday, the malicious LinkedIn spam campaign targeted “government officials from Western European countries.” The zero-day vulnerability was found in WebKit, a rendering engine for Apple used by major iOS browsers.

If a target clicked on a malicious link in one of the LinkedIn spam emails, the user would be taken to a website controlled by the hackers, who could then steal authentication cookies from Google, Microsoft, LinkedIn, Facebook and Yahoo. But according to the Apple, this zero-day vulnerability, called CVE-2021-1879, was fixed by the company's developers in March 26.

Exact numbers are not known, but there are thousands of monthly alerts.

Shane Huntley, director of the Google TAG group, which organized the survey, wrote in a email to Motherboard saying that researchers do not have access to the exact number of people who have actually been hacked by LinkedIn spam. He says that the group sends “more than 4 alerts to our users every month about attempts by government-backed hackers or other illicit actors to infiltrate their accounts.”

Furthermore, Huntley also stated that there are “strong linkages between the attacks and previous known operations attributed to Russian government actors.” The fact is that hackers, Russian or otherwise, are indeed a big problem for LinkedIn. In late June, a report from another cybersecurity firm showed that hackers had leaked information from 700 million accounts of the professional platform, the equivalent of 92% of all LinkedIn users.

Image: Souvik Banerjee / Unsplash