Linktree Phishing

Primer

Linktree is used primarily in Instagram profiles: it gives a user a single customizable page that collects all of their social media links (Facebook, YouTube, etc.).

Linktree does not validate or sanitize the links a user adds, so a profile can point to anything, including phishing pages and malicious file downloads.

The reason this works so well is that many URL analysis tools only inspect the URL that lands in the user's inbox. If that URL sends the user through several hops, here a Linktree page, before the actual phishing link, the analysis tool has a much harder time protecting the user.
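A defender's view of the point above, as an added example that is not part of the original page: a small Python checker that, instead of stopping at the URL found in the inbox, recognises a link-aggregator host (linktr.ee, the one named here) and expands the aggregator page's outbound links so that each real destination can be scanned. The sample e-mail, the page HTML and the example.* destinations are constructed for the demonstration; the `fetch` callable stands in for whatever sandboxed fetcher a mail-security pipeline would actually use, and the aggregator host list is a defender-maintained list, not an exhaustive inventory.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose pages are only an indirection step (assumption: a defender-
# maintained watch list; linktr.ee is the one discussed on the page).
AGGREGATOR_HOSTS = {"linktr.ee", "www.linktr.ee"}

# Path suffixes that indicate a direct file download rather than a web page.
DOWNLOAD_SUFFIXES = (".exe", ".msi", ".zip", ".iso", ".scr", ".hta")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def extract_urls(text):
    """Return the URLs found in a message body, in order, without duplicates."""
    seen = []
    for u in URL_RE.findall(text):
        u = u.rstrip(".,;")  # trailing punctuation from the sentence, not the URL
        if u not in seen:
            seen.append(u)
    return seen


def is_aggregator(url):
    host = (urlparse(url).hostname or "").lower()
    return host in AGGREGATOR_HOSTS


def looks_like_download(url):
    return urlparse(url).path.lower().endswith(DOWNLOAD_SUFFIXES)


class _AnchorCollector(HTMLParser):
    """Collect every href on a page (generic anchor parsing, not tied to
    any particular Linktree markup)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def outbound_links(page_html, page_url):
    """Return the external absolute links on an aggregator page: the hop an
    inbox-level scanner never sees. Links back to the aggregator itself and
    relative links are dropped."""
    parser = _AnchorCollector()
    parser.feed(page_html)
    page_host = urlparse(page_url).hostname
    out = []
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if host and host != page_host and href not in out:
            out.append(href)
    return out


def expand_message(body, fetch):
    """Walk one hop past every aggregator URL in `body`.

    `fetch(url)` must return the page HTML for `url`; plug in a sandboxed
    fetcher in a real pipeline. Each finding names the URL that was in the
    inbox, the destination a scanner should actually analyse, whether it was
    reached through an aggregator, and whether it is a direct file download."""
    findings = []
    for url in extract_urls(body):
        if is_aggregator(url):
            targets = outbound_links(fetch(url), url)
            via = True
        else:
            targets, via = [url], False
        for target in targets:
            findings.append({
                "entry": url,
                "target": target,
                "via_aggregator": via,
                "download": looks_like_download(target),
            })
    return findings


# Constructed sample input: the lure e-mail and the aggregator page it points to.
SAMPLE_EMAIL = (
    "Hi team, HR has refreshed the benefits portal, everything is on our links page:\n"
    "https://linktr.ee/example-hr-profile\n"
    "Thanks"
)

SAMPLE_PAGES = {
    "https://linktr.ee/example-hr-profile": """<html><body>
<a href="https://linktr.ee/example-hr-profile">Profile</a>
<a href="https://www.example.com/">Company site</a>
<a href="https://benefits-portal.example.net/login">Benefits portal</a>
<a href="https://downloads.example.org/handbook.exe">Employee handbook</a>
</body></html>""",
}


def demo():
    """Expand the constructed sample; returns the findings a scanner would queue."""
    return expand_message(SAMPLE_EMAIL, SAMPLE_PAGES.__getitem__)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The inbox-level scanner only ever sees the single linktr.ee URL; after expansion it has three concrete destinations to analyse, one of which is a direct executable download. Running the expansion inside a sandbox (and treating aggregator entries as "unknown" until expanded) is the practical mitigation for the indirection described above.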

Getting Started

  1. Navigate to https://linktr.ee and grab yourself a fresh URL (it looks like https://linktr.ee/victimuser).

     Caveat: the username can only be changed once every 7 days. Linktree's own warning reads:

     "Once you change your username, your current QR code and URL for @victimuser will no longer work. Your username can only be changed once every 7 days."

  2. Change the profile image to match the target's profile picture (e.g., grab the banner image from their website, or grab someone from HR's profile picture from LinkedIn).

  3. Add your links to the profile (recommendation: add several, so it looks the way a legitimate Linktree account would).

     Linktree also comes with its handy-dandy click counter!

  4. The Linktree will resemble what is shown in the phone icon on the right-hand side of the screen.

  5. QR code analysis won't be able to defend against this!
