That's an excellent question, especially since LinkedIn publishes an SPF record specifying both the IP ranges and the second-level domain name of legitimate MXes for its mail; prior to the DNS hijack, I'm not sure how it would be possible to carry out the phishing attack without giving any hint of foul play. (I do implicitly assume such hints would've stopped the target from clicking the bogus link, but given the way he's described in the article, I think that's not too unreasonable an assumption.)

SPF only checks the message envelope. His target's email provider may not correlate the MAIL FROM statement in the envelope with the From header inside of the message content. Some large webmail providers will use this mismatch as a cue to send a file to the spam folder.

Delivering a targeted phish requires situational awareness, but it's quite feasible to pull off something convincing.

http://blog.strategiccyber.com/2013/10/03/email-delivery-wha...

But if you control the DNS, you can serve a fake LinkedIn from linkedin.com. Can't do https though.

Edit: Ignore it, I forgot he didn't control the DNS at that point. So this is invalid.

But the attacker didn't yet control the DNS when he sent the link to the exploit; he needed the exploit in order to compromise the router and put the DNS hijack in place. So I'm not sure how the hell it worked.

Note that at that point in the attack, he had not yet gained access to the router, so he didn't control DNS yet.

Oh yes, I missed that fact. Sorry.

Exactly, I'm not much of a techie, but checking the domains of suspicious links is the first thing I do.

The problem with most phishing emails are that they suck - they don't even pass a cursory smell test. A linkedin from someone I know who I'm not already connected with (not too hard to figure out potential connections especially if you've worked for small companies), worded exactly like a linked in email only changing the accept button link? Odds are I'd click and not look at the link target.