by icebraining 4455 days ago
Hmm, I thought ClearClick would catch that, but apparently it doesn't. That's unnerving. Even ABE lets it through.

That said, it would still require the victim to load the fake LinkedIn page (with the wrong domain), which is more likely to look suspicious.

And it would've loaded the router page after the POST (instead of redirecting to LinkedIn), which would definitively signal that something was wrong.

1 comments

Nah, you just set target="iframe name" on the form and post into a (hidden) iframe. Then in 2 seconds you redirect to LinkedIn. In my experience, getting clicks from targets is easy. One simple way is to show a page with a single link that just says "Redirecting". After a moment most users will just click the link.