When most people think of LinkedIn, they think of it as a business networking site intended to help like-minded professionals connect. When threat actors think of LinkedIn, they see it as a great way to bypass your company's defenses.
The average person wouldn’t ever consider a social networking site as a gaping vulnerability into their company or corporation. But with global spending on cyberattack products and services predicted to exceed $6 trillion cumulatively over the next 5 years, the stakes are only set to get higher, as attackers take aim at enterprise IT infrastructures and databases that provide the largest potential payouts.
“Attackers' sophisticated social engineering tactics far exceed most organizations’ defensive capabilities," says Zach Lanier, Director of Research at Cylance. "That sophistication is only going to continue to grow in future. The perpetual cat-and-mouse game that both the public and private sectors have dealt with for years - and continue to deal with on a daily basis - has given rise to the repeated public exposure of financial, medical, governmental, and even critical infrastructure data. Meanwhile, attackers continue to break into some of the most secure organizations in the world, usually via the weakest link: the endpoint."
So how can professional networking sites such as LinkedIn put your enterprise at risk? Let’s take a look at some of the most commonly seen social engineering techniques, and how to guard against them.
As usage and adoption of the LinkedIn platform grows, so too does the interest of malicious actors. Companies have invested a large percentage of their budget in perimeter security and purchased products to block sites with poor reputation scores. However, LinkedIn handily circumvents both of these security layers.
Network filters don’t typically block LinkedIn, in order to allow employees to engage in online networking, chat or blog about the company in a professional environment, and for the HR department to use LinkedIn’s online job services to find new employees. LinkedIn is a popular and well-established site, so the majority of reputation-based security products will allow any employee to access the site.
Let’s define the ways attackers can utilize LinkedIn to compromise an organization:
Spear phishing is the easiest and quickest way an attacker can compromise an organization via an unsuspecting employee. For example, malicious attackers may send you a link via LinkedIn promising something enticing: a free gift, a job offer, or an important corporate connection, and so on. That link sends you to a compromised website which asks you to create a free account using your name, email address, company name and location in order to view the content.
The site may also ask you to create a unique username and password, which the site will save and pass onto the attacker. If you reuse usernames and passwords (as many people do), there is a chance that you may use that same information to log into your work systems, VPN, cloud servers, etc. All it takes is one person at a company to reuse their work login credentials for an attacker to potentially gain access to your entire corporate network and all of its data.
LinkedIn is the perfect playground for attackers who want to get easy, quick, and free access to 'insider' corporate information. It all comes down to social engineering – defined as taking advantage of unsuspecting users to give up information that will allow attackers to piece together an attack.
Here’s an example:
A threat actor creates a fake LinkedIn profile known as a Honeypot that looks convincing and enticing to a person in their target industry. The profile picture will show an attractive, professional-looking person with a large network of connections. Their job will be at an influential company such as Google or NASA. The attacker then uses the Honeypot profile to 'Friend' a manager at your company.
Once they’re connected to that person, the attacker can then fairly easily add more and more people from your organization, since many people will see that familiar manager as a mutual friend, and therefore think that the new connection must be legitimate. The attacker banks on the fact that many busy professionals don’t dig too deeply into the profiles of people who ask to connect on LinkedIn beyond clicking on the profile and taking a cursory glance at their last few jobs.
Eventually, the threat actor has gathered a large circle of legitimate employees of their target company on LinkedIn. They can then start Phase 2 of their social engineering scam, which would typically be to message their new ‘friends’ and start conversations about their company under the pretense of seeking a job there.
They may ask questions about executives in charge of hiring, what the company does, how it works, etc. They may spin stories about how their dream has always been to work at this company, about how they are one rent payment away from losing their apartment – anything to make employees feel sorry for them and want to help them.
The unsuspecting victims in this case may then give out small nuggets of data that, while seemingly harmless on their own, allow the attacker to accumulate enough facts over time to eventually pass muster as an actual employee.
Suddenly, the attacker now knows that your boss isn’t on LinkedIn much as she prefers to network via Facebook. They know that the Marketing team is currently at an industry conference in Germany during February. They know the names of 50 people at your company, and each of those people may be willing to prep them for an interview and meet them for coffee in the company kitchen – after holding the security door open for them - if they mention they’re coming in for a (fake) job interview.
In these days of artificial ‘Friending’ via social media, many people are all too willing to like and trust a person they’ve only chatted to briefly online, despite the very real potential for their friendliness and empathy to be abused.
Should an attacker strike it lucky and connect with the company chatterbox – a person who loves sharing gossip both personal and corporate – the security risk increases. People who would blindly trust a stranger with their personal gossip make an easy target for an attacker to gather intel to be used for phishing campaigns or similar attacks. Instead of wasting time sending phishing emails to an entire organization with thousands of employees, the attacker can then precisely target just a handful of people using insider info gained from such a person.
For example, if Mr. or Ms. Chatterbox has told them that Bill who works in accounting has a soft spot for animal rescue groups and owns a greyhound, there is a higher than average chance he’ll read an unsolicited email newsletter about saving abused greyhounds. He may even click on a link marked ‘DONATE,’ which invisibly downloads a keylogger to his company computer. And presto! The attacker has gained access to his corporate network - and the financial records on his local machine.
Corporate email scanning is almost completely circumvented in a LinkedIn social engineering attack, because most people sign into LinkedIn using their personal email addresses - not through their company email.
Also, many professionals on LinkedIn post their personal email address in their summary at the top of their profile, particularly if they are seeking new employment and are keen to keep this a secret from their boss. Because users are logging in through their personal email addresses, emails sent to and from these accounts may not be scanned or encrypted by their company email security software.
The fact of the matter is if an attacker can get around your perimeter security via social engineering, the only thing left to stop them from gaining access to your company network and servers is your endpoint security solution. That means protecting each individual endpoint is critical.
The likelihood of receiving an email with a .exe attachment is not as high as it used to be, before awareness of this particular attack vector spread. Most email providers have stopped allowing .exe files to be sent as an attachment. But this won’t stop actors from sending a malicious Word or Excel document - a file we may be less wary of opening – or an infected link.
The reality is, most people don’t even know that LinkedIn fraud exists. People trust that if a person has an account on the platform, they are at least a real person. However, there are still a lot of new users who will blindly accept any friends or connections that come through their profile, hoping to grow their network and become more popular the way they would grow their Facebook or Twitter following. But LinkedIn friends aren’t the same as Twitter followers, as they can access all your personal information. And having more connections on LinkedIn doesn’t mean you’re more popular.
For those who know at least a little bit about LinkedIn security, receiving a friend request from a profile with no connections would be an obvious red flag. But if the account has a lot of connections - particularly shared company connections - it’s less likely to stand out to a user as being suspicious. By utilizing ‘under the table’ online services like Fiverr, attackers can spend very little money to automatically generate a large network. Groups like the LinkedIn Open Network (LION) allow potential attackers to find a large group of connections at minimal coast.
Many recruiters on LinkedIn will accept invitations from anyone and everyone with even a tenuous industry connection. They are less cautious than the average user because they are trying to build a potential candidate pool to fill open positions.
This drive to connect can very quickly turn them into Linkedin power users. The more experienced a recruiter gets, the more tips and tricks he or she will learn to get to the cream of the crop as quickly as possible, including automating their often tedious LinkedIn fishing for potential job candidates.
If the attacker connects to one or more of your company’s recruiters and then runs a script like this on their profile page, then a great number of connections at your company can be made legitimately without using services like Fiverr or connecting with LION members.
Yes and no. LinkedIn has a number of policies in place around sending invites to connect with strangers, but it’s really only a red flag to their security systems when a large number of people reject a user’s connection request and select the option that warns LinkedIn, “I Don’t Know This Person.” But if the attacker is connected with many other people they know, then chances are the user will accept the invite.
Now let’s say they don’t, and enough people do click “I Don’t Know This Person,” then the potential attacker would have to enter a valid email address. So, you are protected at this point, right? Not really.
LinkedIn has a great number of forgiveness policies built around their services, because people are – well, people. We’re human. We forget passwords and usernames. We want to connect with our favorite author or actor or the guy we met at the convention who said he could get us a job at XYZ company.
The second time you get caught then you must call and have your account unlocked. The third time you can’t make the call, but if you buy a premium plan with LinkedIn they will let it go again. Although forgiveness may be a human trait, with automated forgiveness, an attacker is given multiple chances to chip away at a company’s defenses and gain access to its employees – and all without leaving the privacy of their home.
Employee training is a great way to start. If you run or manage a business or enterprise, security awareness training should be top of your list when it comes to planning your cyber defense strategy for 2017 and beyond. Basic training is free and there are plenty of resources available on the Internet to help you educate your employees on “what not to click.”
Where LinkedIn is concerned, all employees should be reminded regularly via your internal eblasts and newsletters not to accept LinkedIn Friend Requests from people they do not know. They should be made aware that just because a LinkedIn user appears to have connections to the company, making a fake profile is extremely easy and adding company ‘friends’ can be automated.
Some of these might be the sign of a lazy or busy professional, but three or more of these signs on a LinkedIn profile may indicate that it’s fake:
1. “Too good to be true” credentials – It is very unlikely that an executive from a top brand name in your industry would send an unsolicited friend request to you if you’re an intern. If a friend request sounds too good to be true – it probably is.
2. A sudden increase in number of friend requests – We get that you’re a likable and popular person. But if you suddenly experience a dramatic increase in the number of friend requests you receive each week, this could be a tell-tale sign of an attacker trying very hard to get you to connect so they can view your full profile – and all the useful company info it may contain.
3. Odd misspellings or incorrect capitalization - If John Smith’s profile reads john Smith or jOhn SmiTh, this may mean the profile was created by someone in a hurry who is making multiple profiles and not proofreading carefully.
4. Only one job listed – Despite the profile picture showing someone who is clearly not an intern or recent graduate.
5. Profile picture looks too ‘perfect’ – If the profile picture looks like it is taken from a stock image site or cropped from an online newspaper or magazine, it probably is. Try uploading it to Google Images to do a reverse image search (https://images.google.com/) and see if you get a match.
6. Location does not match company – If someone says they currently live in Iceland but work at the Google headquarters in Silicon Valley, unless they list their job as 'telecommute,' this may be a flag for you to look deeper into the profile.
7. Weird location – Along the same lines, if you live and work in New York, but someone from Kentucky in a different industry is randomly requesting to connect with you, it’s wise to ask why.
8. Education timeline does not match work history – This one is tough to spot at first glance, but if someone has 10 jobs listed going back to 1976, and their graduation date is 2011, that’s obviously not right.
9. No Recommendations – It is a lot of work to create fake ‘Recommendations’ (endorsements written by ex-employers or co-workers), so most scammers skip this step.
10. No engagement with LinkedIn Community – If a profile says that this user is the CEO of a big IT firm, but they are not members of any online IT forums, clubs or societies, nor have they posted anything on their timeline, either they have just joined LinkedIn or this is a red flag.
11. No online published work – If the profile says that the user is a writer or marketer, but they have not included any links to past work, such as blogs, websites, or LinkedIn Pulse blogs, chances are this is a fake profile.
12. No work samples – Again, if the person’s job title says they are an experienced artist or designer but they have no links to an online portfolio and no work samples included on the page, this is suspect.
13. URL is not customized – On LinkedIn, it’s possible to customize your profile URL – ‘JohnSmith1966,’ for example. A scammer will usually neglect this step and the profile page URL will have a number instead of a name at the end of it – ‘https://www.linkedin.com/in/53162516932615’, for example.
14. Incorrect industry information – If someone claims to have “been using Photoshop since 1980,” this is obviously untrue because the program wasn’t invented till 1988. This is another one that can be hard to spot.
You’ll be doing LinkedIn and all of its users a favor by flagging suspected fake profiles.
1. Click the down arrow next to ‘Send a Message or Send InMail’ in the top section of the member’s profile.
2. Select ‘Block or Report’.
3. Select the ‘Report’ option to submit the profile to LinkedIn.
4. Click Send.
The dropdown for the ‘Report’ option reads:
Despite the best efforts of employers, employees still love to click on things. That’s why it’s a good policy to deploy an endpoint security product that actually works. To defend your company against phishing and email-based attacks, script-blocking and macro-based protections need to be in place. Exploit prevention is also important. Having a security product that covers these areas is crucial for blocking these social engineering attempts.
While we can’t stop your employees from downloading endless cat pictures, we do have the tools and technology to protect your company from any fallout. Our flagship endpoint protection productCylancePROTECT® covers your bases in all the areas mentioned above, from script blocking to advanced macro control.
CylancePROTECT harnesses the power of artificial intelligence and machine learning to prevent any nasties your employees inadvertently download from running, blocking them pre-execution, and providing you with peace of mind.
To learn more about the power of CylancePROTECT, contact a Cylance expert to get started.