Social Networking: Who Are You Connecting With?

Most of us know to ignore those emails from Nigerian princes claiming to need your bank details so they can deposit millions of pounds into your account. Or that message from a stranger who is stranded in a foreign city with no wallet and will repay you double the amount you lend…promise… 

But would you ignore an approach from a business profile on LinkedIn who already has links to your connections?

According to our email security partner Symantec, a growing number of hackers are using LinkedIn to create fake profiles and mislead business professionals into giving up some of their personal information.

Symantec recently conducted an investigation which found over two dozen fake profiles, all part of a targeted attack on LinkedIn’s user base. The profiles were all posing as recruiters, and mainly took their photos from stock websites or even various ‘adult’ sites. The job descriptions they posted were copied from existing adverts.

The thing about posing as a recruiter is that most people on LinkedIn expect to get a cold-call approach from people in that industry. One of the scammers had duped over 500 people on LinkedIn into connecting with them, and some of the profiles were even able to showcase people who had endorsed them as a recruiter.

All this is in aid of getting profile information which they can use in an attack later – perhaps a phishing attack, or perhaps some email spoofing which is something I talked about in my previous blog post.

It’s a very sinister form of social engineering (not that you’d find a case of social engineering that wasn’t sinister). It relies on the human factor, trying to get people to let their guard down because they can see something in it for them – those who are searching for a new job, for example. Or those who are big on celebrities, which I assume was the ploy when I had this familiar-looking guy appear as ‘someone I might know’.

This one isn’t a bad attempt at a real profile – however, the engagement photo (not professional enough for LinkedIn, Wills!) and the small number of connections triggered a fair amount of suspicion.

However, less obvious accounts can cause real damage. Let’s say someone decides to imitate a political figure or a well-known businessman who currently has no internet footprint. It takes a minute of searching to confirm that they don’t already have a Facebook, Twitter or LinkedIn account. And there’s no real security measure in place that would stop you from creating a fake account in their name (at least not at first).

Once the account is up and running, you start by adding a few random people that you could imagine your fake account would have some sort of connection with. Provided they don’t get wise to the account being fake and they accept you, you then have the building blocks in place.

It soon becomes clear that the account you’ve just added has connections or friends of its own, who notice you’re a newfound connection and want to be part of it too; they add you, and you accept without hesitation.

As you grow your fake account’s network by sharing posts, joining groups and tricking more unsuspecting people into adding you, you will find that the social network does the hard work for you – you become well advertised, and more people start to add you because they think you are genuine.

And why not, considering that at this stage you have nearly 50 connections or friends – surely all 50 cannot have been tricked into thinking you’re real?

The more well known your fake account becomes, the more power you have at your disposal. Your connections have automatically granted you their trust because you pressed that all-powerful “Accept” button. You can talk to them, ask them for information, or potentially harvest as much personal information as is available to you – after all, some social networking sites (especially Facebook) make a great deal more information available once you have accepted a ‘Friend Request’.

Symantec worked with LinkedIn to remove the fake accounts which were part of the recruiter attack. They wrote an article, which you can read here, about how they identified them, along with some advice for LinkedIn users on accepting new connections.

In summary though: be sceptical. And think about how the information you’re posting online could be viewed by someone with less than honourable intentions.

Which is also the subject of Sophos’ Advent Calendar today – Think Before You Share On Social Media.