Imperial, California - Hackers have begun using LinkedIn, the popular social network for business professionals, to create better phishing attacks. Already, one breach – at Vevo – has been attributed to the practice.
According to a report by USA Today:
Cybersecurity firms say criminals have figured out how to subvert the network by posing as authentic, boring, cubicle-office dwellers.
They’re also posing as exotic looking female photographers and high-level executives that don’t actually have LinkedIn profiles.
It starts with a simple request to connect. LinkedIn is all about connections and networking and given the generally constructive nature of the network—people tend to be a little more trusting.
That’s apparently a mistake.
And that’s honestly the saddest part about this. There is an unfortunate cycle of life on the internet, people forget before Facebook was awash with fake news and catfish accounts that it was a social network for American college students. My high school girlfriend met and picked her roommate for her freshman year at Georgetown on Facebook. Nowadays that could get you killed.
My point is, here is yet another place on the internet where the good faith is gone. For your own safety it’s best to best skeptical of every new request, be mindful of any information you disclose and to whom. It’s just sad.
The most common way hackers are exploiting LinkedIn is to enhance their phishing attacks. This is called spearphishing. It’s a practice where hackers socially engineer a believable touchpoint – usually an email – that it will convince a person to take the desired action. A lot of the time the target isn’t the person being phished, but rather where that person works. That individual’s computer or credentials could serve as an access point to a larger network.
When you think about it, what better place to grab the details to create the perfect email to phish someone at work than their LinkedIn profile? You can find email addresses, work histories, connections. It’s a bounty of details.
And then there’s a couple of other more niche ways that LinkedIn has been exploited as well.
One is just a take on the Facebook play of creating a fake profile and playing the long game. This is relatively low stakes and can pay off big time even with a low ratio of success.
The other is to create profiles for people that don’t have them. Another Facebook play, but one made more effective by the fact that the hackers can typically use Wikipedia pages to convincingly pose as high-level executives in big companies.
The bottom line is that you need to start being more careful on LinkedIn.
If you get a request from someone you don’t know, check and see if you have any mutual connections. Be guarded. And be careful what you put in writing.
Above all, use common sense.