Are You Safe on LinkedIn?
False personas on LinkedIn may be targeted attacks, and requests to connect should be viewed with caution.
I am on LinkedIn. You probably are as well. I thought it was safe to use, but I've learned you need to be careful, because there are those who use LinkedIn to attack you and/or your organization.
They do this by creating false profiles and contact information. If you work on your computer, it can be used as an avenue (proxy) into your business systems. If you don't know the person requesting to connect with you, be careful; it may be an attack. Even if the LinkedIn profile looks legitimate, that does not mean it is reliable or truthful information.
Who to Watch
A blog by Dell SecureWorks, "Hacker Group Creates Network of Fake LinkedIn Profiles," provides details of the falseware, how it works, and what the goals are for the false LinkedIn user. Dell SecureWorks Counter Threat Unit (CTU) researchers uncovered fake LinkedIn profiles generated by a group they call Threat Group-2889. The profiles are part of a self-referenced network of valid and maybe trusted LinkedIn users. The CTU researchers determined that the purpose of this network is to target potential victims through social engineering.
What a False LinkedIn Contact Looks Like (It Looks Real)
Fake LinkedIn accounts fall into two categories: fully developed "Leader" personas and "Supporter" personas. The report includes a list of discovered personas in TG-2889 that may be worth looking at; who knows, you may have already been contacted. The profile details suggest that substantial time and effort have been invested to create and maintain these personas. The photos used in the false accounts are most likely of innocent individuals who have no connection to this activity.
Leader personas display a full educational history, past job descriptions, affiliations, interests, endorsements, sometimes vocational qualifications, and LinkedIn group memberships. Six of the eight identified Leader personas in TG-2889 have more than 500 connections.
When a fake recruitment consultant displays a job description, it may be genuine. The job description can be a copy from a legitimate job posting from a real employer, used to entice you to respond.
Fake Endorsements
The Supporter personas provide LinkedIn skills endorsements for Leader personas. This adds legitimacy to the Leader personas, making these accounts appear as less of a threat. Most of the Supporter accounts endorsed skills listed on the Leader profiles. CTU researchers believe that the threat actors use Supporter accounts to provide the Leader profiles with an established network of connections, which enhances the Leader's credibility.
LinkedIn Users as Targets
Establishing a network of what appear to be genuine LinkedIn personas helps the attackers identify and research potential victims. They try to establish a relationship with individuals by contacting them directly, or by contacting one of the individual's LinkedIn connections. It is easier to establish a direct relationship if one of the fake personas is already in the individual's LinkedIn network.
Five of the eight Leader personas claim to be recruitment consultants who are looking for job candidates. This produces a trusted relationship. The attackers may then use spear phishing or malicious websites to compromise victims. The trusted relationship significantly improves the tactic's success.
Legitimate LinkedIn users have also endorsed Leader personas without knowing they are fake profiles. Endorsements are promulgated by the user's connections. This indicates that these legitimate users are part of the Leader personas' networks, and are likely TG-2889 targets. Examination of the profiles associated with the endorsements revealed 204 potential targets, a number which has probably increased since the Dell study was published in October. As shown in the figure below from the Dell report, most are based in the Middle East.
Responding to the LinkedIn Threat
You may observe that the profiles get revised, as employment history is regularly maintained. The persona changes and job updates may signal a new attack campaign is coming. Referencing particular types of business, e.g. financial, indicates that the threat promoters plan to target a specific vertical market.
There are likely other personas not yet identified. It is also possible there are other unidentified threat groups. CTU researchers advise organizations to educate their users about the specific and general risks in their report:
- Avoid contact with known fake personas.
- Only connect with individuals you know and trust.
- Use caution when engaging with members of colleagues' or friends' networks that they have not verified outside of LinkedIn.
- When evaluating employment offers, confirm the individual is legitimate by directly contacting the purported employer.
Organizations should police abuse of their brand on LinkedIn and other social media sites. When an organization discovers that a fraudulent LinkedIn persona is claiming an association with the organization, the organization should immediately contact LinkedIn. Posting false identities and misrepresenting any association with an organization is a breach of LinkedIn's terms and conditions.