The rise of LinkedIn fraud

In the recent months I’ve started noticing something strange – too many connection requests from people I do not know. Since I’m working in the cybersecurity industry, I’m very careful with whom I add on LinkedIn. Most of these requests were what I would deem safe, but an alarming number of them started originating from obviously fake profiles. And for a good reason – I am the CEO of a company, making me a high-value target. What do these fraudsters need my information for? 

Most likely for phishing campaigns – they are among the most popular means to acquiring a target’s security credentials and personal data. One report revealed a large number of hackers who were speculated to be have operating out of Iran. Creating dozens of fake LinkedIn accounts by posing as corporate headhunters, they sought to snag working professionals in industries such as telecommunications and even government agencies. Once the approach and the trap is laid with successful results, the targets are enticed into giving up information such as business emails.

Acquiring important business emails is key, as this brings hackers the targets that they seek. When a successful phishing campaign is completed, the stolen employees’ sensitive data could be used to engage in more effective phishing campaigns all over again. By gaining access to significant data such as titles, reporting structures and emails, the hackers gain the means to assume the identity of senior management.

Even more-so, communicating through the hacker company emails could see malicious hackers pretend to be a member of the board, the CEO, a senior executive and most times, the CFO. Usually, the communication is made toward an employee who is below the hacker’s assumed position in the corporate hierarchy. There are plenty of instances when an employee is forced to transfer money, at the behest of the faux executive or senior to the hacking impersonator’s account.

Inversely, a hacker could also assume the identity of a supplier to the business, sending in a vendor email that can easily be mistaken as routine communication. Vendor emails are either compromised or spoofed with subtle changes, an extra character here or a removed one there – which would, in essence, make the email appear legitimate. The scale of such an operation only unravels when targeted employees seek to verify the transaction.

Another instance wherein emails are clearly deemed an effective hacking vulnerability is malware-laced attachments that tend to infect targeted computers entirely. The most prominent example of financial malware is that wielded by the Carbanak cyber gang. Altogether, the cybercriminal outfit is speculated to have stolen $1 billion from over 100 financial institutions around the world.

The payload is triggered when banking employees click a phishing email. This particular campaign targeted employees responsible for the handling of the financial institutions’ software and ATM protocols. The malware kicks up a gear with a remote access tool (RAT) that takes snapshots of the targeted computer’s screen before sending it back to an offshore hacker. The credentials displayed on the screen is used to siphon money from the bank accounts to the hackers’ accounts.

All of the above, entirely rendered plausible when hackers and fraudsters are setting up fake LinkedIn profiles.

Significantly, a lot of the fake, fraudster-led profiles have common themes and follow a specific pattern.

• They predictably use photos of attractive women from stock images. Several profiles also contain pictures of real professionals, in order to seem more convincing.
• The fraudulent accounts assume the identity as a recruiter of a fake firm. Alternatively, they also assume the mantle of being ‘self-employed.’
• Lazily, a lot of fake profiles have their content copied from other profiles of real professionals.
• The profiles are littered with keywords, so as to ensure that the profile shows up among the top search results.

Why recruiters, you ask? A lot of LinkedIn users are looking for better employment opportunities or, at the very least, seeking to catch the eye of a recruiter. Posing as a recruiter was the obvious choice for fraudulent users.

The epidemic of fake profiles grew to such an extent that the BBC published a story covering a report by security firm Symantec.

Security researcher Dick O-Brien told the publication: “Most of these fake accounts have been quite successful in gaining a significant network – one had 500 contacts. Some even managed to get endorsements from others.”

For its part, LinkedIn is usually adept in suspending accounts that are clearly in violation of certain rules set by the company, including one which decries the creation of fake profiles.

Dell’s counter-threat unit identified at least 25 fake profiles which, bemusingly, had links to over 200 legitimate LinkedIn profiles.

The ways to combat phishing campaigns or being wary of fake LinkedIn accounts is through employee awareness training. Adopting sensible caution is always a must, especially when the LinkedIn user contacting the employee isn’t one who is known personally. A good practice is to seek out confirmation about the individual by contacting the person’s employer directly. Or, as in my case, you might want to do a little “googling” on your own – this has worked great for me.

Let me know in comments if you had a similar experience and how you approached it.

Update Feb. 25, 2016 7:30 AM PT:  Since publication, I discovered a story, “3 Stunningly Good LinkedIn FAKE Profiles,”  which shows how believable and hard to recognize these accounts can be.