The rise of LinkedIn fraud

Feb 22, 2016 | 5 mins

Cybercrime, Fraud, Internet Security

There is an increasing number of fraudsters and hackers who are committing cyber crimes targeting LinkedIn users.

In the recent months I’ve started noticing something strange – too many connection requests from people I do not know. Since I’m working in the cybersecurity industry, I’m very careful with whom I add on LinkedIn. Most of these requests were what I would deem safe, but an alarming number of them started originating from obviously fake profiles. And for a good reason – I am the CEO of a company, making me a high-value target. What do these fraudsters need my information for? 

Most likely for phishing campaigns – they are among the most popular means of acquiring a target’s security credentials and personal data. One report revealed a large number of hackers who were speculated to have been operating out of Iran. Creating dozens of fake LinkedIn accounts and posing as corporate headhunters, they sought to snag working professionals in industries such as telecommunications and even in government agencies. Once the approach has been made and the trap is laid, the targets are enticed into giving up information such as business emails.

Acquiring important business emails is key, as this brings hackers the targets that they seek. When a successful phishing campaign is completed, the stolen employees’ sensitive data could be used to engage in more effective phishing campaigns all over again. By gaining access to significant data such as titles, reporting structures and emails, the hackers gain the means to assume the identity of senior management.

Even more so, communicating through company emails they have obtained, malicious hackers can pretend to be a member of the board, the CEO, a senior executive and, most often, the CFO. Usually, the communication is directed at an employee who is below the hacker’s assumed position in the corporate hierarchy. There are plenty of instances in which an employee has been pressured, at the behest of the faux executive or senior manager, to transfer money to the impersonator’s account.

Inversely, a hacker could also assume the identity of a supplier to the business, sending in a vendor email that can easily be mistaken as routine communication. Vendor emails are either compromised or spoofed with subtle changes, an extra character here or a removed one there – which would, in essence, make the email appear legitimate. The scale of such an operation only unravels when targeted employees seek to verify the transaction.
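The lookalike-domain trick described above (an extra character added, or one removed, so that a spoofed vendor address passes as routine mail) is something a finance or security team can screen for mechanically before anyone acts on a payment request. The following is an added example, not code from the original article: it compares the sender domain of each message against a constructed allowlist of known vendor domains and flags any domain within a small edit distance as a probable lookalike. The domain names, addresses and threshold are assumptions made for the illustration.

```python
"""Flag lookalike sender domains in vendor e-mail (added, constructed example)."""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Iterable, List, Optional

# Constructed allowlist: domains the finance team actually does business with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example", "contoso.example"}

# Constructed sample of From: headers as they might appear in an inbox export.
SAMPLE_SENDERS = [
    "Acme Billing <ap@acme-supplies.example>",   # genuine vendor
    "Acme Billing <ap@acme-suppIies.example>",   # 'l' swapped for capital 'I'
    "billing@northwnd.example",                  # one character removed
    "Contoso AP <ap@contosso.example>",          # one character added
    "noreply@newsletter.example",                # unrelated, not a lookalike
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character insertions, deletions and substitutions."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    status: str                 # "known", "lookalike" or "unknown"
    closest: Optional[str]      # nearest allowlisted domain, if any
    distance: Optional[int]     # edit distance to that domain


def sender_domain(header_value: str) -> str:
    """Extract the lowercase domain from a From: header such as 'Name <user@host>'."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(header_value: str,
                    known: Iterable[str] = KNOWN_VENDOR_DOMAINS,
                    max_distance: int = 2) -> Verdict:
    """Classify one sender against the allowlist.

    Exact matches are "known"; domains within max_distance edits of an
    allowlisted domain are "lookalike" (the extra-or-missing-character trick);
    everything else is "unknown" and simply gets normal scrutiny.
    """
    known = set(known)
    domain = sender_domain(header_value)
    if not domain or not known:
        return Verdict(header_value, "unknown", None, None)
    if domain in known:
        return Verdict(header_value, "known", domain, 0)
    closest = min(known, key=lambda k: levenshtein(domain, k))
    dist = levenshtein(domain, closest)
    if dist <= max_distance:
        return Verdict(header_value, "lookalike", closest, dist)
    return Verdict(header_value, "unknown", None, None)


def flag_lookalikes(headers: Iterable[str]) -> List[Verdict]:
    """Return only the senders that impersonate a known vendor domain."""
    return [v for v in (classify_sender(h) for h in headers) if v.status == "lookalike"]


if __name__ == "__main__":
    for v in flag_lookalikes(SAMPLE_SENDERS):
        print(f"LOOKALIKE  {v.sender!r:45} ~ {v.closest} (distance {v.distance})")
```

Run against the constructed sample, the three spoofed addresses are reported with the vendor domain they imitate, while the genuine Acme address and the unrelated newsletter domain are not. An edit-distance screen of this kind is a cheap first filter rather than a verdict: a flagged message should still be verified out of band, by phoning the vendor on a number already on file, as the article recommends.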

Another instance in which email is clearly an effective attack vector is malware-laced attachments, which tend to infect targeted computers entirely. The most prominent example of financial malware is that wielded by the Carbanak cyber gang. Altogether, the cybercriminal outfit is speculated to have stolen $1 billion from over 100 financial institutions around the world.

The payload is triggered when banking employees click on a phishing email. This particular campaign targeted employees responsible for handling the financial institutions’ software and ATM protocols. The malware kicks up a gear with a remote access tool (RAT) that takes snapshots of the targeted computer’s screen before sending them back to an offshore hacker. The credentials displayed on the screen are then used to siphon money from the bank accounts to the hackers’ accounts.

All of the above is rendered entirely plausible when hackers and fraudsters set up fake LinkedIn profiles.

Significantly, a lot of the fake, fraudster-led profiles have common themes and follow a specific pattern.

  • They predictably use photos of attractive women from stock images. Several profiles also contain pictures of real professionals, in order to seem more convincing.
  • The fraudulent accounts assume the identity of a recruiter at a fake firm. Alternatively, they claim to be ‘self-employed.’
  • Lazily, a lot of fake profiles have their content copied from other profiles of real professionals.
  • The profiles are littered with keywords, so as to ensure that the profile shows up among the top search results.

Why recruiters, you ask? A lot of LinkedIn users are looking for better employment opportunities or, at the very least, seeking to catch the eye of a recruiter. Posing as a recruiter was the obvious choice for fraudulent users.

The epidemic of fake profiles grew to such an extent that the BBC published a story covering a report by security firm Symantec.

Security researcher Dick O’Brien told the publication: “Most of these fake accounts have been quite successful in gaining a significant network – one had 500 contacts. Some even managed to get endorsements from others.”

For its part, LinkedIn is usually adept in suspending accounts that are clearly in violation of certain rules set by the company, including one which decries the creation of fake profiles.

Dell’s counter-threat unit identified at least 25 fake profiles which, bemusingly, had links to over 200 legitimate LinkedIn profiles.

The way to combat phishing campaigns, and to stay wary of fake LinkedIn accounts, is through employee awareness training. Adopting sensible caution is always a must, especially when the LinkedIn user contacting the employee isn’t someone known personally. A good practice is to seek confirmation about the individual by contacting the person’s employer directly. Or, as in my case, you might want to do a little “googling” on your own – this has worked great for me.

Let me know in comments if you had a similar experience and how you approached it.

Update Feb. 25, 2016 7:30 AM PT: Since publication, I discovered a story, “3 Stunningly Good LinkedIn FAKE Profiles,” which shows how believable and hard to recognize these accounts can be.

Ondrej Krehel is the Founder of LIFARS, a global cybersecurity and digital forensics firm founded in 2014 with offices in New York City, Bratislava, London, Geneva, and Hong Kong. Mr. Krehel holds multiple professional designations and certifications, including that of Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH) and Certified Ethical Hacker Instructor (CEI) for which Mr. Krehel is one of ten people in the United States to hold such professional status. In addition, in 2012 to 2013, Mr. Krehel served as Adjunct Professor, St. Johns University, teaching a broad spectrum of cyber security issues and solutions.

Mr. Krehel anchors and directs LIFARS' multi-faceted global team providing tailored cyber and digital security solutions ranging from emergency response, to assessment, to monitoring, to re-architecture, and re-building of multiple systems and networks.

Previously, Mr. Krehel served as the Chief Information Security Officer of Identity Theft 911 LLC from October 2009 until 2013. He has over a decade of network and computer security experience investigating intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. Mr. Krehel has served as digital forensic examiner in the New York office of Stroz Friedberg, where he led computer security and forensics projects internationally and in the U.S., and was instrumental in detecting, investigating and combating intrusions and data breaches. Mr. Krehel also served as an IT technical security project leader at Loews Corporation, where he implemented technical security solutions, and was responsible for providing the first line of response for all cases involving the compromise of networking equipment, servers and end user machines. He began his career as a computer analyst at the government-owned utility company Slovenske Elektrarne A.S., in Bratislava, Slovakia, where he focused on information security and emergency security incident response for their nuclear, water energy and coal power plants.

Mr. Krehel is a member of the High Technology Crime Investigation Association (HTCIA), the Information Systems Security Certification Consortium (ISC) and the International Council of Electronic Commerce (EC Council). He has an M.S. degree in Mathematical Physics from Comenius University in Bratislava, and an Engineering Diploma from Technical University in Zvolen, Slovakia. He has also completed multiple courses in intrusion and forensics training, including Access Data Boot Camp and Niksun forensics training.

His professional work in cybersecurity and digital forensics has received media attention from CNN, Reuters, CNBC, Forbes, Bloomberg, The Wall Street Journal and The New York Times.

Mr. Krehel is a Speaker at the world's leading cybersecurity events for many years, including RSA in San Francisco, CEIC, HTCIA, RIMS, QuBit Prague, ICS South Africa, and is the author of numerous cyber industry articles.

The opinions expressed in this blog are those of Ondrej Krehel and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.