LinkedIn is rapidly becoming an essential platform for organizations to grow their brand, recruit employees, and keep their followers informed on the organization’s latest products and other corporate news. As the channel's value grows, so too does its value to bad actors. Last month, Michael Dell raised the specter of increasing numbers of fake users on the platform. A recent Reuters article described how, "Chinese espionage agencies are using fake LinkedIn accounts to try to recruit Americans with access to government and commercial secrets."
However, here we'll explore a new type of attack we identified in which a bad actor fabricates their credentials, experience, positions etc. to impersonate an individual to reach out to a real person deemed to have high value. As part of the fraud initiative, these bad actors also establish credibility by making other connections that are relevant to their mark. These accounts are not operated by bots, are not necessarily state actors, nor are they used for a massive distribution of malware, instead, they distinguish themselves by executing 1:1 social engineering campaigns.Our analysts started researching bad actors on LinkedIn when our platform surfaced a number anomalies in certain accounts connected to our own executive team members.
In one case, a person purporting to be an associate professor at a top-tier research university recently reached out to one our executives to discuss possible research collaboration. The requestor seemed bona fide at first glance. In fact, LinkedIn provided a very impressive list of shared connections - including a high-powered cybersecurity insider. The “shared” connections seems to point to a deliberate attempt to hack LinkedIn’s features designed to build trust in the platform.
To validate the finding, we followed-up with a manual verification process. Close examination of the profile showed it was atypically thin for a professor, and additional background checks also revealed the person was not to be found in the university’s directory. The requestor’s name did match the name on a referenced patent but this could have been socially engineered. We also reached out to this individual directly in an attempt to understand his true motivations, which while not entirely revealing, did tend to confirm our suspicions that his intentions were fraudulent. Our team even followed up with people on the list of shared connection and determined that no one really knew this individual. Needless to say, the communications with the actor ceased and all parties were alerted as to what was taking place.
Guide: Spear Phishing, what it is all about
and how it affects our everyday life
At an individual level, this approach may work, but at the enterprise level, with hundreds or thousands of employees, it’s not scalable and the potential risk of malicious activity escalates rapidly. LinkedIn has become a valuable channel for phishing attacks as most users access the platform at work, read: on networked computers. Employees receiving connection requests may underestimate the risks, especially when the ultimate target may be the organization itself.
If you’re a LinkedIn user or you want to encourage your teams to use the social platform more effectively for business, such sophisticated campaigns should give you pause. Think about all the unfamiliar connection requests you’ve received over your social life. And when you aggregate LinkedIn accounts across your entire workforce, there becomes considerable opportunity for bad actors to systematically infiltrate the entire corporate ecosystem including 3rd party relationships.
Safeguard Cyber identifies suspicious LinkedIn accounts for our clients and tags them for further analysis. Risk scoring is applied to identify bad actors, trusted accounts, and those that remain under suspicion. With the introduction of SafeGuardMe, “Safeguarded” account owners can be notified of suspicious and bad actors in their connections and provided with personalized remediation options. As new types of malicious accounts threats emerge, Safeguard Cyber will update its threat signatures to continually identify potential bad actors across the entire span of an organization's employee connections base. Further, by leveraging our ever-expanding bad actor/bot database across the larger network of safeguarded accounts, bad actor elimination becomes more efficient and comprehensive.