Every day we send and receive requests to connect to people we know on social networks. LinkedIn is the world's largest professional network with 300 million members in over 200 countries and territories around the globe. It is a great platform to develop and cultivate business connections, but can be rife with deceit and fraud. Fraudsters also use the platform as a social engineering tool, allowing them to connect with professionals and try to lure them into disclosing their real contact details – work email is always best – and then use this email address to send spam, or worse, deliver malware.
When discussing these potential pitfalls with a group of executives recently, I talked about people’s willingness to interact with strangers on sites, such as LinkedIn, potentially revealing sensitive information or otherwise exposing themselves or their employers to scams. An example I took them through was a paper by Thomas Ryan of Provide Security, who set up a profile of a fictitious person named Robin Sage on LinkedIn, Facebook and Twitter.
The profile described Robin Sage as “a flirtatious 25-year-old woman working as a ‘cyber threat analyst’ at the U.S. Navy’s Network Warfare Command.” In the paper [1] Thomas Ryan wrote about the experiment, he describes how he used the Robin Sage profile to establish connections with “executives at government entities such as the NSA, DoD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences.” Thomas concluded that, “the propagation of a false identity via social networking websites can be rampant and viral.”
Some of the executives were intrigued, but others believed that they couldn’t be fooled. So I decided to walk them through a live example of identifying a fraudster on LinkedIn.
I used a previous invitation request I had received and took a look at the profile of a woman claiming to be a “senior sales executive who can help me generate more sales leads.” The profile looked detailed and complete, with more than 500 connections, and even the profile picture looked legitimate. A Google search for her name and company yielded very little. Still suspicious, I used the website whoisology.com to do some vetting of the email address and the associated website listed on her profile page. None of these existed.
On further review of the profile, I suspected that the LinkedIn profile photo was not what it seemed, so I used Google Reverse Image Search [2] to see what similar photos existed, which produced a surprising find. The same photograph had been used for multiple LinkedIn accounts under different names. All the roles were similar in nature; some even purported to be recruiters. I also found links to a secure phone call app on both the Google and Apple app stores, and one of the app’s screenshots was the same photo as the LinkedIn profile. This was clearly a case of someone reusing someone else’s photo.
There is no one single method to spot a fake account, though sometimes being a little bit suspicious helps. Here are some tips:
- First, the invitation will probably contain only a canned pitch like the one quoted above, or some other generic text.
- Always check the profile before accepting an invitation, and do so via the LinkedIn message mechanism, not via the email received, as fake LinkedIn emails can cause more harm than checking.
- There may be simply illogical conditions. Why would someone with a degree from a top school or university, with a good job title and years of experience, have only a few connections, and now be asking you, a stranger, to connect?
- The profile might not have a photo, or the photo may be stolen from somebody else. Use the Google Image Search technique to see if it is a fake photo with a single click (sometimes).
- The profile may be incomplete, it may have misspellings (even in job titles), or the name might not be capitalized properly.
The nature of online social networking involves people establishing connections without having the opportunity to verify the other person’s authenticity. This requires taking a leap of faith, which can easily be exploited by scammers. Think about the type of information you have posted in your profile, and ask yourself, “Have I given away too much information about myself and my company?” All too often I have seen security professionals who, in person, profess never to tell anyone which controls they have deployed in their environment, yet in the virtual world have no problem stating which solutions they manage or have implemented in their current organization. Care should be taken to ensure that we are not making it even easier for cyber attackers to enter our places of employment.
[2] https://support.google.com/websearch/answer/1325808?hl=en