Everybody uses LinkedIn. Everybody. I mean, at last count the site had 722 million subscribers. That’s what makes the site so incredibly useful for networking, job hunting, recruiting, and promoting your business.
It’s also what makes LinkedIn a huge security threat.
You see, LinkedIn does not require any authorization for you to associate your account with a company. All you have to do is say you work somewhere—and LinkedIn trusts that you are telling the truth about yourself.
Want to claim you are an Executive Director at Microsoft? Go for it. An astronaut in the employ of SpaceX? Done! There’s no training required. Just type whatever identity you desire on LinkedIn.
So what?
Does this have any security implications for you and your business? You bet it does.
One problem is that someone can say they’re with your company, even when they’re not. This can expose you to reputational risk and trust issues if malicious actors perpetrate fraud, troll other accounts, or otherwise use the false pretense of being one of your employees to do harm to others.
But more significant risk exposure to your company arises when a LinkedIn fraudster pretends to be an employee at another company—and uses that false LinkedIn identity to perpetrate social engineering exploits against your people.
With a false LinkedIn identity, adversaries can readily create malicious trust relationships with targeted victims at your company, a tactic somewhat similar to spearphishing. With a fake LinkedIn account, a fraudster can get your employees to reveal their private email addresses, share their CVs, and unwittingly expose other sensitive information. This information can then be used as ammunition for a subsequent attack.
A phone number, for example, can enable an attack technique called “vishing”—which is when the attacker makes a phone call or leaves a voice message purporting to be someone else. For example, an attacker can pretend to be Mike from the Service Desk and trick someone at your company into clicking a malicious link or resetting their password to a temporary one provided by the attacker.
Meet “Megan”
I use this technique all the time when performing social engineering engagements within the Secureworks® Adversary Group (SwAG). One of my fake identities is Megan, a talent acquisition specialist at a reputable firm. Megan regularly posts appropriate content on LinkedIn, so her account looks legit. I’ve also managed to get Megan 2,000 LinkedIn connections, so she absolutely looks like someone you’d want to know.
Megan loves to connect with new people and spark conversations about her open jobs for Fortune 500 companies. All of the jobs she discusses are remote—so she can dangle them in front of anyone anywhere—and they all offer above-market salaries. And your profile is a perfect match for one of her jobs! Are you interested? You bet you are!
There’s not enough room here to share with you all the compromising information I’ve gotten by pretending to be Megan. But let’s just say that if I really were a malicious fraudster, I’d be very rich. I’d also probably be on the run from law enforcement—but it would be really, really tough to ever track me down.
What should you do?
Here are a few ways you can protect yourself from LinkedIn-related fraud:
- Regularly search your company’s name to see if anyone is pretending to be an employee of your company. If you catch a fraudster, contact LinkedIn and law enforcement.
- Avoid revealing sensitive information to anyone directly over LinkedIn. Move the conversation over to another channel. And try to get independent verification that the person you’re communicating with really is who they claim to be.
- Spread the information in this blog to others in your organization and beyond. Anyone you know can be a vector to someone else. After all, the more people who practice safe LinkedInning, the better.
Finally, I encourage you to get engaged with SwAG. This blog covers just one of the countless ways we test the security posture of our customers to ensure their employees are aware of social engineering techniques used by the bad guys. Adversary simulation should be a core component of every organization’s cybersecurity strategy. After all, how can you know how good your defenses are if you never let a skilled attacker have a run at them?
Originally published on the Secureworks blog, by Ben Jacob, March 3, 2022