Leveraging the human factor via social media to launch cyberattacks is a tried-and-true method, and one that will be with us for many more years to come.
The recent LinkedIn attacks, where malicious actors used fake profiles linked to hostile states to target employees in key industries and government departments in the United Kingdom, demonstrate how those tactics continue to evolve.
With more of these attacks likely in the future – particularly on social media sites oriented towards working professionals – organizations need to ensure they provide timely education to their employees and, at the same time, prepare for when the attacks are successful.
“LinkedIn pitches itself as the modern way to build your professional network,” said Oliver Tavakoli, CTO at Vectra. “The value of that network comes down to the quality of connections, rather than their quantity.”
The use of LinkedIn blurs the boundary between professional networking and personal career development, he pointed out.
For individuals such as sales and marketing professionals or recruiters who use LinkedIn for work, employers should remind them that trust is not transitive (second-level connections are effectively strangers) and that any information on LinkedIn, however professional it looks, can be entirely fabricated.
Tavakoli said that means when a stranger approaches you via LinkedIn, you should consider it just as skeptically as an approach by a stranger on your phone or by email.
“The mere fact that they have a connection to someone you know simply means they might have duped that individual into accepting a connection,” he said. “So, short of an introduction by that common contact, consider such second-level connections with as much suspicion as an unsolicited email arriving in your inbox.”
Avoid LinkedIn Scams
In order to avoid falling for LinkedIn scams, Tavakoli said it’s helpful to simply imagine the same message arriving via email in your work inbox.
“Apply the same training that you have received for identifying phishing scams,” he said. “Only accept connections from people you have met or ones who have been formally introduced to you.”
John Morgan, CEO at Confluera, a provider of cloud cybersecurity detection and response, said that for employees who use LinkedIn in their day-to-day work, understanding how such an attack plays out can help them identify possible scams early, before a breach occurs.
He said multi-factor authentication has become common security practice for identity verification, and employees should exercise similar precautions, albeit manually, when interacting with other LinkedIn users.
“Don’t take their word for it that they are who they say they are,” Morgan said. “Instead, ask for verification via email or other communication methods that can independently verify their identity.”
He pointed out that before the pandemic, it was common to meet colleagues, partners and prospects in person first and send a LinkedIn request afterwards.
However, with the entire workforce working from home, such etiquette has all but disappeared.
“It has become the norm to leverage platforms such as LinkedIn as the first, and sometimes the primary, way to meet others,” Morgan said. “We are all putting a lot of trust in such platforms, which makes the recent threats that much more impactful.”
Hank Schless, senior manager of security solutions at Lookout, said employees also need to be made aware that they may be targeted through personal channels.
“They have plenty of information on LinkedIn profiles that makes it easy to personalize messages as part of a social engineering campaign,” he said. “Overall, it’s much easier for an attacker to quickly build credibility with a target than it used to be.”
Schless said it’s natural to be less cautious on social media platforms and third-party messaging apps, where people freely contact each other all the time. Attackers know this, and use it to their advantage.
Rise of Malicious Profiles
Tavakoli warned it’s likely that the threat of these malicious profiles will continue to develop and become more customized and complete.
The next step will be broader use of automation (including AI) to craft profiles tailored to a particular target, so that they look believable from that target’s perspective rather than merely holding up to general scrutiny.
Schless agreed, underscoring the fact that these types of profiles will continue to get more complex every day.
“Not only are the malicious actors behind them figuring out better tactics to convince victims that they’re legitimate, but they’re being used to deliver malicious payloads to targets,” he said.
In this particular case, a likely tactic would be for the actor to send a document they claim to be a description of a speaking or employment opportunity, and such attachments are easily laced with malicious payloads.
Tavakoli argues LinkedIn should itself undertake efforts to find and delete fake profiles, noting that Twitter and Facebook already have significant efforts under way on this front.
“LinkedIn should make it far easier for organizations to flag incorrect claims in fake profiles of having worked at a particular organization and to quickly correct such inaccuracies,” he said. “On the end user front, there is no real substitute for education – teaching skepticism and not falling for the transitive effect of trust.”