Bad business: LinkedIn criminals get connected

By | January 11, 2012

Posted in: Network Security Trends

We have been down this road before. A popular interactive service passes over a peak on its way to universality and the spammers pile on. Sometimes the service fails — remember network news? Sometimes it recovers — think email. Sometimes there is a constant battle to keep spam down, as with SMS spam in Japan. LinkedIn is a target for malicious players. The demographics are perfect: older professionals who like to connect. You can tell that LinkedIn has recognized the issue because they are taking steps to curtail it; perhaps not enough steps, but they are keeping it in check.

I ran a short survey on LinkedIn, where I posed the question:

“How many LinkedIn requests from scammers do you get a day?”

One third of the respondents reported multiple such requests, two thirds: none. So perhaps this indicates just how well LinkedIn is doing. Or perhaps the attacks are highly targeted. Maybe I am a desirable target? I know I get these requests every day.

Here are some recent LinkedIn profiles that I found suspicious:

A posting from a hacker dubbed skraps provides details of how he uses LinkedIn to perform reconnaissance on employees of HostGator. He created a fake profile for Brian Johnston, claiming to work at HostGator, and proceeded to connect to real employees. As they accept his invitation, he learns their email address format and uses that to connect to more HostGator employees on LinkedIn. Then he starts sending email with spoofed “from” addresses as if they originated within the company. After that, he is pretty likely to be able to infect someone with malware and begin his hacking.

His LinkedIn ID is 160,515,676 — very recently created.

Here are the red flags that can tip you off to these scammers:

  1. You don’t know the person. This is the first tip. There is always the possibility that someone you do know has had their account compromised, but for now, I usually assume that would have been reported; not a completely safe assumption considering the number of times accounts are compromised on Twitter and Facebook.

  2. They have no other connections. Come on, someone in India or Sri Lanka just got on LinkedIn and they picked you as their FIRST connection?? Not likely. Hit Ignore and then "report as spam."

  3. Sparse profile. If someone is requesting a connection you would expect them to provide enough info in their profile for you to decide if you wanted to connect. If they have no picture, only one or two jobs, and little else, ignore.

  4. They belong to more Groups than they have connections. Most group managers accept anybody. This is bad, because LinkedIn uses group membership as a gateway to making connections. If you don't have someone's email, just join one of their groups. Then you can choose that group when attempting to connect. Spammers have this figured out. (To group managers: LinkedIn even gives you an alert if a requester has one or zero connections. Don't let them in! You don't need the increased group stats that much).

  5. Look at their LinkedIn ID. Every spammer I have identified has a newly created account. Today, that means their LinkedIn ID is above 140,000,000. You can see it in the URL of their profile. Mine, for instance, is (Yes, LinkedIn uses sequential user IDs, a no-no.)

  6. Beware the pretty face! Just as in Twitter, spammers have figured out the male weakness. Look beyond the face and question the profile. Today, it is unusual to encounter someone with fewer than 120 connections. Be suspicious.

  7. Be on the lookout for targeted attacks that begin with LinkedIn requests.
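The checklist above expressed as a triage function, as an added example that is not part of the original post. The `Invitation` record, its field names and the accept/review/report cut-offs are assumptions for illustration (no LinkedIn API is used), and the numeric thresholds are the article's January 2012 values.

```python
from dataclasses import dataclass
from typing import List, Optional

NEW_ACCOUNT_ID = 140_000_000    # article: IDs above this were newly created (Jan 2012)
TYPICAL_MIN_CONNECTIONS = 120   # article: fewer connections than this is unusual

@dataclass
class Invitation:                       # hypothetical record, filled in by hand
    known_contact: bool
    profile_id: Optional[int] = None    # numeric ID visible in the profile URL
    connections: Optional[int] = None
    groups: Optional[int] = None
    has_photo: Optional[bool] = None
    jobs_listed: Optional[int] = None

def red_flags(inv: Invitation) -> List[str]:
    """Return the article's red flags tripped by this invitation.
    Fields left as None are unknown and never raise a flag."""
    flags = []
    if not inv.known_contact:
        flags.append("unknown sender")
    if inv.connections is not None:
        if inv.connections <= 1:        # zero or one, as in the group-manager alert
            flags.append("no other connections")
        elif inv.connections < TYPICAL_MIN_CONNECTIONS:
            flags.append("fewer than 120 connections")
        if inv.groups is not None and inv.groups > inv.connections:
            flags.append("more groups than connections")
    if inv.has_photo is False and inv.jobs_listed is not None and inv.jobs_listed <= 2:
        flags.append("sparse profile")
    if inv.profile_id is not None and inv.profile_id > NEW_ACCOUNT_ID:
        flags.append("newly created account")
    return flags

def triage(inv: Invitation) -> str:
    """Assumed cut-offs: no flags -> accept; an unknown sender with at
    least two further flags -> report; anything else -> look closer."""
    flags = red_flags(inv)
    if not flags:
        return "accept"
    if "unknown sender" in flags and len(flags) >= 3:
        return "ignore and report as spam"
    return "review manually"

# Constructed sample: only the profile ID comes from the article (the fake
# HostGator profile); every other field value is made up for the example.
SAMPLE = Invitation(False, profile_id=160_515_676, connections=0,
                    groups=5, has_photo=False, jobs_listed=1)
```

Missing fields are deliberately left unflagged so that an invitation with little visible data falls to manual review rather than being auto-reported.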

Use these tips to help filter out spammers who are starting to leverage LinkedIn. With our help, LinkedIn can make it unprofitable and maybe they will move on.
