I’ve never been a fan of social media. There’s something very unnerving to me about putting personal or private information about yourself online for anyone to see. Don’t try to tell me that you can adjust who sees your content with security settings; I don’t believe for a minute that privacy settings actually keep your information private among a small group of approved friends or colleagues.
Now comes the news that LinkedIn is suing a group of unknown persons (“John Does, 1 through 10”) who allegedly have used automated software to create thousands of fake LinkedIn profiles. These defendants are using the fraudulent member accounts to extract and copy legitimate members’ profile information. In other words, bots have infiltrated LinkedIn and they are screen-scraping the information posted by you and me.
According to an article on ZDNet, the concern is that the John Does' harvesting of member data may be undermining a for-fee LinkedIn service that recruiters and companies rely on heavily to find candidates. The article states:
LinkedIn is suing under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA) and the California Penal Code as it believes that these bots are undermining its integrity as a platform.
LinkedIn has invested "significantly" in its Recruiter product, and it believes that it has needed to expend significant time and resources to "investigate and respond to this misconduct".
The LinkedIn Recruiter product is a paid-for service that enables head hunters and corporate recruiters to discover candidates. This service is paid for by over 16,000 companies.
It makes sense that LinkedIn is doing what it needs to do in order to protect its own business and revenue. But what about the 259 million LinkedIn users whose profile information can be gathered and potentially used for social engineering attacks? I don’t hear anyone talking about that possibility, but that’s the first thing that comes to my mind. Social engineering is the hack that requires knowledge of people, not code. It’s entirely possible that these bots are gathering sufficient information to launch phishing attacks against LinkedIn users.
Phishing emails account for 47% of social engineering attacks targeting businesses. According to the 2013 Verizon Data Breach Investigations Report, 29% of the breaches it analyzed could be traced back to social tactics, including phishing emails and phone calls in which the attacker used personal information to gain someone’s confidence. In the case of a phishing email, the target opens an attachment or clicks a link, and malware is dropped on their machine.
Dimensional Research and Check Point Software put out a report in September 2011 about social engineering attacks. The report lists the three motivations believed to be behind most of these attacks:
- For financial gain
- To gain access to proprietary information
- To gain a competitive advantage
Of course, those motivations all appear to be closely linked. If someone can gain access to proprietary information, presumably they can sell it for financial gain or use it to create a competitive advantage.
A survey tied to this report shows that 32% of all respondents (N=322) believe their organizations suffered 25 or more social engineering attacks in the previous 2 years. Filtering out the smaller organizations and looking only at companies with 5,000 or more employees, that figure rises to 48%. In fact, one-third of all large organizations believe they’ve experienced social engineering attacks at least 50 times in the 2 years prior to the report.
Given the high success rate of attackers gaining entry to an organization through social engineering, and the revelation that unknown persons are using bots to grab all the information they can from LinkedIn, I predict that we’ll be seeing a new wave of attacks that have their roots in exploiting personal information about people in a targeted organization. According to the Dimensional Research report, the people at highest risk of exploitation are new employees and contractors who are not familiar with corporate security policies, and executive assistants who have access to executive calendars and email and to confidential information.
What can your organization do to reduce the likelihood of exploits via social engineering? Here are a few recommendations.
- In your corporate security policy, limit the use of social media sites at work to legitimate business use only. For example, you probably have plenty of employees who bring up Facebook once or twice during the day just to check in with friends. Aside from being a time-waster, this can present a security risk as well. Legitimate business use would include the marketing people who run Facebook-based campaigns for your company.
- Urge employees to limit the amount of information they post about themselves and your company on sites like LinkedIn. For example, they shouldn’t go into detail about specific projects or positions, because this reveals exactly the kind of detail an attacker needs to make a pretext convincing. Teach them to be cautious about whom they accept into their network. I know this is the antithesis of “social” networking, but it’s the equivalent of the childhood admonition, “Don’t talk to strangers.”
- Educate employees and contractors about phishing and other attacks that use social engineering. Companies like Wombat Security Technologies, Phishme and Phishline offer training programs that can teach your workers how to spot and avoid a phishing email. Be sure to test the effectiveness of your training so you know whether it’s working, for example by tracking click rates and report rates on simulated phishing emails over time.
- Use software or a service that scans email links and attachments before recipients are able to open them, so that the malware-packing links and files are stopped before a worker ever sees them. No scanner catches everything, so keep the path for reporting a suspicious message simple and well known.
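The last recommendation is the one that can be shown in code. What follows is an added example, not code from the original post or from any of the vendors named above: a small pre-delivery screen that parses a raw message with Python's standard `email` library and flags three classic phishing indicators, a Reply-To domain that differs from the From domain, link text that names one host while the href goes to another (or to a bare IP address), and attachments with executable or double extensions. The sample messages, the addresses and domains in them, and the `RISKY_EXTENSIONS` list are all constructed for illustration; a real deployment would tune that list and add sandboxing of the attachment itself.

```python
"""Pre-screen an email's links and attachments for phishing indicators.

Added example (not the post's or any vendor's code). Sample messages,
domains and the extension list are constructed/hypothetical.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Hypothetical starting block list: types that rarely have a legitimate reason to arrive by mail.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".jar", ".lnk", ".docm", ".xlsm"}
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.IGNORECASE)
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Lower-cased hostname of a URL, or of a bare domain as typed in anchor text."""
    text = url_or_domain.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host else None


def domain_of_address(header_value):
    """Domain part of the address in a From/Reply-To header, or None if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower() or None


def scan_message(raw):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. A Reply-To on a different domain than From routes replies to the attacker's mailbox.
    from_dom, reply_dom = domain_of_address(msg.get("From")), domain_of_address(msg.get("Reply-To"))
    if from_dom and reply_dom and from_dom != reply_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    # 2. Links whose visible text names one host while the href goes elsewhere, or to a raw IP.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            if target is None:
                continue
            if IP_LITERAL.match(target):
                findings.append(f"link to raw IP address {target}")
            if DOMAIN_LIKE.match(text):
                shown = host_of(text)
                if shown and shown != target:
                    findings.append(f"link text shows {shown} but points to {target}")
    # 3. Attachments with executable types or double extensions such as report.pdf.exe.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has risky extension {suffixes[-1]}")
        if len(suffixes) >= 2:
            findings.append(f"attachment {name} uses a double extension")
    return findings


def build_sample_phish():
    """Constructed sample: a LinkedIn-themed lure carrying all three indicators."""
    msg = EmailMessage()
    msg["From"] = "LinkedIn Recruiter <notifications@linkedin.com>"
    msg["Reply-To"] = "careers@linkedin-mail.example.net"  # constructed attacker domain
    msg["To"] = "target@corp.example"
    msg["Subject"] = "A recruiter viewed your profile"
    msg.set_content("A recruiter viewed your profile. Sign in to see who.")
    msg.add_alternative('<p>A recruiter viewed your profile. '
                        '<a href="http://203.0.113.5/login">https://www.linkedin.com/login</a></p>',
                        subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="JobDescription.pdf.exe")
    return msg.as_bytes()


def build_sample_benign():
    """Constructed sample: a notification whose link text and target agree, no attachment."""
    msg = EmailMessage()
    msg["From"] = "LinkedIn <notifications@linkedin.com>"
    msg["To"] = "target@corp.example"
    msg["Subject"] = "Weekly digest"
    msg.set_content('<p><a href="https://www.linkedin.com/feed">www.linkedin.com</a></p>', subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_phish()):
        print("FLAG:", finding)
```

Run as-is it prints five findings for the constructed lure and none for the benign digest. The anchor-text check only fires when the visible text itself looks like a domain or URL, which is what an attacker relies on when they display a trusted address over a hostile href; plain "click here" links are left to the reputation and sandboxing layers a real gateway adds on top of this.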
It’s human nature to want to trust people, but it’s also a dangerous digital world out there. Everyone has to learn to be a bit skeptical of the phone calls, emails and files that come to them—especially if they are unsolicited or unexpected.