Hackers Are Using LinkedIn to Tailor their Phishing Attacks Just for You
Beware of who you accept LinkedIn requests from.
Note: This article, which was originally published in 2017, has been updated to include related news & media resources.
Hackers have begun using LinkedIn, the popular social network for business professionals, to create better phishing attacks. Already, one breach – at Vevo – has been attributed to the practice.
According to a report by USA Today:
Cybersecurity firms say criminals have figured out how to subvert the network by posing as authentic, boring, cubicle-office dwellers.
They’re also posing as exotic looking female photographers and high-level executives that don’t actually have LinkedIn profiles.
It starts with a simple request to connect. LinkedIn is all about connections and networking, and given the generally constructive nature of the network, people tend to be a little more trusting.
That’s apparently a mistake.
And that’s honestly the saddest part about this. There is an unfortunate cycle of life on the internet. People forget that before Facebook was awash with fake news and catfish accounts, it was a social network for American college students. My high school girlfriend met and picked her roommate for her freshman year at Georgetown on Facebook. Nowadays that could get you killed.
My point is, here is yet another place on the internet where the good faith is gone. For your own safety it’s best to be skeptical of every new request and to be mindful of any information you disclose and to whom. It’s just sad.
The most common way hackers are exploiting LinkedIn is to enhance their phishing attacks. This is called spearphishing. It’s a practice where hackers socially engineer a believable touchpoint – usually an email – that will convince a person to take the desired action. A lot of the time the target isn’t the person being phished, but rather where that person works. That individual’s computer or credentials could serve as an access point to a larger network.
When you think about it, what better place to grab the details to create the perfect email to phish someone at work than their LinkedIn profile? You can find email addresses, work histories, connections. It’s a bounty of details.
And then there are a couple of other, more niche ways that LinkedIn has been exploited as well.
One is just a take on the Facebook play of creating a fake profile and playing the long game. This is relatively low stakes and can pay off big time even with a low ratio of success.
The other is to create profiles for people that don’t have them. Another Facebook play, but one made more effective by the fact that the hackers can typically use Wikipedia pages to convincingly pose as high-level executives in big companies.
The bottom line is that you need to start being more careful on LinkedIn.
If you get a request from someone you don’t know, check and see if you have any mutual connections. Be guarded. And be careful what you put in writing.
Above all, use common sense.
Updated on March 24, 2021