A number of fake LinkedIn accounts have been used to target security researchers, F-Secure’s Sean Sullivan wrote this week.
The accounts all claim to be recruiters for security jobs and all worked at the same fictitious company; they sent requests to connect to many security researchers. About two weeks after they were created, the accounts disappeared from the site.
I read this story with interest, as I myself had ‘fallen’ for one of these accounts. I put the inverted commas there deliberately, as I would fall for the scam again next time.
The bar for me accepting a LinkedIn connection request is very low: if I think I know you, or if it looks like you work in the same industry, I accept your request. I treat LinkedIn the same as I treat Twitter, Facebook or my blog: I assume everything I write there to be public, even if some of it may be only visible to a select group of people.
LinkedIn doesn’t provide me with a way to authenticate those that ask to be connected, so restricting connections to those I know would provide me with a rather worrying false sense of security.
In some cases, I may have a second channel to verify the authenticity of the request, but that is often cumbersome and doesn’t always work. And even if I could be sure my contacts were who they claimed to be, I still would be unlikely to use a third-party system like LinkedIn to share sensitive information.
They wouldn’t be the first ones to do so: Sabina Datcu presented a similar kind of research at three successive Virus Bulletin conferences from 2011 to 2013, though she did go a step further and engaged in conversations with the targets and managed to get hold of some information that seemed at least mildly sensitive. I have seen no evidence that this happened here.
No one is immune to social engineering attacks and it would be a big mistake to assume you are. For me personally, I hope that years of working in security have put the bar high enough to make such attacks not worth the effort.
I can never be sure though. After all, because I work in security, my threat model includes other security researchers who can afford to spend quite a bit of time, just to get an exciting conference presentation.