A number of fake LinkedIn accounts have been used to target security researchers, F-Secure’s Sean Sullivan wrote this week.
The accounts all claimed to be recruiters for security jobs and all worked at the same fictitious company; they sent connection requests to many security researchers. About two weeks after they were created, the accounts disappeared from the site.
I read this story with interest, as I myself had ‘fallen’ for one of these accounts. I put the inverted commas there deliberately, as I would fall for the scam again next time.
The bar for me accepting a LinkedIn connection request is very low: if I think I know you, or if it looks like you work in the same industry, I accept your request. I treat LinkedIn the same as I treat Twitter, Facebook or my blog: I assume everything I write there to be public, even if some of it may be only visible to a select group of people.
LinkedIn doesn’t provide me with a way to authenticate those that ask to be connected, so restricting connections to those I know would provide me with a rather worrying false sense of security.
In some cases, I may have a second channel to verify the authenticity of the request, but that is often cumbersome and doesn’t always work. And even if I could be sure my contacts were who they claimed to be, I still would be unlikely to use a third-party system like LinkedIn to share sensitive information.
Other people have pointed out that this was probably an experiment by security researchers, who may present the results of social-engineering security researchers at some conference.
They wouldn't be the first to do so: Sabina Datcu presented similar research at three successive Virus Bulletin conferences from 2011 to 2013, though she went a step further, engaged in conversations with the targets and managed to get hold of some information that seemed at least mildly sensitive. I have seen no evidence that this happened here.
No one is immune to social engineering attacks and it would be a big mistake to assume you are. For me personally, I hope that years of working in security has put the bar high enough to make such attacks not worth the effort.
I can never be sure though. After all, because I work in security, my threat model includes other security researchers who can afford to spend quite a bit of time just to get an exciting conference presentation.
9 comments on “‘Why I fell victim to a LinkedIn scam – and why I would do so again tomorrow’”
I did a bit of research on this a few days ago.
The text on the "Talent Src" website is largely taken from a legitimate company, Via Resource (www.viaresource.com), which also recruits IT Security professionals. So, either this is a front for Via Resource or they've had their copy ripped off. I've made enquiries with Via Resource several times on Twitter and have had no response; I will assume that continuing silence implies complicity.
If it *is* Via Resource, then I guess they may simply be trying to find potential candidates without tipping anyone off as to who they actually are.
One other oddity is that NONE of the photos for ANY of their "employees" on LinkedIn turn up on a reverse image search, indicating that perhaps the photos have been taken just for this exercise. Almost none of the "employees" are on Facebook, except for one single possible match for a female living in France who may be the same person (the photo and location listed are similar, no smoking gun).
So, the whole thing does look a bit phishy, but it is always possible that this is simply a slightly suspect methodology of a legitimate firm. It will be interesting to see if Via Resource ever make a response to my enquiries.
Somebody suggested flipping the images of some of these employees and then doing a reverse image search… and now there are definitely matches with different names. I'm surprised that it's so easy to fool these things. But given the utter fakeness of the profiles, it certainly does look seedy.
Will Via Resource give a response? I would be really interested to know…
"No one is immune to social engineering attacks and it would be a big mistake to assume you are."
This is a rather important point that too many will refuse to acknowledge, if they can even admit it to themselves. Kids are especially prone to this because they mostly feel they have impunity (for their actions) and are absolutely invincible (and many have been killed because of this belief). Reality is very different, of course – they don't have impunity and they aren't invincible; they can and will get hurt at some point(s) in their life, in some way or another.
"For me personally, I hope that years of working in security has put the bar high enough to make such attacks not worth the effort."
I think you know this but it would depend on what they're trying to accomplish, and what they're trying to get out of you (even if that is get someone else through you). A perfectly timed attempt with the correct message could fool anyone, even if they are expecting something (and expecting something might be that you're expecting a message/something from someone, and someone knows it but you don't know that they've already taken out those who might otherwise ruin their plan). The best for anyone to do is to constantly be on guard and always be observant and aware of the situations.
Of course, if someone is expecting problems so much that it makes them think everything is in fact harm, they're probably going too far. That is quite unlikely but in the right – which is to say the wrong – mindset, it could happen.
This likely happens in any industry and the number one way to bust them is to do a reverse image search on tineye and Google.
I once found an account image to be using a cropped pic from a porn site. Reversing the image lead to over 30 different webpages where the picture was posted unedited.
The next is to use your own domain email. When you use a free email such as Gmail or Yahoo, you can't see header content. In my own domain email I have complete header information.
The reason is simple: the connection requester's email used to create and access their account is embedded into the email.
A number of those emails belonging to fake accounts have names and words connecting them to a foreign country such as Russia and India.
All you can really do is report them and delete them.
*the email header.
Uhm, Yahoo! Mail can display the full headers of the message just fine – and I suspect that GMail can too.
The usual security non-story… Oh look, you uber security guys (in plural term) connected to fake profiles… They can harvest your connections…
Um… So what?
Any decent security person will have loads of unknown and/or fake connections.
We know who we know but how will you? Separately connect to me and one of my fakes and now you're outed as a harvester…
You most certainly can see the full headers – if you know how to. But full headers aren't always enough – and this is especially true if you're an average user (below).
"The reason is simple: the connection requester's email used to create and access their account is embedded into the email."
That's not always the case and there are also false positives (and false negatives) in headers, filtering and even interpretation by the recipient.
And as for the headers: Let's say that you're above average; in fact, let's say you're also somewhat familiar with the RFCs and the more recent standards (SPF, for instance). There are the following points (among others):
– You can spoof mail headers, including adding your own (that unless it is filtered by any of the mail servers, will go through)
– Some mail servers deliberately have things configured wrong (allowing different abuses, and I'm not referring only to open relays).
– Different mail clients add different headers
– Not everything you see is necessarily true (this isn't even considering abuses like subdomains – and yes it confuses many people – similar names even if by one character difference or characters that look very similar to each other)
– If you don't also know about other aspects of mail (DNS PTR/MX/A/AAAA RRs for instance), then you have less ability to really understand it all (and DNS is only one example).
Standards as far as headers are concerned, aren't really as standard as you'd like, for the above reasons. The fact is, the way email works allows for abuse, and that is all there is to it.
Then there is another issue with running your own mail server (which isn't the same as having your own domain mail!):
If you run your own mail server you can control a lot more, true, but then using your own mail server (rather than email addresses on one of your own domains) for some types of accounts borders on carelessness for getting yourself on spam lists. If nothing else it is risky because you can't control how they secure their network.
So no, running your own mail servers (referring to primary, backup, etc.) / having your own domain really doesn't help.
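As an added illustration of the header discussion above (example code, not from the post or its commenters): the only Received line you can vouch for is the one stamped by a server you operate; every line beneath it, X-Originating-IP included, arrived with the message. All hostnames and addresses below are constructed placeholders.

```python
import re
# Constructed sample (not from the page): the top Received line was stamped by the
# recipient's own MX; the lower one and X-Originating-IP arrived with the message.
SAMPLE = """Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.ourdomain.example (Postfix) with ESMTPS id ABC123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from trusted-looking.example (unknown [198.51.100.7])
    by mail.example.net with ESMTP id XYZ789
X-Originating-IP: [203.0.113.5]
From: "Recruiter" <recruiter@talent-placeholder.example>

Hi, I saw your profile and would like to add you to my network.
"""
OWN_HOSTS = {"mx.ourdomain.example"}  # assumed: hostnames of servers we operate
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")

def unfold_headers(raw):
    """(name, value) pairs with RFC 5322 folded continuation lines joined."""
    headers = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in " \t" and headers:
            headers[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            headers.append([name.strip(), value.strip()])
    return headers

def parse_hops(headers):
    """Received hops, newest (topmost) first, with the peer IP each relay recorded."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = HOP_RE.search(value)
        ipm = IP_RE.search(m.group(2) or "") if m else None
        hops.append({"ip": ipm.group(1) if ipm else None,
                     "by": m.group(3).lower() if m else None})
    return hops

def trust_boundary(hops, own_hosts):
    """Walking down from the top, trust ends at the first hop not stamped by us."""
    for i, hop in enumerate(hops):
        if hop["by"] not in own_hosts:
            return hops[:i], hops[i:]
    return hops, []

def origin_ip(raw, own_hosts):
    """The only origin we can vouch for: the peer our own server saw connecting."""
    trusted, _ = trust_boundary(parse_hops(unfold_headers(raw)), own_hosts)
    return trusted[-1]["ip"] if trusted else None
```

Run against the sample, only 192.0.2.10 is attributable to the sender's infrastructure; the 198.51.100.7 hop and the X-Originating-IP value are claims, not observations.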
Apologies for the delayed reply, I am a Director of Via Resource. We have specialised in Information Security Recruitment for over 7 years. Earlier this year we noticed a huge growth in young female recruiter profiles from a variety of agencies we had never heard of. We knew something was up and reported this directly to LinkedIn. LinkedIn had no interest in pursuing.
I was unaware that our content had been copied; I have tried to locate this Talent Src site but have not been able to track it down. If you could provide me with some more detail it would be appreciated, as I am keen to clear this up.
However just for the record.
Via Resource are a specialist Information Security Recruitment business.
We are one of the leading recruiters in information security.
We operate to the highest standards and would never be involved with any underhand data gathering techniques or scams.
Via Resource notified LinkedIn of fake recruiters and they have chosen not to take action.
All help appreciated to track down these people and remove our content. I'd be keen also to understand why they are doing this.