LinkedIn-based intelligence gathering campaign targets the security industry

Fake job recruiters have attempted to befriend security experts on LinkedIn over the past few weeks

For the past several weeks an intelligence-gathering campaign has been using fake LinkedIn recruiter profiles to map out the professional networks of IT security experts, researchers from F-Secure have discovered.

LinkedIn can be a great tool to establish new professional relationships and discover job opportunities. However, accepting connection requests from unknown people is a double-edged sword that can put both employees and the companies they work for at risk.

There are multiple cases where attackers have used fake LinkedIn profiles to gather sensitive information about organizations and their employees. Knowing who is the manager of a particular department in a company or who is a member of the organization's IT staff can be very useful in planning targeted attacks.

In 2012, a team of security experts created a LinkedIn profile for a fake new female hire at a U.S. government agency as part of a sanctioned test. By befriending multiple employees and establishing relationships, the team raised the credibility of their fake identity and eventually gained enough information to launch a successful attack against the organization's IT security manager, who did not even have a LinkedIn or other social media account.

People tend to expose a lot of information on LinkedIn about their work environments, colleagues, the company's infrastructure and even internal projects.

An organization called the Transparency Toolkit used LinkedIn to collect over 27,000 resumes from people working in the U.S. intelligence community. By analyzing them, it uncovered new surveillance programs, secret code words, companies that help with surveillance and, of course, personal information about signals intelligence analysts.

The suspicious LinkedIn recruiting campaign that targets security researchers was first mentioned on Twitter on Aug. 18 by Yonathan Klijnsma, a threat intelligence analyst at Dutch security firm Fox-IT.

Researchers from Finnish antivirus firm F-Secure decided to look into it after some of the company's own staff were targeted. They published their findings in a blog post Thursday.

The F-Secure researchers found multiple LinkedIn accounts of people claiming to work for a company called Talent Src, or Talent Sources. The accounts, most of which were for female identities, appeared to belong to recruiters for particular security industry specialties like malware analysis, embedded security, mobile security, cryptography, automotive security or digital forensics. Two accounts were specifically hunting security executives.

Reverse image searches revealed that the logo used by Talent Src had been copied from a different organization and had the company name added to it.

The profile pictures used by the fake recruiters were also copied from Instagram or legitimate LinkedIn profiles, but had been horizontally flipped to make reverse image searching harder, the F-Secure researchers said.

At least one of the fake recruiters, using the name Jennifer White, had received endorsements from new connections for skills that she clearly did not have based on her listed work history.

Such endorsements can establish an account's credibility and make it easier for attackers to score additional connections.

A person who endorsed Jennifer White and who works at a large U.S.-based defense contractor admitted that it was "a bad habit to give out such endorsements without really knowing the other person," the F-Secure researchers said.

The people behind the fake recruiting accounts only keep the fake identities they create for about a week and then remove the profile pictures and change the names associated with the accounts.

It's not clear what their end goal is. The campaign could be part of a research project about social media risks that someone plans to disclose at a later time or could be the work of hackers looking to gather information they could use to build targeted attacks against security companies.

According to reports based on documents leaked by former U.S. National Security Agency Edward Snowden, the U.K.'s GCHQ used fake LinkedIn profiles to target network engineers from Belgian telecommunications operator Belgacom in the past.

Regardless of whether this new intelligence gathering campaign is malicious or not, the incident should serve as a reminder to employees everywhere that accepting connection requests from unknown persons on social media can be dangerous and so is detailing your existing work duties in online resumes.

Join the CSO newsletter!

Error: Please check your email address.

More about F-SecureGCHQNational Security AgencyToolkitTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place