Fake LinkedIn profiles lure unsuspecting users

Hackers create fictional people on LinkedIn to engage in industrial espionage and social engineering attacks

No doubt you've received a LinkedIn invitation from someone you don't know -- or you're not sure you know. Next time, you might want to think a little harder before accepting.

Researchers from Dell SecureWorks Counter Threat Unit have identified a network of at least 25 well-developed LinkedIn profiles as part of a targeted social engineering campaign against individuals in the Middle East, North Africa, and South Asia. The fake profiles were linked to 204 legitimate profiles belonging to individuals working in defense, telecommunications, government, and utility sectors. A quarter of the victims worked in the telecommunications sector in the Middle East and North Africa. Fortunately, the fake profiles have already been removed from LinkedIn.

The fake network was created to help attackers target victims via social engineering. The group likely relied on the fact that people tend to trust people within their personal network and would be more likely to fall for a spear phishing email if it appeared to come from a fellow member. The victims would also be more likely to visit a website if a member of their network suggested it.

The network had eight leader profiles, with full (fake, of course) educational histories and detailed information about current and previous jobs. The remaining profiles form a supporting network for the six leaders to make the network seem legitimate. The profiles claimed to belong to employees at major organizations, including defense contractor Northrop Grumman, technology firm Teledyne, Malaysia's RHB Bank, and South Korean holding firm Doosan. Five of the leader personas claimed to be recruiters for Teledyne, Doosan, and Airbus, and the other three claimed to work for Doosan and Petrochemical Industries.

Dell SecureWorks was able to identify the profiles as being fake based on specific factors. For one, the supporter profiles weren't very well developed, as they all had just five connections and a simple description for one job. Some of the profile photos were found "elsewhere on the Internet associated with different, seemingly legitimate, identities," Dell SecureWorks said. One of the leader profiles appeared on several adult sites, for example. Several of the leader profiles also had text from genuine job advertisements copied into the job description fields.
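The indicators described above can be turned into a triage check for inbound connection requests. The following is an added example, not code from the article or from SecureWorks' report; the field names, thresholds, photo index and job-advert list are all constructed assumptions.

```python
"""Heuristic triage of inbound connection requests (added example).

Encodes the indicators from the article: supporter profiles with very few
connections and one short job entry, profile photos already seen under a
different identity, and job descriptions copied from genuine job adverts.
All field names, thresholds and sample data are constructed.
"""
import re
from dataclasses import dataclass

THIN_CONNECTIONS = 5          # the supporter profiles all had just five
SHORT_DESCRIPTION_WORDS = 12  # assumed cutoff for "a simple description"

def _normalize(text: str) -> str:
    return re.sub(r"\s+", " ", text.lower()).strip()

@dataclass
class Profile:
    name: str
    connections: int
    jobs: list        # (title, description) tuples
    photo_hash: str   # hash of the profile photo (constructed value)

def triage(profile, photo_index, job_adverts):
    """Return (score, reasons); photo_index maps photo_hash -> set of names
    seen using that photo, job_adverts holds normalized genuine advert text."""
    reasons = []
    if profile.connections <= THIN_CONNECTIONS:
        reasons.append("very few connections")
    if len(profile.jobs) == 1 and len(profile.jobs[0][1].split()) <= SHORT_DESCRIPTION_WORDS:
        reasons.append("single thin job entry")
    others = photo_index.get(profile.photo_hash, set()) - {profile.name}
    if others:
        reasons.append("photo reused under other identity: " + ", ".join(sorted(others)))
    if any(_normalize(d) and _normalize(d) in a for _, d in profile.jobs for a in job_adverts):
        reasons.append("job description copied from a job advert")
    return len(reasons), reasons

# Constructed sample data: one "leader", one "supporter", one genuine contact.
ADVERT = "We are seeking an experienced network engineer to join our team in Doha. Responsibilities include on-call duty."
PHOTO_INDEX = {"h1": {"Recruiter A", "Unrelated Person"}, "h2": {"Supporter B"}, "h3": {"Real Colleague"}}
SAMPLE = [
    Profile("Recruiter A", 500, [("Recruiter", "We are seeking an experienced network engineer to join our team in Doha.")], "h1"),
    Profile("Supporter B", 5, [("Analyst", "Analyst at company.")], "h2"),
    Profile("Real Colleague", 340, [("Engineer", "Runs the core network team."), ("Senior Engineer", "Leads packet core upgrades.")], "h3"),
]

def triage_all(profiles=SAMPLE):
    return {p.name: triage(p, PHOTO_INDEX, [_normalize(ADVERT)])[0] for p in profiles}
```

A non-zero score is a prompt to verify the person outside LinkedIn, as the article advises, not proof that the profile is fake.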

Attackers have long used social networking as part of their reconnaissance activities. They cull personal information posted on these sites to craft targeted attacks that have a higher chance of succeeding. The fake LinkedIn profiles "significantly increase" the likelihood of these social engineering attacks paying off, researchers said.

SecureWorks listed the fake names and descriptions associated with the profiles in their report. If requests arrive from individuals with the same names, try to verify outside of LinkedIn that the person is legitimate before accepting.

The fake profiles claimed to be recruiters, so as far as the victims were concerned, it made sense that these "people" were reaching out unsolicited. Even so, Dell SecureWorks recommended first trying to verify the person is legitimate by contacting the employer directly.

Attackers could establish a direct relationship with the victim by sending a connection request from the fake network. They could also try linking to one of the target's connections first. "It may be easier to establish a direct relationship if one of the fake personas is already in the target's LinkedIn network," the researchers said.

Users should "adopt a position of sensible caution" when engaging with unknown individuals who claim to have mutual connections. Just because that person is in a colleague's or friend's network doesn't mean the person is trusted. Verify outside of LinkedIn who the person is before divulging information.

Several of these profiles have as many as 500 connections, indicating the group had developed deep networks with victims and had access to a lot of shared information. Once the victim accepts the LinkedIn request, they are more likely to share personal information when asked, because the person is no longer a stranger, but a connection.

"The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas," the researchers said.

The attackers in this campaign focused on the mobile telecoms sector in the Middle East/North Africa region, with the majority of the victims based in Saudi Arabia, Qatar, and the United Arab Emirates. It's possible the attackers were interested in just stealing data, such as subscriber and billing information for cyber-espionage purposes, or perhaps they were trying to access the telephony networks to intercept communications.

The geographic location of the victims and the industries they work in "fall in line with the expected targeting behavior of a threat group operating out of Iran," researchers said. The fact that some of the fake profiles referenced aerospace companies may be a sign the attackers are shifting their focus to that industry next.

LinkedIn makes it easier to accept invitations to connect with others than to "archive" connection requests. Next time, before you click the Accept button, make sure you know the person behind the profile.


Stories by Fahmida Y. Rashid
