No doubt you've received a LinkedIn invition from someone you don't know -- or you're not sure you know. Next time, you might want to think a little harder before accepting.
Researchers from Dell SecureWorks Counter Threat Unit have identified a network of at least 25 well-developed LinkedIn profiles as part of a targeted social engineering campaign against individuals in the Middle East, North Africa, and South Asia. The fake profiles were linked to 204 legitimate profiles belonging to individuals working in defense, telecommunications, government, and utility sectors. A quarter of the victims worked in the telecommunications sector in the Middle East and North Africa. Fortunately, the fake profiles have already been removed from LinkedIn.
The fake network was created to help attackers target victims via social engineering. The group likely relied on the fact that people tend to trust people within their personal network and would be more likely to fall for a spear phishing email if it appeared to come from a fellow member. The victims would also be more likely to visit a website if a member of their network suggested it.
The network had eight leader profiles, with full (fake, of course) educational histories and detailed information about current and previous jobs. The remaining profiles form a supporting network for the six leaders to make the network seem legitimate. The profiles claimed to belong to employees at companies at major organizations, including defense contractor Northrop Grumman, technology firm TeleDyne, Malaysia's RHB Bank, and South Korean holding firm Doosan. Five of the leader personas claimed to be recruiters for Teledyne, Doosan, and Airbus, and the other three claimed to work for Doosan and Petrochemical Industries.
Dell SecureWorks was able to identify the profiles as being fake based on specific factors. For one, the supporter profiles weren't very well developed, as they all had just five connections and a simple description for one job. Some of the profile photos were found "elsewhere on the Internet associated with different, seemingly legitimate, identities," Dell SecureWorks said. One of the leader profiles appeared on several adult sites, for example. Several of the leader profiles also had text from genuine job advertisements copied into the job description fields.
Attackers have long used social networking as part of their reconnaissance activities. They cull personal information posted on these sites to craft targeted attacks that have a higher chance of succeeding. The fake LinkedIn profiles "significantly increase" the likelihood of these social engineering attacks paying off, researchers said.
SecureWorks listed the fake names and descriptions associated with the profiles in their report. If requests arrive from individuals with the same name, try to verify outside of LinkedIn the person is legitimate before accepting requests.
The fake profiles claimed to be recruiters, so as far as the victims were concerned, it made sense that these "people" were reaching out unsolicited. Even so, Dell SecureWorks recommended first trying to verify the person is legitimate by contacting the employer directly.
Attackers could establish a direct relationship with the victim by sending a connection request from the fake network. They could also try linking one of the target's connections. "It may be easier to establish a direct relationship if one of the fake personas is already in the target's LinkedIn network," the researchers said.
Users should "adopt a position of sensible caution" when engaging with unknown individuals who claim to have mutual connections. Just because that person is in a colleague's or friend's network doesn't mean the person is trusted. Verify outside of LinkedIn who the person is before divulging information.
Several of these profiles have as many as 500 connections, indicating the group had developed deep networks with victims and had access to a lot of shared information. Once the victim accepts the LinkedIn request, they are more likely to share personal information when asked, because the person is no longer a stranger, but a connection.
"The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas," the researchers said.
The attackers in this campaign focused on the mobile telecoms sector in the Middle East/North Africa region, with the majority of the victims based in Saudi Arabia, Qatar, and the United Arab Emirates. It's possible the attackers were interested in just stealing data, such as subscriber and billing information for cyber-espionage purposes, or perhaps they were trying to access the telephony networks to intercept communications.
The geographic location of the victims and the industries they work in "fall in line with the expected targeting behavior of a threat group operating out of Iran," researchers said. The fact that some of the fake profiles referenced aerospace companies may be a sign the attackers are shifting their focus to that industry next.
LinkedIn makes it easier to accept invitations to connect with others than to "archive" connection requests. Next time, before you click the Accept button, make sure you know the person behind the profile.