OTPs as Second Factor
How hackers use LinkedIn to launch attacks
Imagine you want to get your hands on some information about a person in a professional context. What would you do first? Create a profile on LinkedIn perhaps? But it is pretty unlikely that you would use your real name; you would opt to set up a fake profile instead. Hence, several questions may arise: What name would you choose? What would be your gender? And your career path?
Social change and progressive ideas notwithstanding, certain prejudices may persist for a reason. As a test, we created two identical profiles, using the same age, work experience, training and education and interests for both. The only differences were the picture, name and gender. To take advantage of LinkedIn’s full search functionality, you need at least 10 contacts. For this reason, we sent contact requests to various people in the person’s purported career network.
The male profile was able to add a total of 13 contacts in four hours and was already blocked to some extent, only contact requests with email verification were still allowed. Apparently too many recipients had flagged our test profile as unknown. The female profile led to a different outcome: within five minutes, it had already added more than 13 contacts and, by the end of the test, it had even passed the 300 mark. Unknown professional contacts sent direct messages thanking the virtual person for reaching out and offered their professional assistance if needed. Additionally our profile started to appear in search results.
What does your profile benefit from when having multiple contacts? As the total number of contacts increases, a profile is more likely to be seen as authentic and gains credibility. Hence, it will not be questioned as much anymore. Possibly you would be less skeptical of a request with 14 shared contacts, as you may have met the person in the hallway, during a workshop or it might have been a fleeting acquaintance. Having a large number of contacts in your network is a major advantage, as various second or third-degree connections will be displayed with more detailed information. As a result, attackers are able to gather information about you without being directly connected. Particularly for the purpose of company-related social engineering, each name and employee is highly valuable, as they give leads to who makes up a team and they help identifying potential victims. Furthermore, various OSINT tools enable attackers further to single out certain key individuals.
However, carrying out all those searches and creating an Excel sheet of all employees is a lot of effort and who would bother with that? Almost no-one, but it does not matter, because there are a lot of open-source tools to perform these tasks for you. The tool ScrapedIn, for example, takes just seconds to generate an automatic Excel report containing the desired LinkedIn details, such as name, position, location and other details on the search query.
The more information a profile discloses, the bigger the attack surface. Profiles contain plenty of information that an attacker may collect and exploit for their own ends. A person’s educational background can often be especially useful for obtaining private information about them. Employees in leadership roles are generally expected to meet high requirements, with a university degree being a must-have for many employers.
The year of graduation can help an attacker to track down the employee’s master’s thesis or dissertation. ETH Zurich offers its own search feature , precisely for this purpose. The work might include sensitive personal information, such as the author’s full name, date of birth and nationality. In the best-case scenario, the acknowledgements will be publicly available. In addition to professors and fellow students, the authors often express their gratitude to people close to them, offering the attacker more potential victims. In the acknowledgments, the person might thank their significant other, future spouse, best friend or parents.
With Google Dorking a whole range of potentially lucrative search combinations can be tested. The information collected may be used to launch more sophisticated attacks, such as spear phishing or vishing. The more specific and believable a situation appears to be, the more willingly a person to volunteers sensitive information. Not all phishing emails are replete with mistakes and other red flags – the really good ones are not as easy to recognize.
LinkedIn has various settings that help improve the security of your profile. With very little effort, you may drop off the list of potential victims of automated scans, as your last name will be hidden, or you won’t even show up in the results generated by Google, Bing and other search engines.
Here are some settings to help you prevent social engineering attacks:
But one of the most important rules of all to follow is: never add anyone to your network unless you actually know them.
LinkedIn offers a variety of career benefits. Simply having an account is not a risk as long as the profile does not contain any business secrets or obvious infringements of others’ privacy.
An attacker may well be able to collect a lot of information about you, but you still have to actually click on the link in a phishing email. However, attackers with many pieces of information may be more convincing and disguise their attack better. This is why we recommend only making information public when necessary and using the most restrictive settings possible. Most importantly, remind yourself to take your time making decisions and to maintain a healthy level of skepticism and caution, this often promises more happy endings than your account security settings.
Let our Red Team conduct a professional social engineering test!
Our experts will get in contact with you!
Further articles available here