Social Engineering – Spotlight on LinkedIn

by Valérie Kastner
on February 21, 2019
time to read: 8 minutes

Keypoints

How hackers use LinkedIn to launch attacks

  • There are a lot of fake profiles on LinkedIn, and anyone can become a potential target
  • Automated tools such as ScrapedIn find out who works for a company in a matter of seconds
  • Techniques like Google Dorking take the smallest bits of information that lead to something much bigger
  • The right security settings give your LinkedIn account better protection against social engineering attacks

The goal of social engineering is to exploit human weaknesses. According to the Swiss Confederation’s Reporting and Analysis Center for Information Assurance (MELANI), social engineering is one of the most successful hacking methods being used today. All of us have had our own experiences with it in one way or another, whether it is a phone call from a person pretending to be a Microsoft support representative and asking us to give them our password, a PayPal phishing email (littered with spelling and grammar mistakes) or someone who simply asks us to hold the door open for them because they have supposedly forgotten their badge. Social engineering is all around us. With so much talk about big data, we are becoming increasingly aware of how much personal data and information can be collected about us. This does not necessarily have to be done passively using a person’s customer loyalty card; people often volunteer this information themselves. A LinkedIn profile is a good example. This article offers some insights into social engineering attacks and suggests some possible prevention methods.

Battle of the sexes

Imagine you want to get your hands on some information about a person in a professional context. What would you do first? Create a profile on LinkedIn perhaps? But it is pretty unlikely that you would use your real name; you would opt to set up a fake profile instead. Hence, several questions may arise: What name would you choose? What would be your gender? And your career path?

Social change and progressive ideas notwithstanding, certain prejudices may persist for a reason. As a test, we created two identical profiles, using the same age, work experience, training and education and interests for both. The only differences were the picture, name and gender. To take advantage of LinkedIn’s full search functionality, you need at least 10 contacts. For this reason, we sent contact requests to various people in the person’s purported career network.

The male profile was able to add a total of 13 contacts in four hours and was already partially blocked: only contact requests with email verification were still allowed. Apparently too many recipients had flagged our test profile as unknown. The female profile led to a different outcome: within five minutes, it had already added more than 13 contacts and, by the end of the test, it had even passed the 300 mark. Unknown professional contacts sent direct messages thanking the virtual person for reaching out and offered their professional assistance if needed. Additionally, our profile started to appear in search results.

Identifying a company’s employees

What does a profile gain from having many contacts? As the total number of contacts increases, a profile is more likely to be seen as authentic and gains credibility. Hence, it will be questioned far less. You would probably be less skeptical of a request with 14 shared contacts, as you may have met the person in the hallway or during a workshop, or it might have been a fleeting acquaintance. Having a large number of contacts in your network is a major advantage, as various second- or third-degree connections will be displayed with more detailed information. As a result, attackers are able to gather information about you without being directly connected. Particularly for the purpose of company-related social engineering, each name and employee is highly valuable, as they give leads to who makes up a team and help identify potential victims. Furthermore, various OSINT tools further enable attackers to single out certain key individuals.

However, carrying out all those searches and creating an Excel sheet of all employees is a lot of effort, and who would bother with that? Almost no one, but it does not matter, because there are a lot of open-source tools to perform these tasks for you. The tool ScrapedIn, for example, takes just seconds to generate an automatic Excel report containing the desired LinkedIn details, such as name, position, location and other details matching the search query.

ScrapedIn intercepts data

A case of targeted information acquisition

The more information a profile discloses, the bigger the attack surface. Profiles contain plenty of information that an attacker may collect and exploit for their own ends. A person’s educational background can often be especially useful for obtaining private information about them. Employees in leadership roles are generally expected to meet high requirements, with a university degree being a must-have for many employers.

The year of graduation can help an attacker to track down the employee’s master’s thesis or dissertation. ETH Zurich offers its own search feature precisely for this purpose. The work might include sensitive personal information, such as the author’s full name, date of birth and nationality. In the best-case scenario for the attacker, the acknowledgements will be publicly available. In addition to professors and fellow students, authors often express their gratitude to people close to them, offering the attacker more potential victims. In the acknowledgements, the person might thank their significant other, future spouse, best friend or parents.

With Google Dorking, a whole range of potentially lucrative search combinations can be tested. The information collected may be used to launch more sophisticated attacks, such as spear phishing or vishing. The more specific and believable a situation appears to be, the more willingly a person volunteers sensitive information. Not all phishing emails are replete with mistakes and other red flags – the really good ones are not as easy to recognize.

The right settings for your LinkedIn profile

LinkedIn has various settings that help improve the security of your profile. With very little effort, you may drop off the list of potential victims of automated scans, as your last name will be hidden, or you won’t even show up in the results generated by Google, Bing and other search engines.

Here are some settings to help you prevent social engineering attacks:

But one of the most important rules of all to follow is: never add anyone to your network unless you actually know them.

Conclusion

LinkedIn offers a variety of career benefits. Simply having an account is not a risk as long as the profile does not contain any business secrets or obvious infringements of others’ privacy.

An attacker may well be able to collect a lot of information about you, but you still have to actually click on the link in a phishing email. However, attackers with many pieces of information may be more convincing and disguise their attack better. This is why we recommend only making information public when necessary and using the most restrictive settings possible. Most importantly, remind yourself to take your time making decisions and to maintain a healthy level of skepticism and caution; this often promises more happy endings than your account security settings.

About the Author

Valérie Kastner

Valérie Kastner studies Business Economics with focus on Risk & Insurance at the Zurich University of Applied Sciences. After several years in underwriting and technical center for insurances, she has been working in IT security since 2018 with a focus on Web Application Security Testing and Social Engineering. (ORCID 0000-0002-9214-572X)
