A few days ago, I got a new invitation to connect with someone on LinkedIn. Usually, I recognize the person by name and photo, briefly check out their profile for anything suspicious and finally accept the invitation. Being a vigilant information security professional, I noticed that something seemed weird about this particular invitation. That’s why I am writing this post.
Note: Although this post describes a situation that actually happened via the popular social network for business contacts, LinkedIn, it is very imaginable that this could also happen through other social networks. This post won’t concentrate too much on answering the question why it isn’t a good idea to fall for fake or stolen profiles (there are already some really good articles about that – check out the links under “Further reading”), but rather describes how this situation was detected and what further steps have been and will be taken. It concludes with key takeaways which anybody can and should incorporate.
What exactly seemed weird about this contact invitation?
- I had never heard of this person before.
- I had never heard of this person’s organization before.
- I had not received any message from that person – usually strangers at least say why they are reaching out in 2-3 sentences.
- Based on the industry and position that this person is supposedly working in, I wasn’t able to figure out why I received an invitation from him.
- The person didn’t have a profile picture.
So I decided to investigate further before eventually accepting the invitation.
One thing that immediately got my attention was the fact that this stranger had 500+ total contacts and 23 in common with me. Most of them – but not all – were my co-workers.
How could this be?
My best guesses were:
- We hired a new guy; word hasn’t spread to me yet; he simply hasn’t updated his profile yet.
- Some weirdo is collecting random contacts for unknowable reasons. And my colleagues don’t mind additional contacts either.
- Somebody is planning an attack on our company (or we are already under attack) and is in the middle of gathering valuable information.
Even though guess #1 seemed very unlikely to me – I am usually informed about new employees – I decided to verify or exclude that possibility simply by asking a few of the shared contacts if they can tell me who that person is. Unsurprisingly, nobody I asked (initially 7 people) had a clue who he was.
Guess #2, on second thought, isn’t really very persuasive. To me, it shouldn’t matter what exactly the reason might be. The fact is that a total stranger is sending contact invitations to a bunch of my colleagues and so far, nobody really knows why. In case of doubt, I’d rather assume the worst case than the best. After excluding guess #1, the best case can only be #2 and the worst is at least #3.
Why exactly is this kind of profile a threat to organizations?
As mentioned before, I won’t go too deep into the specifics of this question, since much has been said and written about it already. But in a nutshell – here are the two main reasons:
- The attacker can build a list of key employees to target (e. g. for phishing mails).
- The attacker can get an overview of which technologies are being used in the targeted organization.
With this information at hand, the attacker will step into the next phase of the actual attack and try to achieve his goals (usually including, but not limited to, data theft, extortion, “traditional” financial scams, etc.).
Social Engineering through social media isn’t a new phenomenon
Back in 2015, I had already read about a case in which a hacker group created a network of fake LinkedIn profiles. Crimes involving identity theft aren’t anything new either.
Even with this knowledge in mind, and with mainstream media reporting about it – until now, this particular scheme had seemed fairly abstract to me. So I wonder how aware non-infosec people are of this. Now I had a first-hand reason to be worried about it. Time to take care of this.
Inform your contacts
The first and most obvious step is to inform your contacts who have connected with the suspicious profile. If they are aware of the fact that they have a contact in their list with ill intentions, they will most likely remove the contact. The fewer people who have the contact in their list, the lower the risk that other people in their contact lists will fall for further connection attempts. You should also encourage them to report the profile, since it would be even better to deprive the attackers of resources and at least obstruct one of their methods.
Comparing online behavior to real-world behavior can be an eye-opener
Based on my experience, not everybody will immediately understand the reason for asking them to remove and report the profile. Perhaps you can explain your reasons with a story comparing this strange online-only behavior with real-life behavior.
Imagine you are on your way to work. In front of your company’s main entrance you see a guy wearing sunglasses and a scarf – you can’t recognize who the person actually is. You walk by him and he stops you. Without you asking who he is and what he is doing, he hands you a business card and a CV. A list of common contacts is also attached to his CV, just in case you were worried. He then requests that you also hand him your own business card and your own CV. No word spoken afterwards – you proceed into the building. He does that with everybody else entering the building and you observe him doing it – seems totally legit, right?!
Of course you should modify the story based on the specifics of the case – instead of a scarf and sunglasses it could also be a person looking totally photoshopped, or otherwise strange looking; or leave out the part with the shared contacts; or add a one-liner, in case there was a message sent with the connection invitation… The point is that nobody would do that in the real world. They’d probably at least avoid this person and might even call the police or inform somebody in charge. So why the heck should they do the complete opposite when dealing with strangers online?
I used this story to explain my request to some of my co-workers. It worked.
Develop a policy that deals with how employees handle contacts on social media
Almost needless to say – companies should make their employees aware of this specific threat. If there is already a security awareness program in place, this topic should be added. I will certainly do this ASAP.
The next step would be to develop a policy that deals with how employees handle their social media contacts.
If you already have a security policy, social media guidelines or any other form of suitable document (netiquette, code of conduct, etc.) you could simply extend it.
In fact, the addition could even be something as simple as: “Think twice before connecting with people on social media. Only accept invitations if you really know the person or are expecting an invitation from that organization.”
Keep. It. Simple.
As long as you are pretty sure (I don’t believe that anybody is ever 100% sure) that all employees have read it, understood it and are actually aware of the policy’s existence, it’s good. Unfortunately, there is probably no universally valid, simple way to test whether a new policy is actually being understood and internalized (if you know one, I’d be open to any ideas). So until then, my suggestion is to inform, inform and again – inform everybody.
Most major companies already have social media guidelines in place (however, I have yet to see one that deals with how to handle new connection invitations). Check out this list if you need some general inspiration on what else should be included in a proper guideline, and this article for more detailed information on the subject matter.
Tip: Even if you are not in charge of the security awareness program or of the security policy, you should mention it to your colleagues and/or boss and at least suggest that this be addressed. As stated previously, I believe that the awareness for this specific matter is currently very, very low.
Key takeaways and additional suggestions
- Don’t accept every contact invitation blindly! Think twice before accepting invitations!
Check if you actually know the person or at least are expecting an invitation from a member of his/her organization. If not, ask yourself what the reason for the invitation might be. Check for shared contacts and ask a trustworthy person who it is. If you still can’t come up with a sensible answer, chances are there is none – simply ignore the invitation or (if possible) report the invitation to the platform! Here is a help page on how to report fake LinkedIn profiles.
- Don’t disclose any sensitive information through your profile!
Imagine that you are a person trying to infiltrate your organization. Which information would you go after first? Any information that could let an attacker know (or guess) what kind of technologies are being used in your organization is useful to them. Same goes for too detailed information about specific projects or clients.
- Clean up your contacts every once in a while!
Hand on heart – how many of your contacts have you actually contacted in the last 12 months or even longer? Who was that sales guy again? Why did I accept that invitation? … you get the point. If you have contacts who don’t post anything useful to you, with whom you have no business or personal relationship or if you simply have no clue who it actually is – just delete the contact. It won’t hurt and if you accidentally delete a legit contact, you will surely get another contact invitation to look into.
- Spread the word!
Experience has shown that very few people are aware of the dangers of exposing sensitive information through social networks. The more people who accept ill-intended contact invitations, the higher the chance that a coworker or other trusted contact will accept the same invitation. Therefore, a good thing to do would be to share this post! 😉
If you are in charge of a user security awareness program in your organization, make sure to mention the threat posed by this kind of contact invitation. Develop a policy that deals with employees’ social media behavior.
Further reading
- (very extensive, but very informative and well written) https://www.linkedin.com/pulse/growing-epidemic-fake-linkedin-profiles-scott-bernstein
- (German) http://karrierebibel.de/fake-profile-auf-linkedin-gibts-immer-mehr/
- (About social media guidelines) – http://blog.hubspot.com/blog/tabid/6307/bid/29441/5-Noteworthy-Examples-of-Corporate-Social-Media-Policies.aspx
- (About social media guidelines) – https://blog.hootsuite.com/social-media-policy-for-employees