Linkedin offers a mixture of job opportunities and social media to help you connect with people in the same industry as you. It allows us to sell ourselves, to some extent, and have the jobs come to us. It also lets us store our education and job history, which helps if you are anything like me: I always forget the year and month when filling out job applications.
The issue with the platform is that it requires a balance between wanting a job and keeping your privacy. You want to sell yourself and be noticed by employers; however, you don’t want everyone knowing your life story.
Because so many of us choose to put personal information on our profiles, it becomes a goldmine for malicious parties. It’s basically free data to them. Why do all the hard work when you have already shared your name, email, education, place of work and past employment all in one place? The more we share, the easier it becomes to target us with phishing or social engineering attacks.
At first, this was meant to be an “experiment” with two aims: first, to see how open the platform is, and second, to hopefully educate people on the risks of just clicking accept. The focus changed quite early on, but I will keep the story flowing.
I often feel like Linkedin has this fake security blanket around it and people deem it a safe place. Don’t get me wrong, it might be all nice and safe; however, you don’t often hear in the news about the 33 million fake accounts. How accurate that figure is remains questionable, but I imagine it is high.
I had blinded myself to some of the security controls I thought were in place, mainly around privacy.
The first thing I did was set up a profile.
Out of curiosity, I used a disposable email address to see if it would work. This is something an attacker would most likely do. I looked in Purple-Pages and used one of the listed services… Shameless plug.
I was surprised to see it pass, to be honest. I saw the confirmation email come through and got past the first hurdle.
Now I needed a picture to seem genuine. Luckily, sites like Unsplash exist, so I can freely and legally use someone else’s face.
Because Linkedin is for jobs, we have become used to those messages that fill your inbox saying “let me find you a job” or “here is a job”.
It’s a perfect way in, and that’s why I became a recruiter.
Salespeople or recruiters are often outgoing by nature, so I needed a professional yet not too formal photo.
It’s also a benefit that there is no eye contact. Humans seem less threatening when they don’t make eye contact, and you are more likely to see them as harmless. It is basically “fake confidence”, and it is something hackers use during social engineering attacks. I find the whole social engineering side of hacking so fascinating!
Here I am….
The first thing I did was hide my email, because that is a massive giveaway. You just need to go here and hide it.
I then filled my profile with a bunch of fake information, adding a few basic jobs no one would question, such as bar staff or promoter, and adding “my” education, such as when I went to The University of Bristol.
I then started spamming out connection requests. I mainly targeted my “fellow peers” to boost my connections, and I also targeted a few non-IT people who would hopefully be less suspicious. Certainly not this guy:
Whilst I was waiting for the connections to grow, I thought I would check how my personal profile looks. I know that I have my settings locked down and have disabled or hidden pretty much everything when it comes to user data or sharing outside of my network (connections). I also have my profile set to private mode.
Long story short, I could see everything….
This was the turning point, and when my focus changed. I have a hard time switching off at the best of times, so finding this suddenly piqued my interest.
How could I be so visible, yet have all my settings set to private?
I then did some further digging and found that, regardless of how your privacy settings look, anyone within the Linkedin network can view everything. It’s only non-Linkedin users who you can hide from. That’s not great, as I had just created an account with a fake disposable email, a freely available photo and a bunch of fake info. It took less than 5 minutes.
Linkedin does stop you searching for people directly (within Linkedin); however, there are obvious ways around that:
- Go through Google and search for the person there. The link will bring you back to Linkedin and, because you are signed in, you can see the profile.
- Go to a few company profiles on Linkedin and see who is liking the activities or posts. You can then daisy-chain through people’s connections.
- Search for a hashtag and do the same thing. Look at the likes and interests and start exploring.
- Look at groups or interest pages and scroll through the members.
That’s just profiles, though. The threat here is simply user profiling: people looking at personal information that you don’t want them to have.
What about actually contacting me and trying to phish people, though? Luckily, not everyone can message anybody.
You have to be a connection right?
Well, yes, but you could also have a premium account.
This allows you to send messages to anybody and even set up a template. That would make mass phishing a doddle.
At this point, you may be thinking that a malicious party isn’t going to give their credit card details away.
That may be true, but there is one common weakness that malicious people can abuse: PayPal.
I’m not knocking PayPal at all. The service works for a lot of people.
The reason malicious people use it, though, is that there are fewer hurdles to jump through to get access. For a credit card, you need to provide a lot of personal details and have to go through the bank’s security and checks.
For PayPal, you can fake all of the steps: fake name, fake address, fake bank card and a burner or disposable phone or SMS service.
This will only get you to the login though.
So how do they add money if they can’t use their card?
Simple: they go to a supermarket, buy a gift card with cash and top up the account online. Now they can pay for online services, such as a premium Linkedin account, without any real traceability.
If they did all of this, they could then send messages to whoever they wanted, as it’s part of the premium service. The badge also gives the attacker a way in, because the account looks more official.
This then got me thinking. What could they do with all this power?
Phishing is the obvious one, so what about spreading malware?
I have noticed that the URLs on Linkedin change every time I share a post.
At first I thought that this was some kind of security control, such as Microsoft Safe Links.
I then started to test whether I could share a malicious link, and potentially a link which downloads a malicious file straight away. I did this in a safe manner and used WiCAR and EICAR, which are test files and URLs used to check security controls safely.
Seems like Linkedin picked up on the first, but the second is fine.
Once you click on the one they did spot, you see this:
That’s because, in the backend, they seem to use Google Safe Browsing to spot malicious content. That got me thinking whether the common techniques which bypass this service would work.
Let’s muddle the link through a short link service.
The popular one failed, but the not-so-well-known one didn’t.
I then went one step further. An able attacker wouldn’t be happy with a short link, as it looks suspicious.
What they would most likely do is abuse the Linkedin short link service. If I share a custom short link that is long enough (over 26 characters), Linkedin rewrites the URL with its own short link for me. It then looks more convincing. Here is my link:
and as expected, it works.
As I say, this is pretty common and can be used for phishing, malware and pretty much anything with a URL.
Looking at it from an enterprise perspective: what if your users are browsing this site whilst on your network? This is often why certain companies restrict social media access on their network. That, and they don’t want us slacking off.
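The short-link trick above works because a reputation check that only looks at the URL in the post never sees where the chain of redirects actually ends up. The defensive counterpart is to follow each hop yourself and check every URL you see, failing closed if the chain is too long or loops. Here is an added example of that check (not code from the original post or from Linkedin). The hostnames (lnkd.example, short.example, evil.example, loop.example) and the redirect table are constructed so it runs offline; the blocklist stands in for a real reputation feed such as Safe Browsing, which this example does not call.

```python
"""Resolve a short-link redirect chain hop by hop and check every hop.

Added example, not part of the original post. The redirect table, the
blocklist and all hostnames below are constructed stand-ins.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for a URL reputation feed: hosts we treat as bad.
BLOCKLIST = {"evil.example"}

# Constructed redirect chain: site shortener -> second shortener -> payload.
# Plus a two-hop loop to exercise the loop guard.
FAKE_REDIRECTS = {
    "https://lnkd.example/aBcDeF": "https://short.example/xyz",
    "https://short.example/xyz": "https://evil.example/malware.exe",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}


def fake_fetch(url):
    """Offline fetcher: return the Location a HEAD request would give, else None."""
    return FAKE_REDIRECTS.get(url)


def live_fetch(url, timeout=5):
    """Real HEAD request that does NOT follow redirects itself.

    Returns the raw Location header (possibly relative) or None. Only for
    use against URLs you are allowed to probe; the tests use fake_fetch.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # stop urllib from following the 3xx itself

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx surfaces here with NoRedirect
        return err.headers.get("Location")


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def first_hop_verdict(url):
    """The naive check: look only at the URL as posted."""
    return "blocked" if host_of(url) in BLOCKLIST else "ok"


def resolve_chain(url, fetch, max_hops=10):
    """Follow redirects, checking each hop against BLOCKLIST.

    Returns (hops, status). hops lists every URL seen in order; status is
    'ok', 'blocked', 'loop' or 'too_many_hops'. Anything other than 'ok'
    should be treated as a fail, so an over-long chain is not waved through.
    """
    hops = [url]
    seen = {url}
    for _ in range(max_hops):
        current = hops[-1]
        if host_of(current) in BLOCKLIST:
            return hops, "blocked"
        location = fetch(current)
        if location is None:
            return hops, "ok"          # final destination, already checked
        nxt = urljoin(current, location)  # handle relative Location headers
        if nxt in seen:
            return hops, "loop"
        seen.add(nxt)
        hops.append(nxt)
    return hops, "too_many_hops"       # last hop unchecked: fail closed


if __name__ == "__main__":
    posted = "https://lnkd.example/aBcDeF"
    print("first hop only:", first_hop_verdict(posted))
    hops, status = resolve_chain(posted, fake_fetch)
    print("full chain:", " -> ".join(hops), "=>", status)
```

Run against the constructed chain, the first-hop check reports the posted lnkd.example link as clean while the full resolution ends on the blocklisted host; swapping `fake_fetch` for `live_fetch` turns the same logic into a real resolver for a mail gateway or proxy.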
So what have we learnt:
- Anybody can falsify information to create an account.
- Phishing can be and is being done through the site, so be careful.
- It is possible to trick the security controls in order to share malicious URLs.
- Not everybody on the site is genuine. There are a large number of fake accounts out there.
- Don’t just accept any invitation. If you think one is suspicious, don’t accept it.
- Don’t just click any link, even in shared posts/articles.
Ohh, and it’s always worth checking your privacy settings. At least hide your email. Click here.
It’s important to remember that although this is based on Linkedin, the same thing occurs on multiple platforms. Linkedin can’t and won’t be able to prevent all of these attacks, so it’s always best to check yourself. Finally, I’ll close the account: