Section 1. Real LinkedIn phishing attacks

1.1 LinkedIn attacks asking users to upload their CVs

In April 2017, scammers started sending phishing messages to LinkedIn users asking them to upload their CVs. The messages contained the following text: “A company is urgently seeking for immediate employment from your region. They are interested on your qualifications base on our recommendation. Your email address has been updated in our recruitment database & please we are waiting for your CV and Cover letter.” The text is followed by an “Upload Your CV Here” button and the text: “If the button doesn’t work, you can click here. This is the best place you need to send your CV now. 2017 LinkedIn Incorporation“.

If one starts analyzing the message, he or she will immediately identify at least three warning indicators, namely, (i) the message was sent from a suspicious email address (info@serv1.cyber-net.bid), (ii) the message contains multiple grammatical mistakes (e.g., the use of “interested on” instead of “interested in”), and (iii) pretending that the message was sent by LinkedIn, whereas the source of the email and the many mistakes clearly indicate that it could not be sent by a legitimate company.

We can only speculate about the reasons for which the fraudsters collected CVs of LinkedIn users. Such reasons may include, for example, conducting identity thefts and other crimes. It is worth mentioning that CVs are abundant with personal information, such as addresses, email addresses, and phone numbers, which can facilitate such crimes.

1.2 The Locky attack

In November 2016, researchers working at Check Point discovered that a variant of the ransomware Locky was taking advantage of security vulnerabilities of social networks, including LinkedIn. By using the security vulnerabilities, hackers embedded malicious code in images published on LinkedIn which forced the browser of the victim to install a version of the well-known ransomware Locky. The ransomware encrypts all files that match certain file extensions. After the encryption is completed, a pop-up message requests the user to visit an illegal website which demands a payment of between 0.5 and 1 Bitcoin.

1.3 The “LinkedIn update” attack

Phishers operating the “LinkedIn update” scam send emails purporting to be sent by LinkedIn to LinkedIn users. If the users click on a link in the phishing messages, they will be redirected to a fake LinkedIn login webpage. The credentials collected by the fraudsters through that web page may be used for hijacking the account with the aim to send malware, spam, and other illicit content. A copy of the message contained in the phishing emails is provided below.


The following factors clearly indicate that the message is phishing: (i) there is no name of the recipient; (ii) the text “Copyright © 2017 Information” is not a correct copyright notice; and (iii) the message contains numerous language mistakes, e.g., “click the link” should be “click on the link”.

Section 2. Typology of LinkedIn phishing attacks

Based on the source of the phishing messages, we can distinguish two types of LinkedIn attacks, namely, attacks using fake accounts (Section 2.1) and attacks using hijacked accounts (Section 2.2). They are examined in more detail below.

2.1 Attacks using fake accounts

These types of attacks are usually conducted by creating fake profiles of recruiters. Since LinkedIn users (especially those searching for a new employment) expect to be contacted by recruiters, they quickly fall prey to such attacks. In 2015, researchers from the Dell Secure Works Counter Threat Unit identified a network of fake LinkedIn profiles. The profiles in the network consisted of two types of users, namely, fully developed profiles and supporting profiles. The creators of the profiles invested significant efforts in maintaining them. The profiles included current and previous job descriptions, educational background, and even LinkedIn group members. One of the profiles had more than 500 connections. The researchers concluded that the profiles were fake based on various indicators, e.g., some photographs were linked to multiple identities across many websites, at least one autobiography was the same as an autobiography in a legitimate LinkedIn profile, and job descriptions were copied from job descriptions published by legitimate job postings.

2.2 Attacks using hijacked accounts

By using hijacked accounts, hackers lure their victims into believing that their trusted connections send them legitimate messages. To illustrate, Help Net Security reported a phishing campaign in which hackers used hijacked LinkedIn accounts to send messages containing a link to a webpage that requires users to include their phone numbers and AOL, Yahoo, and Gmail login credentials to access an attachment. Once the victims enter their login credentials, their accounts can be hacked and used for further spreading the attack.

Jerome Segura, a security researcher at MalwareBytes, stated regarding one of the hacked accounts: “The user whose account was hacked had over 500 connections on LinkedIn and based on Hootsuite’s stats, we know 256 people clicked on the phishing link.” Attackers may hijack accounts by using credentials acquired during actual attacks on LinkedIn. For instance, in 2012, hackers illegally obtained more than 6.5 million passwords belonging to LinkedIn users and published them online. LinkedIn quickly addressed the security vulnerability used for the unlawful collection of data by implementing a mechanism allowing LinkedIn to confirm the identity of users by using two different components.

Section 3. Criteria which can be used for identifying LinkedIn phishing messages

At least the following six criteria can be used for identifying LinkedIn phishing messages: (i) the profile of the sender of the message contains numerous grammar mistakes; (ii) the sender purportedly works at a high-level position and/or has Ivy league education; (iii) if one searches for the photo of the sender in Google Images, he/she finds out that the photo belongs to another individual; (iv) the profile contains many blank sections; (v) the sender works for a company having a generic company name; (vi) the entire name of the sender is written in lowercase; (vii) the sender does not have any LinkedIn recommendations; and (viii) the career of the sender seems somewhat unusual (e.g., after working for one year as a project manager at a corporation, one becomes a CEO of that corporation).

Ethical Hacking Training – Resources (InfoSec)

Section 4. Recommendations on how to respond to LinkedIn phishing messages

Individuals and companies who spot a fake profile in LinkedIn are advised to remove the fake profile from their list of connections (Section 4.1) and report the fake profile to LinkedIn (Section 4.2). Below, these two steps are examined in more detail.

4.1 Removing the fake profile from their list of connections

Fraudsters often rely on the reputation of their connections to lure their victims to accept contact requests on LinkedIn. For example, if a fake profile establishes LinkedIn connections with the profiles of several senior executives at large companies, it may look seemingly harmless. By removing the fake profile from their list of connections, LinkedIn users will prevent other users from being misled into believing that the owner of the account is a well-connected professional.

4.2 Reporting the fake profile to LinkedIn

LinkedIn users can report fake profiles either by using the “Report” button on the fake profile or the contact form available at https://www.linkedin.com/help/linkedin/ask/TS-NFPI?lang=en . After receiving the report, LinkedIn will examine the case and, if necessary, disable the fake account. Owners of allegedly fake accounts can submit counter-notifications by using the online form available at https://www.linkedin.com/help/linkedin/ask/TS-CNFPI.

Section 5. Conclusion

This article described the mechanisms and the dangers of LinkedIn phishing attacks. Hackers can turn the reputation of the most prominent professional social network into a dangerous cyber weapon. In this regard, Allison Wikoff, a senior researcher at SecureWorks, stated: “It’s got trust built into it, and hackers leverage that trust to their own nefarious purposes.”

Similar to other phishing attacks, LinkedIn phishing attacks cannot be prevented by implementing technology measures, such as firewalls and anti-virus software. This is because such attacks rely on human mistakes, not on technological vulnerabilities. Therefore, organizations willing to prevent LinkedIn phishing attacks need to focus on raising security awareness among their employees by, for example, training them on how to (i) identify fake profiles, (ii) remove fake LinkedIn profiles, and (iii) report fake profiles.

References

Arruda, W., ‘How to Tell If A LinkedIn Request Is A Scam And What To Do About It’, 7 May 2015, Forbes. Available at https://www.forbes.com/sites/williamarruda/2015/05/07/how-to-tell-if-a-linkedin-request-is-a-scam-and-what-to-do-about-it/ .

Christensen, B., ‘LinkedIn Update’ Phishing Scam Email’, 30 July 2017, Hoax-Slayer. Available at http://www.hoax-slayer.net/linkedin-update-phishing-scam-email/ .

Cross, M., ‘Social Media Security: Leveraging Social Networking While Mitigating Risk’, Newnes, 2013.

Dimitrova, M., ‘Job Openings for Active LinkedIn Users Phishing Scam Detected’, 18 April 2017, Sensors Tech Forum. Available at https://sensorstechforum.com/job-openings-active-linkedin-users-phishing-scam-detected/ .

Fingas, J., ‘Malware uses Facebook and LinkedIn images to hijack your PC’, 27 November 2017, Engadget. Available at https://www.engadget.com/2016/11/27/ransomware-exploits-facebook-and-linkedin-images .

‘Hacker Group Creates Network of Fake LinkedIn Profiles’, 7 October 2015, Secure Works. Available at https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles .

Hadnagy, C., ‘Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails’, John Wiley & Sons, 2015.

Khan, G., ‘Social Media for Government: A Practical Guide to Understanding, Implementing, and Managing Social Media Tools in the Public Sphere’, Springer, 2017.

Lachkar, S. and Kabla, H., ‘Mastering Social Selling Like a Boss: How to use social media to develop sales performance‬’. Editions Kawa: 2017.‬‬

Narang, S., ‘Fake LinkedIn accounts want to add you to their professional network’, 2 December 2015, Symantec. Available at https://www.symantec.com/connect/blogs/fake-linkedin-accounts-want-add-you-their-professional-network .

‘Reporting Inaccurate Information on Another Member’s Profile’, LinkedIn. Available at https://www.linkedin.com/help/linkedin/answer/30200/reporting-inaccurate-information-on-another-member-s-profile?lang=en .

Snider, M., ‘Vevo suffered a huge hack from a LinkedIn phishing scam’, 15 September 2017, USA Today. Available at https://www.usatoday.com/story/tech/news/2017/09/15/vevo-plays-despite-hack-accessing-3-12-terabytes-internal-data/669749001/ .

Weise, E., ‘Just say no to LinkedIn requests from strangers; some may be phishing scams’, 6 October 2017, USA Today. Available at https://www.usatoday.com/story/tech/2017/10/06/just-say-no-linkedin-requests-strangers-some-may-phishing-scams/723528001/ .

Weisman, S., ‘Identity Theft Alert: 10 Rules You Must Follow to Protect Yourself from America’s #1 Crime’. Pearson Education: 2015.

Zaikin, R. and Barda, D., ‘ImageGate: Check Point uncovers a new method for distributing malware through images’, 24 November 2016, CheckPoint. Available at https://blog.checkpoint.com/2016/11/24/imagegate-check-point-uncovers-new-method-distributing-malware-images/ .

Co-Author

Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.