There’s a new spamming/spoofing trend going on that has an alarmingly high success rate at fooling both filters and end users. In the latest round of things we shouldn’t have to deal with but do, malicious users are harvesting contact information from LinkedIn and mapping the connections between users. In the preliminary stage of this spoof, the attacker combs through LinkedIn for users who have the two things the attacker needs: a publicly viewable profile with an email address, and a visible list of that user’s connections.
With the target email address in hand, the attacker can send email messages that appear to come from the name of one of the target’s contacts. Since people are more likely to trust email from someone they know, they are much more likely to open a spam message or, worse, click a link in a message they believe is from a friend. In either case, the attacker’s mission is accomplished: the spam has been delivered, or the user has been persuaded to click the link. These links typically lead to web pages hosting malicious content that then tries to exploit browser vulnerabilities or media application flaws.
The attack first came to my notice when I received an email from my friend SK, or at least that is how it looked. The problem was that the name on the “from” was his full given name, Steven, and I know this friend only uses that on formal documents, resumes, and their LinkedIn profile. They never use it in casual conversation or in any other communication, like email, Twitter, Facebook, etc. Since this came from “Steven” and not SK, it stood out to me and so I DM’d him on Twitter before I clicked on the link. Sure enough, not only had it not come from SK, I was the eighth or ninth LinkedIn connection to ask him about that. Unfortunately, more than half only checked with him after they had clicked the link.
SK and I both started to ask around our social and technical circles, and it looks like this is definitely a trend that is on the rise. We found several anecdotal cases of this sort of thing happening, and in each case, the common link between the target and the spoofed sender was LinkedIn.
As admins, we should raise awareness of this. Users need to be reminded that any email that appears to come from a friend, family member, or colleague and contains a link or attachment they were not expecting should be verified before they click or open it.
You should also suggest to your users that they update the settings on all their social media profiles to ensure that their email address is not visible except to trusted connections. In LinkedIn, you can set your profile up so that your contact information, including your email address, is only visible to your connections. People who are not connected to you can still email you through LinkedIn’s contact form, so there is no reason to worry about missing out on a fabulous opportunity. Preventing anonymous or unknown users from seeing your email address is simply a prudent way to cut down on spam and spoofed messages.
While you are thinking about it, log on to LinkedIn, Facebook, and other social websites that you yourself use, and make sure your profiles are set up to protect your email address from prying eyes. This is the sort of thing where we all want to practice what we preach!