LinkedIn Contact Harvesting Newest Threat
Written by Casper Manes on January 9, 2013
There’s a new spamming/spoofing trend going on that has an alarmingly high success rate at fooling both filters and end users. In the latest round of things we shouldn’t have to deal with but do, malicious users are starting to harvest contact information from LinkedIn and map the associations between users. In the preliminary stage of this spoof, a malicious user parses through LinkedIn looking for users who have the two things the attacker needs: a publicly viewable profile with an email address, and a visible list of that user’s connections.
With the target’s email address in hand, the attacker can send that target email messages whose “from” name is the name of one of the target’s connections. Since people are typically more likely to trust email from someone they know, they are much more likely to open a spam message, or worse, click a link in a message they think is from someone they know. In either case, the attacker’s mission is accomplished: they’ve either delivered the spam or convinced the user to click on a link. These links typically lead to web pages hosting malicious content that then tries to exploit browser vulnerabilities or media application flaws.
The attack first came to my notice when I received an email from my friend SK, or at least that is how it looked. The problem was that the name on the “from” was his full given name, Steven, and I know this friend only uses that on formal documents, resumes, and his LinkedIn profile. He never uses it in casual conversation or in any other communication, like email, Twitter, Facebook, etc. Since this came from “Steven” and not SK, it stood out to me, and so I DM’d him on Twitter before I clicked on the link. Sure enough, not only had it not come from SK, I was the eighth or ninth LinkedIn connection to ask him about it. Unfortunately, more than half only checked with him after they had clicked the link.
SK and I both started to ask around our social and technical circles, and it looks like this is definitely a trend that is on the rise. We found several anecdotal cases of this sort of thing happening, and in each case, the common link between the target and the spoofed sender was LinkedIn.
As admins, we should raise awareness of this. Users need to be reminded that any email that appears to come from a friend, family member, or colleague and contains a link or attachment that was not expected should be verified with that person through another channel before it is opened.
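One way to back up that reminder on the mail gateway, as an added example that is not from the original post: flag a message whose “from” display name matches a contact the user knows but whose address is not one that contact actually uses, which is exactly the mismatch that gave the spoof away above. The address book and sample messages below are constructed for illustration.

```python
# Added example (not from the original post): detect display-name spoofing of a
# known contact by comparing the From: display name against an address book.
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: normalized display name -> addresses that person really uses.
KNOWN_CONTACTS = {
    "steven example": {"sk@example.org"},
}


def normalize_name(name):
    """Lower-case and collapse whitespace so 'Steven  Example' == 'steven example'."""
    return " ".join(name.lower().split())


def check_from_header(raw_message, known_contacts=KNOWN_CONTACTS):
    """Return (verdict, reason) for the From: header of one RFC 822 message.

    verdict is 'ok', 'unknown', or 'suspicious'. A known name paired with an
    address the contact never uses is the spoofing pattern described above.
    """
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if not addr:
        return ("suspicious", "From header is missing or has no address")
    known_addrs = known_contacts.get(normalize_name(display_name))
    if known_addrs is None:
        return ("unknown", "sender name is not in the address book")
    if addr in known_addrs:
        return ("ok", "name and address match a known contact")
    return ("suspicious",
            "display name %r is a known contact but %s is not their address"
            % (display_name, addr))


# Constructed sample messages: a spoof using a friend's name, and a genuine one.
SPOOFED = ("From: Steven Example <promo@mail-example.test>\n"
           "Subject: check this out\n\nhttp://example.test/link\n")
GENUINE = "From: Steven Example <sk@example.org>\nSubject: hello\n\nhi\n"

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_from_header(raw))
```

A real deployment would load the address book per recipient and treat "suspicious" as a reason to quarantine or tag the message rather than drop it outright.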
You should also suggest to your users that they update the settings on all their social media profiles to ensure that their email address is not visible except to trusted connections. In LinkedIn, you can set your profile up so that your contact information, including your email address, is only visible to your connections. People who are not connected to you can still reach you using LinkedIn’s contact form, so there is no reason to worry about missing out on a fabulous opportunity. Preventing anonymous or unknown users from seeing your email address is simply a prudent way to cut down on spam and spoofed messages.
While you are thinking about it, log on to LinkedIn, Facebook, and other social websites that you yourself use, and make sure your profiles are set up to protect your email address from prying eyes. This is the sort of thing where we all want to practice what we preach!
This is a very subtle tactic! We managed to learn not to open emails and especially click links when the sender is unknown but this scheme exploits trust. When the sender is somebody we know, and especially if he or she is known for frequently sending links to interesting stuff, as I am to my friends, it is really easy to become a victim. Good that you write about this scam – I hope it will save dozens of users from becoming victims.
This is one of the reasons why I no longer hang out on LinkedIn. A few months ago, I kept receiving invites for connection from people I don’t really know. But they did have very decent profiles and jobs that are related to mine, so I thought maybe they wanted some professional connections in the future. Sadly, once I added them, they wouldn’t stop sending me mails, asking me to click on suspicious links. It’s so sad what has become of LinkedIn. All these security fails only make them sound less professional each day.
I have been staying out of LinkedIn for some time now, but it’s really not because of this. I just don’t have the time. Now maybe I need to extend my hiatus or perhaps pull out my profile. LinkedIn used to be the elite among all social networking websites. It definitely looks very professional, and the people there are real and have great job titles. I don’t know what happened. Is it because it’s gaining more popularity as well? Or is it because spammers and other scammers are more attracted to people who have money? I guess it’s both.
I don’t trust LinkedIn anymore! It’s been a long time since my last login, and one of the reasons why is I don’t see the need for it anymore, especially in light of circumstances such as this. Besides, for some reason, I can no longer feel the essence of professionalism in that website. Yes, many people do add me to their contact list, and yes, a lot of them also use it to spam me. It is a good thing that I don’t just click any link they send me, even if these mails come from people I know of.