LinkedIn – the hacker’s research tool
By By Andrew Tang, Service Director, Security at MTI Technology - 28 September 2015
As of July 2015, LinkedIn has approximately 380 million users worldwide, a number that is continuing to grow. The social media platform is very useful for networking in the business world. It invites users to share their online CV with other industry professionals and establish contacts, publish industry commentary, and research potential employers or candidates.
The security risks of sharing personal details on other social media platforms like Facebook have been well documented, but for enterprises, LinkedIn can be equally dangerous. LinkedIn pages can provide a considerable level of detail to potential cyber attackers: names, job titles, email addresses, partnering organisations, upcoming projects, and even hobbies and interests. At first glance, this information might seem relatively trivial, but it forms part of the ‘cyber kill chain’ and can lead to malicious attacks.
For hackers, LinkedIn can inform the ‘plan of attack’. Employee and company profile pages can help hackers identify a target; source the names of executives and department heads; and learn the email structure; as well as the names of affiliated companies.
This leaves organisations vulnerable to a range of cyber attacks. One example is spear phishing: a targeted person receives an email inviting them to access a link, which initiates the installation of malicious software.
Socially engineered access
Emails from known sources (a colleague, for example) and information about hobbies, can instill confidence in the targeted individuals, making them more likely to click on the link.
The name drop of the company CEO could create a false air of familiarity, which might spur someone to act hastily and neglect to follow the correct channels. It’s not hard to imagine that an IT helpdesk might grant a ‘known employee’ remote access in response to a pleading call or email to finish time-sensitive work on a Friday afternoon.
This might provide the hacker with the name, job title, and email address of a company employee, all of which are readily accessible on LinkedIn. In return, he stands to make financial gains, steal data, or simply obtain secure company information.
Most worryingly perhaps is this issue isn’t one that can be simply remedied with protective software. No technical solution can prevent an attacker from conducting an Internet search. LinkedIn and other social media profiles are often among the first to appear in a list of search engine hits. Once the attacker has deployed the malicious software, cajoled an employee, or gained remote access, the key goal is theft, whether for more information, financial remuneration, or data.
Education is the answer
As our virtual presence continues to grow, there needs to be more awareness made inside organisations about the potential risks of basic company details falling into the wrong hands. To safeguard company information and data, enterprises should attend more closely to what they wish to make visible to whom.
As more of our private lives are made public and readily available on the Internet, education becomes the vital component. Organisations should be looking to provide this level of training to all employees, or risk the consequences.