Confessions of a LinkedIn Imposter: We Are Probably Connected

Wednesday, May 07, 2014

Tripwire Inc
By: Ken Westin

I have a confession to make. I created a fake profile on LinkedIn, and we are probably connected. After receiving connection requests from several obvious, and some not so obvious, fake profiles, I got curious and did a bit of experimenting by creating my own.

Creating the Back Story
Creating a believable backstory, complete with education, degree, work history, groups and certifications, is the first step. I found that a female profile had a higher response rate than a male one. I started by listing several real companies as previous employers, then followed their employees. Many followed me back, and some even asked how I was doing since I had left their company.

While creating my profiles I realized that one of the first things some people do to test whether a profile is fake is to run the photo through a reverse Google image search to see if it matches a stock photo or is tied to another name. However, an easy workaround is to flip the image; try it, and it won't match. If my targets can't find the image I used, it helps build false confidence that the account is real.

Then I started following people my new connections were connected to. I began receiving invitations to social events and even a few job offers. Over time the profile took on a life of its own, with people inviting me to connect with them.

Trust Me I’m A Recruiter
Listing my position as a technical recruiter made it easy to get people to volunteer information about themselves and their work. The prospect of a new position, or a future position with higher pay, provides a good channel for establishing trust: they want something from you, which makes it easier to request something from them.

I did not request information or directly communicate with anyone; I simply connected. Even so, the amount of information people would give a fake account, without being asked for it, was surprising. I could easily identify security professionals at Fortune 500 companies who were unhappy with their jobs. I also received many invitations to meet face-to-face to discuss career opportunities and to network.

Who Do You Trust?
LinkedIn is a great tool for business, but it can also be abused. Before blindly accepting a connection, consider what information it opens up about you. Could being connected to this person serve as an endorsement of their legitimacy to your other connections?

Used en masse against a specific company, LinkedIn can easily become a data mining tool for attackers looking to recruit insiders who might unknowingly give up information to a competitor, or who could even be fully enlisted in the attacker's cause.

Think you can guess who I am?

This was cross-posted from Tripwire's The State of Security blog.

Tags: General, Impersonation, Phishing, Phreaking
Martin Fisher: Does it really matter? I thought we had this conversation years back when it was called "Robin Sage".

Simply connecting with someone on LinkedIn does not a 'security issue' make and it's simplistic and naive to insist that's so. The analog to this would be I meet you at a party, give you a false name, and have a 5 minute chat. Have you somehow been compromised? Of course not!

I expect more from you, Tripwire.
Anthony M. Freed: Hey Martin - I think the point was more that LinkedIn does nothing to police the faux profiles, and some - as you noted with the reference to Robin Sage - can be employed for nefarious purposes like social engineering and competitive intel ops. Westin found people are willing to reveal too much info to un-vetted connections, which is a security issue. LinkedIn should just kill the accounts to reduce the risk of abuse.
Martin Fisher: But why *should* they police the profiles? Using the analog above, do we expect the host of a large open party to vet all of the attendees and their guests? If someone trusts too much there is a security issue, but it isn't LinkedIn - it's the person oversharing. Those who get taken in by this are victims of the attacker - not LinkedIn (or any other social media).

I get where you are coming from but I just don't expect or want social media providers to baby-sit me.
Anthony M. Freed: I hear ya man - but it seems there is a level of responsibility LI should have to their constituents to reduce the risk of fraud and deception. Facebook? Whatever, user beware, but LI is a business tool and users could be putting their organizations in jeopardy if they are foolish, which we know the majority are.
Morgan Frank: This article is well thought out and full of good information.
timm luca: I'm interested in your blog and wish to write one. Send me an email if you are willing to, thank you.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.