Keeping Safe On Linkedin
Linkedin offers a mixture of job opportunities and social media to help you connect with people in the same industry as you. It allows us to somewhat sell ourselves and have the jobs come to us. It also allows us to store our education and job history, which helps if you are anything like me, as I always forget the year and month when filling out job applications.
The issue with the platform is that it does require a balance between wanting a job and allowing privacy. You want to sell yourself and be noticed by employers; however, you don’t want everyone to know your life story.
Because so many of us choose to put personal information on our profiles, it becomes a goldmine for malicious parties. It’s basically free data to them. Why do all the hard work if you have already shared your name, email, education, place of work and past employment all in one place? The more we share, the easier it becomes to target us with phishing or social engineering attacks.
At first, this was meant to be an “experiment”: first, to see how open it is and, second, to hopefully educate people on the risks of just clicking accept. It somewhat changed quite early on, but I will keep the story flowing.
I often feel like Linkedin has this fake security blanket around it and people deem it a safe place. Don’t get me wrong, it might be all nice and safe; however, you don’t often hear in the news about the 33 million fake accounts. How true the figure is, is questionable, but I imagine it is high.
I was blinded myself to some of the security controls I thought were in place. Mainly around privacy.
The first thing I did was set up a profile.
Out of curiosity, I used a disposable email address to see if it would work. This is something an attacker would most likely do. I looked in Purple-Pages and used one of the listed services… Shameless plug.
I was surprised to see it pass, to be honest. I saw the confirmation email come through and got past the first hurdle.
Now I needed a picture to seem genuine. Luckily sites like Unsplash exist, so I can freely and legally use someone else's face.
Because Linkedin is for Jobs, we have become used to those messages that fill your inbox saying “let me find you a job” or “here is a job”.
It’s a perfect way in and that’s why I became a recruiter.
Sales or job finders are often outgoing in nature, so I needed a professional yet not too formal photo.
It’s also a benefit that there is no eye contact. Humans seem less threatening when they don’t give eye contact, and you are more likely to see them as harmless. Basically, “fake confidence” is something hackers use during social engineering attacks. I find the whole social engineering side of hacking so fascinating!
Here I am…
The first thing I did was hide my email, because that is a massive giveaway. You just need to go here and hide it.
I then filled my profile with a bunch of fake information, adding a few basic jobs no one would question, such as bar staff or promoter, and adding “my” education, such as when I went to The University of Bristol.
I then started spamming out connection requests. I only targeted my “fellow peers” so as to boost my connections. I also targeted a few non-IT people who would hopefully be less suspicious. Certainly not this guy:
Whilst I was waiting for the connections to grow, I thought I would check how my personal profile looks. I know that I have my settings locked down and have disabled or hidden pretty much everything when it comes to user data or sharing outside of my network (connections). I also have my profile set to private mode.
Long story short, I could see everything…
This was the turning point and when my focus changed. I have a hard time switching off at the best of times, so finding this suddenly piqued my interest.
How could I be so visible yet have all my settings set to private?
I then did some further digging and found that, regardless of how your privacy settings look, anyone within the Linkedin network can view everything. It’s only non-Linkedin users whom you can hide from. That’s not the best, as I had just created an account with a fake disposable email, a publicly free photo and a bunch of fake info. It took less than 5 minutes.
Linkedin does stop you from searching people directly (within LinkedIn) however there is an obvious way around that:
That’s just profiles though. The threat there is simply user profiling: people looking at personal information that you don’t want them to have.
What about actually contacting me and trying to Phish people though? Luckily, not everyone can message anybody.
You have to be a connection right?
Well, yes, but you could also have a premium account.
This allows you to send messages to anybody and even set up a template. That would make mass phishing a doddle.
At this point, you may think that a malicious party isn’t going to give their credit card details away.
That may be true, but there is one common flaw that malicious people can somewhat abuse: PayPal.
I’m not knocking PayPal at all. The service works for a lot of people.
The reason malicious people use it, though, is that there are fewer hurdles to jump through to get access. For a credit card, you need to provide a lot of personal details and have to go through the bank’s security and checks.
For PayPal, you can fake all of the steps. Fake name, fake address, fake bank card and a burner or disposable phone or SMS service.
This will only get you to the login though.
So how do they add money if they can’t use their card?
Simple, they go to a supermarket, buy a gift card with cash and top-up the account online. Now they can pay for online services such as premium Linkedin accounts without any real traceability.
If they did all of this, they could then send emails to whomever they wanted, as it’s part of the premium service. The badge also gives the attacker a way in, because the account looks more official.
This then got me thinking. What could they do with all this power?
Phishing is obvious so what about spreading malware?
I have noticed that the URLs on Linkedin change every time I share a post.
At first, I thought that this was some kind of security control, such as Microsoft Safe Links.
I then started to test whether I could share a malicious link, and potentially a link which downloads a malicious file straight away. I did this in a safe manner and used WiCAR and EICAR. These are used to test security controls safely.
Seems like Linkedin picked up on the first, but the second is fine.
Once you click on the one they did spot, you see this:
That's because, in the backend, they seem to use Google Safe Browsing to spot malicious content. That got me thinking whether common techniques which bypass this service would work.
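The file-download half of that test relies on the EICAR test file, which anti-malware products agree to treat as malicious even though it is harmless. What a download scanner actually checks for is shown below as an added example that is not from the article: a strict check that the whole download is a valid EICAR file per the published specification (the 68-byte string, optionally followed by whitespace, at most 128 bytes in total) and a looser check for the string embedded in other content. The sample downloads are constructed for the example.

```python
"""Recognise the EICAR anti-malware test file the way a download scanner would.

Added example for the article; the signature is the published EICAR test
string, the sample downloads below are constructed here.
"""

# The 68-byte EICAR test string (the backslash after "[4" is escaped in Python).
EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
# The specification allows only whitespace after the string and a total
# file size of at most 128 bytes.
EICAR_TRAILING = set(b" \t\r\n\x1a")
EICAR_MAX_LEN = 128


def is_eicar_file(data: bytes) -> bool:
    """Strict check: the whole object is a valid EICAR test file."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR_SIGNATURE):
        return False
    return all(byte in EICAR_TRAILING for byte in data[len(EICAR_SIGNATURE):])


def contains_eicar(data: bytes) -> bool:
    """Loose check: the signature appears anywhere, e.g. embedded in a page."""
    return EICAR_SIGNATURE in data


def scan_download(name: str, data: bytes) -> dict:
    """Verdict for one downloaded object, as a web gateway would log it."""
    if is_eicar_file(data):
        verdict = "eicar-test-file"
    elif contains_eicar(data):
        verdict = "eicar-embedded"
    else:
        verdict = "clean"
    return {"name": name, "size": len(data), "verdict": verdict}


# Constructed sample downloads.
SAMPLES = {
    "eicar.com": EICAR_SIGNATURE + b"\r\n",
    "eicar.txt": b"Test pattern follows: " + EICAR_SIGNATURE,
    "readme.txt": b"nothing to see here",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(scan_download(name, data))
```

The strict check is what you want when verifying that a gateway blocks the canonical test file; the loose check is closer to what a real engine does, since attackers do not keep to the 128-byte rule and neither should your detection.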
Let's muddle the link through a short link service.
The popular one failed but the not-so-known one didn’t.
I then went one step further. An able attacker wouldn’t be happy with a short link, as it looks suspicious.
What they would most likely do is abuse the Linkedin short link service. If I create a custom short link with 26 characters, Linkedin will change the URL for me. It will then look more convincing. Here is my link:
And, as expected, it works.
As I say, this is pretty common and can be used for Phishing, malware and pretty much anything with a URL.
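What a network gateway can do about redirector and short-link abuse of this kind, as an added example that is not code from the article: it unwraps `?url=`-style redirect parameters offline, records the chain of hosts a link passes through, flags known shortener domains, and blocks destinations on a deny list. The domain lists, log format and log lines are constructed for the example and are not LinkedIn's real endpoints; a real deployment would take them from policy and threat intel, and would resolve opaque short links (no embedded destination) by following them in a sandbox, which this offline check deliberately does not do.

```python
"""Flag shortened and redirector URLs in a proxy log before users reach them.

Added example for the article; domain lists, log format and log lines are
constructed for illustration and are not LinkedIn's real endpoints.
"""
from urllib.parse import parse_qs, urlparse

# Assumed policy data: a real gateway would load these from configuration.
SHORTENER_HOSTS = {"short.example", "tiny.example"}
BLOCKED_HOSTS = {"malware.example"}
# Query parameters that open redirectors commonly use to carry the target.
REDIRECT_PARAMS = ("url", "u", "redirect", "target")
MAX_HOPS = 5


def _embedded_target(url):
    """Return the absolute URL carried in a redirect parameter, if any."""
    query = parse_qs(urlparse(url).query)
    for key in REDIRECT_PARAMS:
        for value in query.get(key, []):
            if value.startswith(("http://", "https://")):
                return value
    return None


def unwrap_chain(url, max_hops=MAX_HOPS):
    """Follow embedded redirect targets offline (no network request).

    Returns the list of URLs visited, starting with the original. Stops at
    max_hops, or on a repeated URL, so nested redirectors cannot loop forever.
    """
    chain = [url]
    while len(chain) <= max_hops:
        nxt = _embedded_target(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def classify_url(url):
    """Findings for one URL: shortener use, hidden destination, deny-listed host."""
    chain = unwrap_chain(url)
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]
    findings = []
    if any(h in SHORTENER_HOSTS for h in hosts):
        findings.append("shortener")
    if len(hosts) > 1 and hosts[-1] != hosts[0]:
        # The visible domain differs from where the user would end up.
        findings.append(f"redirect:{hosts[-1]}")
    if hosts[-1] in BLOCKED_HOSTS:
        findings.append("blocked")
    return {"url": url, "hosts": hosts, "findings": findings}


def scan_log(lines):
    """Constructed log format: '<timestamp> <user> <url>' per line."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the gateway
        results.append(classify_url(parts[2]))
    return results


# Constructed sample log lines (the last one nests a shortener inside a redirector).
LOG_LINES = [
    "2024-01-01T10:00:00Z alice https://intranet.example/news",
    "2024-01-01T10:01:00Z bob https://short.example/abc123",
    "2024-01-01T10:02:00Z carol https://trusted.example/redir?url="
    "https%3A%2F%2Fmalware.example%2Fpayload.exe",
    "2024-01-01T10:03:00Z dave https://trusted.example/redir?url="
    "https%3A%2F%2Fshort.example%2Fr%3Fu%3Dhttps%253A%252F%252Fmalware.example%252Fx",
]

if __name__ == "__main__":
    for result in scan_log(LOG_LINES):
        print(result["findings"] or ["ok"], " -> ".join(result["hosts"]))
```

The point of recording the whole host chain rather than just the first hostname is exactly the trick described above: the link a user sees carries a trusted domain, and only the unwrapped destination tells you where the click actually lands.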
Looking at it from an enterprise perspective: what if your users are browsing this site whilst on your network? This is often why certain companies restrict social media access on their network; it isn’t just that they don’t want us slacking off.
So what have we learnt:
Ohh, and it’s always worth checking your privacy settings. At least hide your email. Click here.
It’s important to remember that although this is based on Linkedin, this occurs on multiple platforms. Linkedin can’t and won’t be able to prevent all of these attacks, so it’s always best to check yourself. Finally, I’ll close the account.
Read more here: https://xstag0.com
Beta-tester at Parrot Security, Polymath
2 years ago: Always on my mind ;-) TY Ashley Moran