Who turns down a LinkedIn invitation? You never know: that one connection could be the first step toward a new job, a new client, or a lucrative contract.
Or, it could be the first step toward getting hacked.
In the latest cautionary tale about overly promiscuous social media sharing, investigators at Dell recently found that hackers set up a network of fake LinkedIn profiles, all designed as an elaborate ruse to steal electronic intelligence from telecommunications companies.
The 25 fake profiles cross-referenced each other, giving them credibility, and managed to trick hundreds of telecom workers and others into accepting connections. Dell’s SecureWorks research team believes an Iran-based hacking organization named Threat Group 2889 was behind the scheme. Earlier, this group was accused of duping Internet users into installing malicious software by disguising a program as a resume submission tool.
“We assess this group is tasked with obtaining confidential information for cyber espionage purposes,” Dell said. “This assessment is based on the inferred targeting of Arab middle-eastern companies, governments and defense organizations.”
LinkedIn can be a powerful tool for finding a new job or building a network of professional connections. It is also a powerful tool for hackers or scammers to get a foothold into your digital life and your personal information. LinkedIn users tend to be more open to accepting connections from strangers than users of other social networks, like Facebook, because LinkedIn is perceived as less personal.
But connecting on LinkedIn can create its own perils. It’s easy to craft an alleged dream job for a would-be hacking target, for example, and trick him or her into opening an attachment.
Job seekers tend to be vulnerable, for obvious reasons. A recent survey showed that online job scams continue to succeed at high rates. About 17 percent of job seekers have reported being a victim of a job scam at least once, if not multiple times, according to the survey by FlexJobs. Victims were tricked by would-be ID thieves into surrendering personal information for a job that didn’t exist, doing work for which they were never paid, or conducting illegal activity such as shipping stolen goods overseas.
Meanwhile, oversharing on LinkedIn has produced some unexpected frustrations for users. Last year, four members sued the site over its “Reference Search” feature, which some human resources departments used when considering job applicants. Available for an extra fee, Reference Search used LinkedIn data to generate a list of job candidates’ associates and make it easy to reach out to their former colleagues. The lawsuit claimed the list constituted a credit report, and because applicants were not notified, “Reference Search” was a violation of the Fair Credit Reporting Act. The suit was dismissed, but LinkedIn discontinued Reference Search this summer anyway.
The incident highlighted the complex issue of who owns data shared with social networks, and an even more confusing issue: Who owns data that is inferred from information that’s volunteered by users, such as who may or may not be a former work colleague.
LinkedIn also settled a lawsuit recently targeting its “add connections” feature, which invites users to let LinkedIn reach into their contacts list and automatically email invitations to connect. Users claimed they didn’t consent to follow-up emails, and the service will pay up to $13 million to settle spam allegations.
But the biggest risk of using LinkedIn revolves around its use as a hacker research tool. LinkedIn might be the best social engineering database ever invented. It is now trivial to build a database of workers at a company and craft tempting spear-phishing emails, for example.
The critical advice is this: It’s tempting to accept every LinkedIn connection that arrives. You shouldn’t. Screen your connections the way you screen Facebook friend requests. Take a moment to make sure you actually know the person, or at least have someone in common. Then take another moment to make sure the person is legit. Then take one more moment to recall the story of Threat Group 2889 and take a few extra clicks to make sure he or she is really legit.
What’s your experience with LinkedIn and other social media “friends”? Share with us in the comments section below or on our Facebook page.