23 November 2017
Robert Siciliano

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com


How Hackers use LinkedIn to Scam

13 May 2015  |  7107 views  |  1

Hackers love LinkedIn because it links them in—straight through the portal of the targeted company. Geez, how much easier could this be, what with all the publicly-exposed e-mail addresses of key players (and also worker bees) in big companies that someone wants to hack.


An article on blog.sungardas.com was written by a white-hatter (his job is to try to hack his clients’ systems so that they know how to make them more impenetrable to the bad guys). The author says he’d make a beeline to LinkedIn if he became a black-hatter.

In addition to all of those revealed e-mail addresses, the hacker could also learn (without hacking, of course) what a business’s e-mail structure is. He can then compile a list of employees for his social engineering attacks. (Can you just see him watering at the mouth over this—like putting a sizzling steak in front of a dog.)

A phishing campaign could trick the targets into giving up crucial information—essentially handing the company key to the hacker. The crook, however, knows better than to pull this stunt on IT employees. But fertile territory includes employees in the marketing, accounting and customer service departments.

Maybe you’ve read that every professional these days absolutely should have a LinkedIn account. You can bet that every hacker agrees!

Companies need to come up with a way to prevent hackers from sneaking into their network via that bastion of essentiality known as LinkedIn.

The penetration tester, in his article, recommends that businesses do the following:

Social engineering training. Workers must be aggressively trained in how to sniff out a phishy-smelling e-mail. No corners should be cut with this training program, which should include ongoing staged attacks.

A statement clarifying communication about security information. To help prevent employees from giving out sensitive information to the wrong people, the company must figure out how communication will be conducted, then get it down on paper. For example, “E-mails from our company will never ask you to reveal your username and password.”

Definitive reporting process for suspicious activity. Employees need to have, on paper again, specific instructions in how to report suspicious activity, such as a questionable e-mail. These instructions should be simple and to the point.


Comments: (1)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 15 May, 2015, 20:13

Sorry but as far as I've experienced it, LinkedIn does not display business email addresses by default. Even people who have opted to have their email displayed generally use their personal email address. Therefore, I'm not sure how one can find out a person's business email address from their LinkedIn profile.

Furthermore, well before LI came into existence, people have been hacking company email structures (e.g. firstname.lastname@companyname.com) from CONTACT US / MEDIA RELATIONS / INVESTOR RELATIONS pages of companies' own websites. Even a search on Google - or Lycos / Alta Vista before Google was founded in ~1998 - often does the trick, as I've illustrated for a certain Top 5 UK bank here. So, why single out LinkedIn?

