Fake LinkedIn profiles engaged in global espionage targeting

Example of a fake LinkedIn profile

Via Symantec

The BBC reports that hackers are using fake LinkedIn profiles to befriend professionals and use their information in future attacks.

Source: Fake LinkedIn profiles used by hackers – BBC News

The BBC article draws on a Symantec threat report, “Fake LinkedIn accounts want to add you to their professional network.” That report comes on the heels of a piece Prevendra’s CEO, Christopher Burgess, wrote on this very topic in August 2015. At that time he wrote that for years the counterintelligence efforts of the Federal Bureau of Investigation (FBI), the Defense Security Service (DSS) and other U.S. Government entities have included “stranger danger” type briefings covering travel, conferences and elicitation over telephone calls. Every individual with a government security clearance has received annual counterintelligence training, with emphasis on reporting contact with foreign nationals. Most of these briefings and instructions focus on in-person solicitation or email queries.

Now, given the ubiquitous nature of social networks, it should come as no surprise that foreign intelligence services hostile to the interests of the U.S. have added another set of arrows to their operational quiver in pursuit of their goal: collecting U.S. secrets (and those of U.S. allies).

Governments warn us of fake LinkedIn Profiles

In fact, the United Kingdom’s MI5 (internal security service) sent a memo to government departments with a warning that, according to the UK’s Daily Mail, reads: “Foreign spies on LinkedIn trying to recruit civil servants by ‘Befriending’ them before stealing British secrets.” The Daily Mail notes that the memo (not provided) warns government workers that Russia and China are both utilizing the LinkedIn social network to target government employees, are creating fake profiles within the site, and are trying to “find-connect-cultivate” government employees. Those of us who do not suffer event amnesia will remember the well-orchestrated “Robin Sage” sting of 2010, in which a complete persona was created by Thomas Ryan of Provide Security and, over the course of several months, engaged, befriended and elicited information from cleared government employees. The results of the sting were shared at the 2010 Black Hat conference in a talk, “Getting in bed with Robin Sage.”

The DSS and FBI have also issued their own counterintelligence brochures dealing with the broader cyber threat. The rather robust FBI brochure on elicitation is especially apropos when it comes to social networks, as the techniques used in face-to-face personal engagement apply equally to social network engagement. Elicitation is an art form, and when exercised by an intelligence professional, it is difficult not to engage. The FBI suggests:

Deflecting Elicitation Attempts

Know what information should not be shared, and be suspicious of people who seek such information. Do not tell people any information they are not authorized to know, to include personal information about you, your family, or your colleagues.

You can politely discourage conversation topics and deflect possible elicitations by:

  • Referring them to public sources (websites, press releases)
  • Ignoring any question or statement you think is improper and changing the topic
  • Deflecting a question with one of your own
  • Responding with “Why do you ask?”
  • Giving a nondescript answer
  • Stating that you do not know
  • Stating that you would have to clear such discussions with your security office
  • Stating that you cannot discuss the matter

The DSS notes in its cyber threats brochure the myriad reasons and methods used to target cleared personnel. The DSS suggests:

Why Do They Target

  • Company unclassified networks (internal and extranets), partner and community portals, and commonly accessed websites
  • Proprietary information (business strategy, financial, human resource, email, and product data)
  • Export controlled technology
  • Administrative and user credentials (usernames, passwords, tokens, etc.)
  • Foreign intelligence entities seek the aggregate of unclassified or proprietary documents that could paint a classified picture

Why should I care?

OPM breach + Health Care breach + IRS breach + Ashley Madison breach = Targeting bonanza 

While we have in the past admonished readers to be judicious about what they post, since it can be culled, the OPM data breach means many who hold security clearances have had their information compromised. Knowing that the contents of their SF-86 are probably in the hands of hostile intelligence services can be disquieting. Couple this with the recent compromise of various medical provider data sets and the salacious Ashley Madison breach, and it becomes clear there is no shortage of our information available to the targeteers of foreign intelligence services. You do NOT get to decide whether you will be targeted; you do, however, have control over how you react to an approach.

Your responsibilities include understanding how individuals may use the various pieces of data, public and private (compromised data sets), to approach you. Fictional LinkedIn profiles can be used to appeal to your professional interests. Facebook and Google+ groups and communities can be stepping stones to personal virtual relationships. As President Reagan is often quoted, “Trust, but verify.”

How can I spot a fake LinkedIn profile?

Back to the Symantec report: it advises that there are a couple of easy ways to identify a “fake profile” (we don’t know why LinkedIn doesn’t self-police, but you can flag and report a LinkedIn profile as bogus and LinkedIn will take action).


Symantec says most of these fake accounts follow a specific pattern:

  1. They bill themselves as recruiters for fake firms or are supposedly self-employed
  2. They primarily use photos of women pulled from stock image sites or of real professionals
  3. They copy text from profiles of real professionals and paste it into their own
  4. They keyword-stuff their profile for visibility in search results

There are a few ways users can identify these types of accounts:

  1. Do a reverse-image search (e.g., tineye.com offers a browser plugin)
  2. Copy and paste profile information into a search engine to locate real profiles

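As an added illustration (not code from Symantec, LinkedIn or the original post), the script below scores constructed profile records against the pattern above and goes a step beyond the manual copy-and-paste check: it compares a summary's 5-word shingles against summaries of known real profiles to detect copied text, measures repeated-keyword density as a stuffing signal, and flags self-described recruiters for manual verification of the firm. Every profile is made up, and the thresholds are assumptions chosen for illustration.

```python
# Heuristic triage against the Symantec fake-profile pattern. Added example, not
# Symantec's or LinkedIn's code; every profile below is constructed, not a real person.
import re
from collections import namedtuple
Profile = namedtuple("Profile", "headline summary")

# One known-real profile (the reference corpus) and two candidates to triage.
KNOWN_REAL = [Profile("Senior Systems Engineer",
    "Fifteen years building secure satellite ground segments for government "
    "customers. Focus on cross domain solutions and accreditation.")]
CANDIDATES = [
    Profile("Recruiter",  # copies the real summary, then stuffs keywords
        "Fifteen years building secure satellite ground segments for government "
        "customers. Focus on cross domain solutions and accreditation. cleared "
        "recruiter TS/SCI polygraph cleared jobs cleared recruiter TS/SCI cleared "
        "jobs polygraph recruiter"),
    Profile("Software Developer",  # ordinary profile, should raise no flags
        "I write data pipelines in Python and Go and care about test coverage. "
        "Outside work I coach youth soccer."),
]

def tokens(text):
    return re.findall(r"[a-z0-9/]+", text.lower())

def shingles(text, k=5):
    """Set of k-word windows; windows shared with another profile suggest copied text."""
    words = tokens(text)
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def copied_fraction(summary, corpus):
    """Share of the summary's shingles that also occur in a known real summary."""
    own = shingles(summary)
    seen = set().union(*(shingles(p.summary) for p in corpus))
    return len(own & seen) / len(own) if own else 0.0

def keyword_stuffing(summary):
    """Fraction of content words (4+ chars) that repeat an earlier word."""
    words = [w for w in tokens(summary) if len(w) > 3]
    return 1 - len(set(words)) / len(words) if words else 0.0

def score(profile, corpus=KNOWN_REAL, copy_limit=0.3, stuff_limit=0.2):
    """Return the pattern signals a profile trips; the thresholds are assumed."""
    flags = []
    if copied_fraction(profile.summary, corpus) > copy_limit:
        flags.append("summary text copied from a known profile")
    if keyword_stuffing(profile.summary) > stuff_limit:
        flags.append("keyword stuffing")
    if "recruit" in profile.headline.lower():
        flags.append("self-described recruiter: verify the firm exists")
    return flags
```

A reverse-image search on the profile photo, as the report recommends, remains a manual step; this script only covers the text-based signals.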


Portions of the above article were originally written by Christopher Burgess and published within DICE’s ClearanceJobs: 

Beware Where You Share: British Intelligence Cautions Employees Against LinkedIn