A LinkedIn profile with all the hallmarks of a scam underway has been identified as having been running for the past week under the name ‘Jessica Reinsch'. It leads to a dating site which, although not currently carrying any malicious code, is believed to have been set up to make targeted connections using social engineering techniques to gain intelligence on other LinkedIn users prior to a bigger attack.
You might say that gathering intelligence is what all legitimate LinkedIn users do, and while that's true, scammers often mimic legitimate use patterns. However this dating site, “…is definitely in the neighbourhood of the darker side of the web. It sits in the same IP range as sites known to host exploit kits such as blackhat SEO. We also see that IPs used to host the dating site are hosted within the same Autonomous System Number (ASN) as multiple Exploit Kit Command and Control URLs, including RedKit and Neutrino exploit kits. This site could be compromised at any time with an exploit, or malware downloading to any user of the site,” Carl Leonard, Senior Security Research Manager EMEA at Websense Security Labs, told SC Magazine.
Websense, which found the scam, reports that based on telemetry across what it has identified over many years as the seven-stage life-cycle of an attack, the current actions appear to be the reconnaissance phase, uncovering information that will enable the attacker to conduct more sophisticated attacks further down the line. “Business profiles are big currency to cybercriminals, (so) it's unsurprising that LinkedIn profiles are now being used to lure users to click on links that could lead to the darker places of the web. Without in-line real-time security in place to determine if this site is infected or not at the point-of-click, cybercriminals could be falling in love with the potential riches their targets provide,” comments Leonard.
Websense describes the attack method on its new blog.
The LinkedIn profile is actively engaging with legitimate LinkedIn members, and currently has just over 400 connections. Leonard told SC Magazine that it is not just targeting wealthy older men; it is specifically pinpointing directors, senior managers and project development staff – and their connections. The offending profile is a subscriber to LinkedIn's Premium Account service, giving it access to greater levels of information: not just location, industry and profile language, but also function, seniority level and company size. When Websense's blog was compiled last week (week ending 1 Nov), the summary of the profile read as a link to a dating website geographically located in Switzerland and hosted on IP 82<dot>220<dot>34<dot>47.
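The two signals Leonard cites above, a site sitting in the same IP range and the same Autonomous System as known exploit-kit infrastructure, are what a defender's indicator-enrichment step checks before deciding whether a link deserves a closer look. The Python below is an added example written for this article, not Websense's tooling or code from the original page. Its routing table, watched ASNs and watched ranges are constructed placeholders drawn from RFC 5737 and RFC 5398 documentation space; the only value taken from the article is the defanged IP 82<dot>220<dot>34<dot>47, which under these constructed tables matches nothing.

```python
import ipaddress
import re

# Constructed data only: RFC 5737 documentation prefixes and RFC 5398
# documentation ASNs stand in for real routing and reputation feeds.
ROUTES = {                      # prefix -> origin ASN (constructed "routing table")
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/24": 64498,
}
WATCHED_ASNS = {                # ASN -> why it is watched (constructed)
    64496: "constructed: ASN also announcing exploit-kit C2 prefixes",
}
WATCHED_RANGES = {              # prefix -> why it is watched (constructed)
    "198.51.100.0/25": "constructed: range hosting blackhat SEO sites",
}

# Matches the common defanging styles: <dot>, [dot], (dot) and [.]
_DEFANG = re.compile(r"[\[(<]\s*dot\s*[\])>]|\[\.\]", re.IGNORECASE)


def refang(ioc):
    """Turn a defanged indicator like '82<dot>220<dot>34<dot>47' back into '82.220.34.47'."""
    return _DEFANG.sub(".", ioc.strip())


def asn_for(addr):
    """Longest-prefix match of addr against ROUTES; None if no route covers it."""
    best = None
    for prefix, asn in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return None if best is None else best[1]


def neighbourhood_hits(ioc):
    """Return the reasons an address shares a watched range or a watched ASN.

    Raises ValueError if the refanged string is not a valid IP address, so a
    malformed indicator is surfaced rather than silently passing as clean.
    """
    addr = ipaddress.ip_address(refang(ioc))
    hits = [reason for prefix, reason in WATCHED_RANGES.items()
            if addr in ipaddress.ip_network(prefix)]
    asn = asn_for(addr)
    if asn in WATCHED_ASNS:
        hits.append(WATCHED_ASNS[asn])
    return hits


if __name__ == "__main__":
    # The first indicator is the article's; the other two are constructed.
    for ioc in ("82<dot>220<dot>34<dot>47", "192<dot>0<dot>2<dot>47", "198[.]51[.]100[.]5"):
        print(ioc, "->", neighbourhood_hits(ioc) or "no watched-neighbourhood overlap")
```

A hit here is a reason to route the link through inspection or block it pending review, not proof of compromise: the point of the check is exactly the one Leonard makes, that a currently clean site in bad company can turn hostile at any time, so the neighbourhood, not just the current content, should feed the decision.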
Any LinkedIn user can see the most recent five users who have viewed their profile, and this is how the attacker entices LinkedIn users to view the scam profile in return. LinkedIn currently has more than 259 million members, so the potential number of targets is vast. LinkedIn's own statistics report that 5.7 billion searches were conducted on the social network in 2012.
Information relating to current employer, job titles, connections within the social network and technology skills could be used by attackers to improve their chances of success in more targeted attacks outside of the LinkedIn network.
There are commercial solutions to identify such sites and guard against the downloading of malware, but with companies both allowing staff to engage in social networking from work machines and using social networking to promote their own organisations, banning social networking is not expected, and user awareness is key. Users are advised not to blindly accept invitations to connect from people they do not know, and to be wary of unfamiliar profiles, as they may not be what they seem.
Websense has reported its concerns to LinkedIn which says it has started an investigation into the scam profile.