Business social network LinkedIn has filed a `John Doe' lawsuit against an unknown group of advanced hackers who are setting up clone accounts designed to harvest credentials from legitimate users of the service.
The clone accounts mirror legitimate users and attempt to 'connect' to the contacts of those users, in order to extract large volumes of behavioural information and business-relevant data.
As with fake Twitter accounts, which are designed to be sold to users of the microblogging service, the clone LinkedIn accounts and their profiles appear to be set-up using automated software.
“The Doe Defendents used Amazon EC2 to create virtual machines to run automated bots to scrape data from LinkedIn's website,” reads the complaint. “As a result of Doe Defendents' use of Amazon EC2, LinkedIn expects to be able to identify the Doe Defendants by serving third-party discovery on AWS.”
According to LinkedIn, which has more than 250 million users worldwide, the clone-and-probe accounts started being created by the thousand last spring and were then observed harvesting large volumes of data down from the service's servers.
SCMagazineUK.com notes that the Northern Californian court filing of Monday is the first real admission by LinkedIn that it uses monitoring technology to look for signs of unusual online.
Monitoring technology avoided
What is intriguing about the clone-and-probe account hackers is that, as well as using automated software to create and harvest information from the LinkedIn servers, they also appear to have been aware of the monitoring technology and reportedly only harvested information to levels just below the thresholds that would have triggered an investigation.
According to the court filing "since May 2013, unknown persons and/or entities employing various automated software programs - often referred to as bots - have registered thousands of fake LinkedIn member accounts and extracted and copied data from many member profile pages."
"This practice - known as data scraping - is explicitly barred in LinkedIn's user agreement," adds the filing.
The filing mirrors similar actions by Facebook in recent years to stop third-party companies from harvesting data from its systems, although a number of open-source applications have been developed to make the actual process relatively easy.
The most intriguing aspect of the lawsuit is that - as with Facebook's previous actions in this domain - the case does not seek to directly unmask the hackers. The lawsuit does, however, allow investigators to research third-party computer systems that have themselves been hacked and co-opted into the scheme to automatically create clone-and-probe LinkedIn accounts, as well as warn off potential future attacks on its servers using a similar automated approach.
Although declining press comment on the case, LinkedIn says that the clone-and-probe fake account scheme violates the US Computer Fraud and Abuse Act, the California Comprehensive Computer Access and Fraud Act and the Digital Millennium Copyright Act.
Digital forensics specialist Professor Peter Sommer, who is also a Visiting Professor at Leicester's de Montfort University, said that could prove an interesting but also challenging case.
"In the first instance LinkedIn will have to demonstrate a solid link between the fake profiles and the real people behind them - not that trivial in these days of dynamic IP addresses and the ease with which innocent folk's poorly secured PCs can be taken over so that an exploit appears to come from them rather than the scammer," he told SCMagazineUK.com.
"Secondly, LinkedIn will have to show what the scammers actually did - and the best evidence is likely to be on the scammers' own equipment. LinkedIn will have to arrange to seize this, another non-trivial exercise," he added.
Professor Sommer went on to say that matters would be easier if they are able to get the authorities to run and a criminal investigation, rather than keeping it as a purely civil matter.
"In any event, as one of millions who has a LinkedIn profile, I will be watching with unusual interest."
Mike Small, an ISACA Security Advisory Group member and analyst with Kuppinger Cole, said that the hackers likely used cloud computing facilities to launch the attacks, and said that such services are cheap to set up, easy to use and potentially very powerful.
"Usually they only need a credit card to get access. They are likely to be as attractive to hackers and cyber criminals as they are to legitimate users," he said, adding that cloud services have extensive controls in place to prevent their use for illegitimate or illegal purposes.
The cloud service contracts normally specifically forbid this activity, he noted, adding that cybercriminals would need to find a way to cloak their identity when using a public cloud service in this way.
“This incident illustrates the difficulties faced in a world where the law and law enforcement is geographically organised but criminal activities using the Internet cut across these boundaries."