If I wanted to hack into a particular corporate network, I would begin by visiting LinkedIn. LinkedIn is like a menu for hackers. I simply type in the name of the company whose network I want to break into, and I get a list of people who work for it. In other words, I now have a list of endpoints, each one a possible doorway into the network.
Let me give you an example. Suppose I want to get into the IBM network. (I chose this completely at random.) First, I would find a list of IBM employees on LinkedIn. Next, I’d have to vet this group. I don’t want to attack someone in security. I want someone who is less likely to be knowledgeable about cybersecurity. Sure, I may be wrong, but I have to play the percentages here. Using these parameters, I found an IBM marketer (whom I will not name here). Her profile gave me a lot of information about her, including the places she used to work and the people who worked with her and endorsed her.
Through a Google search, I learned that IBM has an online employee information finder and, from her LinkedIn information, I knew enough about her to use it.
Since LinkedIn had told me the geographical location where she worked, I typed in the information and received an email address and a phone number.
A reverse phone number search confirmed that this was a personal phone. That matters because many social media sites use a phone number for password resets or SMS-based two-factor authentication (2FA): anyone who can receive or intercept the texts sent to that number (for example through a SIM swap) can take the account over. However, that was not what I wanted to do. (See this post to see how this is done.)
My priority was to find as many contacts as I could. Of course, I could use the people who worked with her and endorsed her on LinkedIn, but Google also helped me find her Twitter account and her list of followers. I also found her address, interests, and her political affiliations and donations. I found her Instagram account and her blogs. In short, I now had enough information to design a convincing spearphishing email. I could make it look like it came from one of her friends or co-workers. Since Instagram and Twitter showed me where she was and what she had recently been doing, I could refer to this in the email to make it seem even more genuine. I could then include a link to some ‘photos’, or attach ‘photos’ or documents. Either one would be the vehicle for getting malware onto her computer and, hopefully, getting me into the IBM network.
My biggest problem would be getting my email past IBM’s mail filtering and into her IBM mailbox. This would not be a problem if I could install malware directly on her phone, since it is apparently connected to the IBM network. There are numerous ways to get malware onto a phone once you know its number, too many to outline here. Those interested can check out this article.
The LinkedIn Job Scam
If you’ve ever been down and out and looking for a job, you’ll grasp at any straw that comes along. If someone gives you a job offer that looks even close to legitimate, you’ll do whatever it takes to get it. Well, if I were a hacker, I could take advantage of this state of mind. Imagine if I could get a list of people who want jobs. Imagine what I could make them do to get a job. I could ask for personal details. I could lead them to websites to fill out forms. I could collect all kinds of personal information, because these are desperate people and desperate people will readily set aside security concerns for subsistence.
But does LinkedIn have a database of people who are actively seeking employment? Yes, but it’s not easy to find. First of all, the job seeker has to make it clear that they are actively seeking work. To do this, they go to the main ‘Jobs’ page. Near the top of the page is an option to “Update career interests”. This leads to the “Career interests” page, where the relevant control is a slider.
When you slide the button to ‘On’, recruiters will see that you are open to receiving job offers. LinkedIn arranges it so that your current employer and those connected to it do not see that you are openly seeking new employment.
The catch is that, for recruiters to see people openly seeking employment, they have to use the paid service called LinkedIn Recruiter. However, the cost is not prohibitive (and it is occasionally offered as a free trial), and nothing would stop a dedicated hacker, especially one with the backing of a nation-state, from setting up a fake recruiter account and paying the small fee to obtain a list of good targets. Others have claimed that hackers use other job-seeking websites to find names and then cross-reference them on LinkedIn as preliminary preparation for a LinkedIn-based attack.
The latest job scam uses fake recruiter profiles that look exactly like the profiles of real recruiters. They look exactly like real profiles because they are copies of real recruiters’ profiles. In other words, checking the profile of the person who sends you a job offer won’t help on its own. They will even use corporate logos and other details to make their profiles look legitimate. Either way, the fake recruiter will tell you to send a resume or to visit a site where you fill in a form. The form will ask for a lot of personal information, which may even include your Social Security number. Some will ask you to send a training or application fee. (To learn more about fake recruiter profiles, read my post, How Many of Your LinkedIn Contacts are Fake and What Do They Want From You?)
So if fake recruiters are so difficult to spot, what can you do? The Better Business Bureau suggests you ask for a phone interview or, at least, a chance to talk with them by phone. Most fake recruiters will avoid all phone contact and make repeated excuses as to why this cannot happen. Phoning them puts you in control, and they may not be able to answer the more technical questions you ask. If you have connections in common (and this is likely), check with those connections to see what they know about the recruiter. Don’t pay any money up front, even if the job seems legitimate. This includes any promise that you will be reimbursed later.
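Two of the warning signs above can be checked mechanically: a cloned profile reuses the real recruiter’s “about” text almost word for word under a different account, and the scam message itself tends to ask for a fee or an ID number, push an off-platform form, and dodge a phone call. The following is an added example, not code from the original article or from LinkedIn, showing both checks: near-duplicate detection over profile text using word-shingle Jaccard similarity, and a small rule set over the message body. The profiles, the messages and the domains in them are constructed for the demonstration, and the rules are heuristics that a scammer can word around, so treat a hit as a reason to verify, not as proof.

```python
"""Recruiter-profile cloning and job-offer red-flag checks (added example, constructed data)."""
import re
from itertools import combinations


def shingles(text: str, k: int = 3) -> set:
    """Word k-grams of the normalised text; near-identical texts share most of them."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 0))}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def clone_candidates(profiles: dict, threshold: float = 0.8) -> list:
    """Pairs of profile ids whose 'about' text is near-identical, with the score.
    A copied profile keeps the victim's text and only changes name or contact details."""
    sh = {pid: shingles(p["about"]) for pid, p in profiles.items()}
    pairs = []
    for x, y in combinations(sorted(profiles), 2):
        score = jaccard(sh[x], sh[y])
        if score >= threshold:
            pairs.append((x, y, round(score, 2)))
    return pairs


# Each rule is (label, pattern). Patterns are deliberately simple heuristics.
RED_FLAGS = [
    ("requests an up-front fee",
     re.compile(r"\b(training|application|processing|background[- ]check) fee\b|\bpay (a|the) fee\b|\breimburse", re.I)),
    ("asks for SSN or ID number before any interview",
     re.compile(r"\b(social security|ssn|national id|passport number)\b", re.I)),
    ("pushes a form hosted off the platform",
     re.compile(r"https?://(?!(?:www\.)?linkedin\.com/)\S+", re.I)),
    ("avoids a phone call",
     re.compile(r"\b(no|not|can'?t|cannot|unable to) [\w ]{0,20}?(call|phone)\b|\b(chat|message|e-?mail) only\b", re.I)),
]


def offer_red_flags(message: str) -> list:
    """Labels of every rule that matches the message text."""
    return [label for label, rx in RED_FLAGS if rx.search(message)]


# Constructed profiles: a real recruiter, a clone of her text, and an unrelated user.
PROFILES = {
    "real-recruiter": {"name": "Priya Natarajan", "about":
        "Senior technical recruiter at Acme Robotics. I partner with engineering leaders "
        "to hire backend, platform and security engineers across EMEA. Ten years in talent acquisition."},
    "clone": {"name": "Priya N.", "about":
        "Senior technical recruiter at Acme Robotics. I partner with engineering leaders "
        "to hire backend, platform and security engineers across EMEA. Ten years in talent acquisition. "
        "DM me for openings!"},
    "unrelated": {"name": "Tom Okafor", "about":
        "Data analyst at a logistics company. Interested in forecasting and warehouse optimisation."},
}

# Constructed messages: one scam approach, one ordinary recruiter approach.
SCAM = ("Congratulations! You are shortlisted. To proceed, complete the form at "
        "http://careers-portal.test/apply with your social security number and pay the $150 "
        "training fee (reimbursed on your first paycheck). We are unable to schedule a call this week.")
LEGIT_MSG = ("Hi, I recruit for Acme. Your profile fits a backend role; are you free for a "
             "20-minute call on Thursday? The posting is at https://www.linkedin.com/jobs/")

if __name__ == "__main__":
    print(clone_candidates(PROFILES))   # [('clone', 'real-recruiter', 0.85)]
    print(offer_red_flags(SCAM))        # four labels
    print(offer_red_flags(LEGIT_MSG))   # []
```

The clone check is the part a platform can run at scale; an individual can approximate it by pasting a recruiter’s “about” text into a search engine in quotes and seeing whether it appears under another name.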
Don’t discount the motive of revenge lurking behind such offers. One victim reported that he quit his well-paid job because he was offered a better job through LinkedIn. He later found out that a former colleague was behind the scam. That said, most scammers are simply after your personal information, which they can monetize directly or use to infiltrate a corporate network as I outlined at the beginning of this article.
Common sense often fails when that perfect job offer comes along. However, if your instincts tell you something just doesn’t sound right, be skeptical. Check out the company. Check any links. Run the person’s profile picture through a reverse image search on Google to see whether it is used elsewhere under another name. And finally, don’t give up any personal information without a fight.