I have a confession to make. I created a fake profile on LinkedIn and we are probably connected. Curious after receiving several obvious and some not so obvious fake profiles, I did a bit of experimenting creating my own.
Creating the Back Story
Creating a believable backstory, complete with education, degree, work history, groups, certifications is the first step. I found that being a female had a higher response rate than male. I started by listing several real companies as previous employers, then followed their employees, many followed me back, some even asking me how I was doing since I left their company.
When creating my profiles I realized that one of the first things some will do to test if a profile is fake is to check the image through a reverse Google image search to see if it matches stock photos, or is tied to another name. However an easy work around is to flip the image, try it, it won’t match. If my targets can’t find the image I used it helped to develop false confidence that the account is real.
Then I started following others they were connected to. I started getting invitations to social events and even a few job offers, over time the profile had its own life, with people inviting me to connect with them.
Trust Me I’m A Recruiter
Listing my position as a technical recruiter made it easy to get people to give information about themselves and their work. The prospect of a new position, or a future position with higher pay provides a good channel to establish a level of trust, as they want something from you, making it easier to request something from them.
I did not request information or directly communicate with anyone, I simply connected. However the amount of information people would give a fake account, even without direct request for it was surprising. I could easily identify security professionals in Fortune 500 companies who were not happy with their jobs. I also received many invitations from many to meet face-to-face to discuss career opportunities and network.
Who Do You Trust?
LinkedIn is a great tool for business, however it can also be abused, something to consider when blindly accepting connections is what information does this open up about you? Could being connected to this person somehow serve as an endorsement to their validity to your other connections?
If used en masse to target a specific company, LinkedIn can easily be a data mining tool to for attackers to recruit insiders who could give up information unknowingly to a competitor, or even fully enlist them to their nefarious cause.
Think you can guess who I am?
Upcoming Webinar: Insider Threat Kill Chain: Detecting Human Indicators of Compromise
- Learn how human resources, legal and IT can work together to help prevent insider threats before they become a problem
- Learn to identify risk indicators with employee attitudes and behavior and how it correlates to their patterns of activity on your network.
- Discover how you can use log intelligence and security analytics to automate actions and alerts and rapid reporting and forensics.
- Date: May 08, 2014
- Time: 11:00 AM Pacific/2:00 PM Eastern
- Duration: One Hour
- Your Biggest Threats are Coming from Inside
- A Forensics Tale: Confronting the Insider Threat
- Insider Threats are a Big Problem – And That Shouldn’t Surprise You
- Tales From the Crypto: Case of the Malicious IT Contractor
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].