Hackers reveal how members can be tricked into giving up sensitive information.
If you use LinkedIn, you have probably disclosed where you work, what you do and whom you work with. That is a gold mine for hackers, who are increasingly sophisticated at using this kind of public, yet personal, information as the entry point for attacks.
This is called “spear phishing”, and last year it paid off in two particularly large security breaches: an attack that trapped the Gmail accounts of several senior U.S. government officials, and a separate attack on RSA’s SecurID authentication tokens, which are used by millions.
In both cases, the attackers successfully tricked their targets into opening attachments that appeared to come from trusted sources or colleagues.
Investigators have not revealed how the attackers gathered information on their victims, but at last month’s RSA Security Conference the risks of social networking sites, and LinkedIn (LNKD) in particular, were a hot topic. Dozens of presenters said the business networking site could be a powerful tool in a hacker’s toolbox.
“Entrepreneurs use LinkedIn for research, and headhunters and salespeople use it to recruit. Why wouldn’t Chinese intelligence agents use it to bait targets as well?” said security analyst Ira Winkler, author of “Spies Among Us.”
Most of the discussion of LinkedIn’s risks is theoretical: investigators say it is almost impossible to trace the original source of the personal data used in successful “social engineering” attacks. But in an arresting case study, self-described “hacker for hire” Ryan O’Horo demonstrated how he used LinkedIn to get inside a client’s corporate network.
O’Horo is a managing security consultant at IOActive, a professional services firm that performs vulnerability testing. His client, a “high-profile company with tens of thousands of employees,” had top-notch technical safeguards.
“We needed to go to the next level,” O’Horo said of his efforts against its network.
O’Horo created a fake LinkedIn account, posing as an employee of the company. He stocked the profile with realistic details, a job history and a plausible set of skills, plus some credibility-establishing flourishes such as membership in a local hockey league. From his fictional account, O’Horo sent 300 connection requests to current employees of the company. Sixty-six were accepted.
O’Horo then requested access to a private LinkedIn discussion group that company employees had created. The group’s moderators granted his request without ever checking a company directory to confirm his identity.
“Now I had an audience of 1,000 company employees,” O’Horo said. “I posted a link on the group’s wall that was supposedly a beta-test registration page for a new project. In two days I had 87 hits, 40% of them from inside the company’s network.”
O’Horo was caught three days into his LinkedIn attack: an employee realized he was not who he claimed to be and blew the whistle. But he had already made his point.
“They were definitely surprised that the group existed,” O’Horo said of his client’s response to his report. “It was not a formal company group; there was no monitoring or policy covering this aspect of their social presence. The people in charge of information security did not know it was there.”
Hackers do not need anything as elaborate as private discussion groups to take advantage of LinkedIn, though. Users openly post a lot of valuable data on the site.
Some disclose specific technical information about their employer’s infrastructure in their profiles, while others provide details that could be used for stealthier attacks. For example, if you can learn the names of a target’s colleagues, it is fairly easy to fake an email that appears to come from one of them.
LinkedIn says it urges users to think about the information they choose to reveal. “We recommend that members connect only with people they know and trust,” said company spokesman Richard George. “All Internet users should of course be aware that there are bad actors who, unfortunately, use things like phishing attacks, and people should use common sense and the tools available to them to make sure they do not fall prey.”
LinkedIn’s vulnerability, however, is inextricably linked to its growth. The site has 150 million users, nearly twice as many as it had a year ago. As the database grows, so does its value, both to its members and to those wishing to exploit them.