An employee opens an attachment from someone who claims to be a colleague in a different department.
The attachment turns out to be malicious.
The company network? Breached.
If you follow the constant news about data breaches, you read this stuff all the time. But do you ever wonder how hackers get otherwise smart, professional people to fall for their tricks? How do they know who to email? What to say to get their victim to fall prey? Where do they get the information that gives them a foothold into an organization?
The answer is so simple, and just makes too much sense: LinkedIn.
Recon made easy
The first phase of any targeted hacking scheme is the reconnaissance phase – where the hacker gathers information about the company, its employees, their job titles, email addresses, etc. What better place to start than LinkedIn?
“LinkedIn is a treasure trove of easily accessible personal information and company IT data,” writes penetration tester Trevor Christiansen. “Unbeknownst to most of the employees who post their information on LinkedIn, any hacker looking to wreak havoc on a company’s highly sensitive, business-critical data could find his or her point of entry using this ubiquitous business networking forum.”
White hat hackers (the good guys) like Christiansen use LinkedIn to gather information too, albeit with a different end purpose in mind – to test and improve an organization’s security. F-Secure CEO Christian Fredrikson described two such exercises performed by F-Secure’s ethical hacking team in his recent keynote at CeBIT. In one exercise, the hackers targeted employees who mentioned mainframe-related info in their profiles. In the other, they targeted source code developers.
So, exactly how do hackers, good and bad, use LinkedIn to gain a foothold into a company they intend to hack?
Our own white hat hacker, Knud in F-Secure’s Cyber Security Services team, describes a common scenario.
“You just search for employees working at a target company via the standard LinkedIn interface,” he says. “Now, armed with a list of names, you can start Googling them until you find a company email address.” Now, he says, you have the email format used in the company. For example, firstname.lastname@example.org.
“Shoot off an email to a few random employees asking something stupid like ‘Bob, is that you? Long time no see,'” he continues. “With a bit of luck, someone will reply and you’ll have the corporate signature. With the corporate signature, plus names, positions and job descriptions people helpfully put on LinkedIn, you can start spoofing internal emails.”
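The name-to-address step Knud describes is mechanical enough to script, and the script below is an added example to show it; it is not code from the original post or from F-Secure. It assumes a hypothetical target domain (example.org), a constructed list of names as they would be harvested from LinkedIn profiles, one address turned up by web search, and a short list of common corporate local-part conventions. Given the known pair it works out which convention the company uses, then applies that convention to every harvested name, folding accents and hyphens the way mail systems usually do.

```python
import re
import unicodedata
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical people and domain, not from the original post):
# names as they would be copied from LinkedIn profiles, plus one address an attacker
# might turn up by web-searching those names.
LINKEDIN_NAMES = ["Bob Jones", "Anna-Lena Müller", "José García Pérez"]
KNOWN_ADDRESS = ("Alice Smith", "alice.smith@example.org")

# Common corporate local-part conventions, keyed by a short label (assumed list).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first.l":    lambda f, l: f"{f}.{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def normalize(token: str) -> str:
    """Fold a name token to the ASCII letters mail systems use: 'Müller' -> 'muller',
    'Anna-Lena' -> 'annalena'. Accents are stripped and anything non-alphabetic dropped."""
    ascii_only = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def split_name(full_name: str) -> Tuple[str, str]:
    """Return (first, last) from a profile display name. Middle names and second
    surnames are ignored, which is the usual corporate convention but not a universal one."""
    parts = [p for p in (normalize(t) for t in full_name.split()) if p]
    if len(parts) < 2:
        raise ValueError(f"need at least a first and last name: {full_name!r}")
    return parts[0], parts[-1]


def infer_formats(name: str, address: str) -> Tuple[List[str], str]:
    """Given one (name, address) pair, return every pattern label that reproduces the
    local part, plus the domain. Short names can match several conventions at once,
    so the caller gets a list rather than a single guess."""
    local, domain = address.lower().split("@", 1)
    first, last = split_name(name)
    matches = [label for label, build in PATTERNS.items() if build(first, last) == local]
    return matches, domain


def guess_addresses(names: List[str], fmt: str, domain: str) -> Dict[str, str]:
    """Apply one inferred convention to every harvested name."""
    build = PATTERNS[fmt]
    return {n: f"{build(*split_name(n))}@{domain}" for n in names}


if __name__ == "__main__":
    formats, domain = infer_formats(*KNOWN_ADDRESS)
    print("inferred format(s):", formats, "at", domain)
    for name, addr in guess_addresses(LINKEDIN_NAMES, formats[0], domain).items():
        print(f"{name:22} -> {addr}")
```

The ambiguity handling matters in practice: a seed address like bo@example.org matches more than one convention, and an attacker (or a defender enumerating their own exposure) needs a second known address before trusting the guess. A defender can run the same logic over the company directory to see how much of it is predictable from public names alone, which is the exposure the awareness training discussed later has to account for.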
Building rapport for social engineering
Knud points out that the more information people share in their profiles, the easier it is to build rapport.
“For example, someone lists their graphic design skills. So you send an email that reads, ‘Due to your experience with icon design and great layout skills, I wonder if you have time to take a quick look at something we are working on in <other department>; see attached (malicious) document and get back to me.’”
To gain even more information, a hacker can create a fake profile and then connect with the employee. This gives them greater access to contact details and the person’s network.
Combined with information gleaned from Facebook or other social networks, such as interests and hobbies, hackers can get a pretty full picture of the employee they intend to target, enabling them to sharpen their spear even more.
The best defense
So what’s an employee to do, scrub your profile of all but the most basic info? Decline to list your employer? Such suggestions would seem to defeat the purpose of LinkedIn, where profile information can hopefully lead to networking opportunities. Companies in turn appreciate the promotion they get via their employees on LinkedIn.
Luckily, F-Secure Security Advisor Sean Sullivan doesn’t believe self-censorship is the answer. “It’s not really the problem of the employee to limit what they write on LinkedIn,” he says. “A security-minded organization should have a policy that states that employees should be mindful.”
Indeed, the best weapon against these types of attacks is employee awareness. Your information may be available on LinkedIn, but if you are aware of the ways hackers exploit that info, you’ll be less likely to fall for their tricks. Employer-sponsored education on social engineering tactics would help employees learn to be suspicious of any communication that seems even the slightest bit off.
Hackers may love LinkedIn, but only as long as it gets them where they want to be. To head them off, awareness is key.
Image courtesy of Mambembe Arts & Crafts, flickr.com