Professional social networking site LinkedIn has proven to be a valuable business tool, bringing together professionals from all over the world.
But few corporations grasp the security risk that injudicious use of LinkedIn represents. The main problem is not with the LinkedIn website’s own digital security but with a widespread corporate ignorance of the way organised criminal gangs (OCGs), who make billions, sometimes tens of billions, of dollars from cyber crime, actually operate.
The hackers are now using well-known brand names such as Standard Chartered Bank on LinkedIn to entice senior executives into divulging information that they can use. It’s all very plausible unless you know what to look for.
Using a process called ‘social engineering’, OCGs assemble as much information via the Internet as they can on a target subject within an organisation that has been identified as likely prey. LinkedIn is proving a rich vein for OCGs. Executives have become too cavalier about posting details of their movements and personal information on LinkedIn. KCS’ own experience shows that 90 per cent of passwords take the form of the name of a sports team, a pet or other personal details. But even if the target has been careful to use a more complex password, his or her organisation’s most sensitive data might still be at risk. For example, details of business trip dates combined with personal details such as a recent illness or family names can be all an OCG needs to socially engineer a ‘Friday Afternoon’ attack.
Typically, this would take the form of an email, phone call or possibly a combination of the two in order to convince someone at the company that an important executive is making an urgent request. Sometimes, this is a straightforward scam where the end goal is a money transfer to a third party account.
But a quick financial hit is by no means the worst occurrence. Sometimes, the request may not be for cash but for passwords or access to sensitive data. This data may then be ransomed back to the company for a huge non-negotiable fee, sold to competitors or simply put up for sale on the Dark Web. In this scenario, the company may remain blissfully unaware it has been hacked for months or even years.
A recent example is a cyber attack hitting US health insurer Excellus BlueCross BlueShield that exposed personal, financial and medical information of over 10 million people. Recent evidence now shows the initial hack of the Excellus-Lifetime systems occurred in December 2013 but went undiscovered by the companies’ IT staff for some time.
The security industry on this side of the Atlantic is now asking how long it will be before we see the same effective attacks hitting the healthcare industry and the Local Councils here. Neither is adequately prepared or able to cope at this time.
So far, in the UK this combination of psychological and technological techniques to access personal information is mainly being used to target law firms. The reason is thought to be that many law firms are hierarchical and if a senior partner emails the finance department to ask for a money transfer it generally has to be done swiftly and without question.
But this does not mean that organisations working in sectors other than law or healthcare have any room for complacency. OCGs have a tendency to target what they see as “low-hanging fruit” first, before adapting their new offensive strategies to those organisations which have sensitive data and security systems that can be breached fairly easily. There is, therefore, little doubt that companies working in other sectors are probably already being targeted by OCGs.
As with the “Friday Afternoon” attacks taking place on banks and legal firms, social engineering will play a crucial part in future cyber attacks on a wide spectrum of industries and businesses.
Aside from discreet social engineering, LinkedIn also offers other opportunities for the OCGs. KCS’ own research shows that “false flag” profiles can be used to great effect. These are essentially fake identities built around the fictional profile of an attractive member of either sex. These are designed to tempt the target to connect with the fake profile. Once this is done, the OCG then not only has access to all the target’s business contacts but also to their other social networking profiles such as Facebook. Additional personal information gleaned from Facebook can be used to gain more personal information on the subject.
KCS conducted a simple test of how effective this strategy is by subjecting half the attendees at a cyber security conference within the legal sector to a “false flag” profile of an attractive young woman. Over 50 per cent of those targeted responded by connecting with the fictional lady, with two men actually inviting “her” on a dinner date.
Had the “false flag” been posted on LinkedIn by an OCG then anyone foolish enough to arrange a dinner date might find themselves blackmailed into revealing company passwords etc. Or they might not notice that during the course of the evening their new companion had taken their phone for a few minutes and hacked into it using a $50 device available on the Internet known as a “Rubber Ducky”, thereby compromising the unfortunate executive’s entire corporate IT network.