A number of fake LinkedIn accounts have been used to target security researchers, F-Secure’s Sean Sullivan wrote this week.
The accounts all claimed to be recruiters for security jobs and all purported to work at the same fictitious company; they sent connection requests to many security researchers. About two weeks after they were created, the accounts disappeared from the site.
I read this story with interest, as I myself had ‘fallen’ for one of these accounts. I put the inverted commas there deliberately, as I would fall for the scam again next time.
The bar for me accepting a LinkedIn connection request is very low: if I think I know you, or if it looks like you work in the same industry, I accept your request. I treat LinkedIn the same as I treat Twitter, Facebook or my blog: I assume everything I write there to be public, even if some of it may be only visible to a select group of people.
LinkedIn doesn’t provide me with a way to authenticate those that ask to be connected, so restricting connections to those I know would provide me with a rather worrying false sense of security.
In some cases, I may have a second channel to verify the authenticity of the request, but that is often cumbersome and doesn’t always work. And even if I could be sure my contacts were who they claimed to be, I still would be unlikely to use a third-party system like LinkedIn to share sensitive information.
Other people have pointed out that this was probably an experiment by security researchers, who may present their results on the social engineering of security researchers at some conference.
They wouldn’t be the first ones to do so: Sabina Datcu presented a similar kind of research at three successive Virus Bulletin conferences from 2011 to 2013, though she did go a step further and engaged in conversations with the targets and managed to get hold of some information that seemed at least mildly sensitive. I have seen no evidence that this happened here.
No one is immune to social engineering attacks and it would be a big mistake to assume you are. For me personally, I hope that years of working in security have put the bar high enough to make such attacks not worth the effort.
I can never be sure though. After all, because I work in security, my threat model includes other security researchers who can afford to spend quite a bit of time, just to get an exciting conference presentation.