How Hackers Use LinkedIn to Scam
Hackers love LinkedIn because it links them in—straight through the portal of the targeted company. Geez, how much easier could this be, what with all the publically-exposed e-mail addresses of key players (and also worker bees) in big companies that someone wants to hack.
An article on blog.sungardas.com was written by a white-hatter (his job is to try to hack his clients’ systems so that they know how to make them more impenetrable to the bad guys). The author says he’d make a beeline to LinkedIn if he became a black-hatter.
In addition to all of those revealed e-mail addresses, the hacker could also learn (without hacking, of course) what a business’s e-mail structure is. He can then compile a list of employees for his social engineering attacks. (Can you just see him watering at the mouth over this—like putting a sizzling steak in front of a dog.)
A phishing campaign could trick the targets into giving up crucial information—essentially handing the company key to the hacker. The crook, however, knows better than to pull this stunt on IT employees. But fertile territory includes employees in the marketing, accounting and customer service departments.
Maybe you’ve read that every professional these days absolutely should have a LinkedIn account. You can bet that every hacker agrees!
Companies need to come up with a way to prevent hackers from sneaking into their network via that bastion of essentiality known as LinkedIn.
The penetration-tester, in his article recommends that businesses do the following:
Social engineering training.
Workers must be aggressively trained in how to sniff out a phishy-smelling e-mail. No corners should be cut with this training program, which should include ongoing staged attacks.
A statement clarifying communication about security information.
To help prevent employees from giving out sensitive information to the wrong people, the company must figure out how communication will be conducted, then get it down on paper. For example, “E-mails from our company will never ask you to reveal your username and password.”
Definitive reporting process for suspicious activity.
Employees need to have, on paper again, specific instructions in how to report suspicious activity, such as a questionable e-mail. These instructions should be simple and to the point.