Just say no to LinkedIn requests from strangers; some may be phishing scams
Just say no to LinkedIn requests from strangers; some may be phishing scams:- SAN FRANCISCO – Most of us have done it: eager to build professional leads that might open a door to the next job or sales deal, we’ve accept that LinkedIn request from an unknown contact.
Wrong move.
A go-to staple for professionals, LinkedIn can pose dangers to unsuspecting users because people have come to have confidence in it and by extension, implicit faith that all accounts on the platform are legitimate.
Enter the hackers. Cybersecurity firms say criminals have figured out how to subvert the network by posing as authentic, boring, cubicle-office dwellers.
“It’s got trust built into it, and hackers leverage that trust to their own nefarious purposes,” said Allison Wikoff, a senior researcher with the counter threat unit at SecureWorks, an Atlanta-based security company.
Last month hackers stole and posted over three terabytes of files from the music video site Vevo — a breach that began with a single phishing attack through LinkedIn. A group called Our Mine claimed responsibility.
Once part of a user’s network, a LinkedIn contact can see another’s email address (if the user has made that available). He or she has also established a personal connection that makes it more likely the target will open an email that contains malware.
“They can really tailor the phishing email to the person’s profile, based on what they do for a living, what type of job they have, all of which makes it so much easier to trick them into clicking a link,” Wikoff said.
The social network, wary of losing its credibility, has tried to stamp out these hoax users and warn its 500 million users to do the same.
“The most important thing LinkedIn members can do to protect themselves is to only accept requests from people they know or recommended contacts from a trusted connection,” said Paul Rockwell, head of LinkedIn’s trust and safety unit.
The company also has an entire team dedicated to finding and rooting out fake accounts, which it says comprise a tiny portion of its users, and offers a website to report fake or co-opted accounts.
Acquired by Microsoft in 2016, LinkedIn has become the de facto repository of most people’s occupational lives, a place where their resume lives and where the world — and potential employers — can find out about their professional abilities.
That’s why you should investigate before you click “Accept,” said J.D. Gershbein, CEO of Owlish Communications, a Chicago-based company that helps professionals hone their LinkedIn profiles.
He himself only accepts about one out of every five invitations that come his way.
Be especially careful of profiles that seem thin on facts or too good to be true. If you find one with no head shot or a person with fashion-model looks and a short or nonexistent work history, be cautious. Gershbein say’s he’s seen those sorts of invitations far too many times.
Sometimes attackers are simply trying to harvest email addresses to send spam to. But as in the Vevo case, LinkedIn can also be used as a way to lure the unwary into clicking on phishing emails.
Once the recipient clicks on a link or opens a document that contains malware, the malicious software infiltrates their computer, compromising everything on it and possibly any networks it connects to.
Sometimes these are tied to industrial espionage or even state-sponsored attacks.
Wikoff’s team at SecureWorks spent a year tracking a group it dubbed Cobalt Gypsy, which had created a fake LinkedIn profile for a nonexistent London-based photographer named “Mia Ash.” The group targeted telecommunications, government, defense, oil, and financial services organizations with links to the Middle East, SecureWorks says. It believes the group was associated with Iranian government-directed cyber operations.
The Mia Ash persona used a photo of an attractive young woman, an actual photographer in Romania with a different name, and the mainly male victims it targeted all too often agreed to connect with her. Once they did, “she” talked them into chatting on Facebook and other venues, ending in a request to fill out an online survey about travel that she sent them.
Some users wonder why it would be worth anyone’s time to target them. But the stakes are low for attackers, say experts.
“It’s not like robbing a bank, where you go to jail. The majority of them may fail but it doesn’t cost much. If they run 100 attempts and only two work, it’s a great success rate,” said Joseph Steinberg, with SecureMySocial, a firm that works with companies on problems associated with employees use of social media.
Source:- https://www.usatoday.com/story/tech/2017/10/06/just-say-no-linkedin-requests-strangers-some-may-phishing-scams/723528001/
