New cybersecurity vulnerabilities are discovered daily, and health IT departments divert resources to patch security holes and address software risks as soon as they arise. It is important, however, not to forget bugs in human hardware, which are arguably much easier for attackers to exploit.
Bugs in Human Hardware Being Exploited
"Bugs in human hardware" is a term used to describe exploitable weaknesses in human behavior: trust, curiosity, helpfulness and the desire to connect. Criminals exploit them to obtain access to data in order to commit fraud, sabotage networks and steal sensitive information. The perpetrators, otherwise known as confidence tricksters, use a variety of methods to obtain usernames and passwords, security keys and other highly sensitive data.
Rather than a mass phishing email, which requires the recipient to click a link or open a malware-infected attachment, these attacks rely on more targeted social engineering techniques. They tend to be subtler, generally require greater investment on the part of the perpetrator, and take longer to reach the end goal.
A new case of social engineering has recently been uncovered by researchers from Dell SecureWorks Counter Threat Unit, involving the social networking website LinkedIn. Criminals are now using the site to take advantage of individuals’ need or desire to connect with others.
While friend requests from apparent strangers on Facebook are likely to be rejected, the same cannot be said of LinkedIn. Individuals create LinkedIn profiles for many reasons, but one of the main uses of the site is business networking and finding new employers or new customers. Users are therefore much more likely to connect with someone they do not know, a fact not lost on online criminals. IT departments should take steps to reduce the potential for bugs in human hardware to be exploited.
Criminals Faking LinkedIn Profiles to Gain Information on Potential Targets
In this case, criminals have put a considerable amount of effort into developing fake LinkedIn profiles, each containing detailed education and work histories. Linked to those profiles were supporting profiles, giving the impression that the accounts were legitimate. The fake accounts were created for fictitious employees of well-known organizations. Many of the fake individuals claimed to be recruiters for companies such as Airbus, Doosan, RHB Bank (Malaysia) and a number of petrochemical companies. The accounts were then used to connect with targets and fool them into believing they were being headhunted. Individuals targeted by this particular network were mostly located in the Middle East, North Africa, and South Asia.
In total, the researchers discovered 25 fake profiles, which were connected to 204 legitimate profiles. Those connections mainly involved individuals working in telecommunications, government, and defense. Some of the fake accounts had as many as 500 connections, which lent them an appearance of legitimacy. According to Dell's researchers, "The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas."
The aim of the criminals was to fool users into clicking links to malware-infected websites and to gather information about targets for use in spear phishing campaigns. Spear phishing is not confined to email; LinkedIn and other social networking sites are often used by criminals to obtain the sensitive information that makes such attacks convincing.
This discovery should serve as a warning to all social networking site users not to connect with an unknown individual without at least first taking some steps to confirm that individual's identity. Before connecting, it is a wise precaution to contact the individual's stated employer through a channel you look up yourself to make sure the person is real, or at least to examine the individual's connections and try to verify their identity. In many cases the fake profiles were connected to supporting profiles without photographs and with scant information on their education and work histories. According to the researchers, even if the person is known to one of the target's existing connections, that does not mean the person can be trusted.
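The vetting checks described above can be turned into a simple triage step before accepting a connection request. The following is an added illustration, not code from the original article or from Dell SecureWorks, and the profile directory it runs over is constructed for the example: it scores a request on the signals the researchers pointed to (missing photo, scant history, a recruiter claim that should be confirmed with the employer out of band, and a connection list made up mostly of thin "supporting" accounts), and it deliberately does not treat mutual connections as proof of identity.

```python
"""Added example: triage a LinkedIn-style connection request against the red flags
described in the article. The Profile records and the DIRECTORY below are
constructed sample data, not real accounts."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Profile:
    name: str
    headline: str            # e.g. "Technical Recruiter at ExampleCorp"
    has_photo: bool
    work_entries: int        # number of work-history entries on the profile
    education_entries: int   # number of education entries on the profile
    connections: Set[str] = field(default_factory=set)


def is_thin(p: Profile) -> bool:
    """A 'thin' profile matches the supporting accounts in the report:
    no photo and at most one work or education entry."""
    return (not p.has_photo) and (p.work_entries + p.education_entries) <= 1


def triage(request: str, me: str, directory: Dict[str, Profile]) -> Tuple[int, List[str]]:
    """Return (risk score, reasons) for a request from `request` to `me`.
    Higher score means more verification is needed before accepting."""
    p = directory[request]
    mine = directory[me]
    score = 0
    reasons: List[str] = []

    if not p.has_photo:
        score += 1
        reasons.append("no profile photo")
    if p.work_entries + p.education_entries <= 1:
        score += 1
        reasons.append("scant work/education history")
    if "recruit" in p.headline.lower():
        # Recruiter personas were the main lure in the report; always confirm
        # with the named employer via a contact you look up yourself.
        score += 1
        reasons.append("claims to be a recruiter; confirm with the employer out of band")

    # Supporting-profile check: what fraction of the visible connections are thin?
    visible = [directory[c] for c in p.connections if c in directory]
    thin = [c for c in visible if is_thin(c)]
    if visible and len(thin) / len(visible) >= 0.5:
        score += 2
        reasons.append(
            f"{len(thin)} of {len(visible)} visible connections are thin profiles "
            "(possible supporting accounts)"
        )

    mutual = p.connections & mine.connections
    if not mutual:
        score += 1
        reasons.append("no mutual connections")
    else:
        # A shared contact lowers nothing: the researchers note it is not proof of identity.
        reasons.append(f"{len(mutual)} mutual connection(s); shared contacts are not proof of identity")
    return score, reasons


# Constructed sample directory: one recruiter persona propped up by three thin
# supporting accounts, and one ordinary colleague-of-a-colleague request.
DIRECTORY: Dict[str, Profile] = {
    "alice.rec": Profile("alice.rec", "Technical Recruiter at ExampleCorp", False, 1, 0,
                         {"bob.sup", "carol.sup", "dave.sup", "eve"}),
    "bob.sup":   Profile("bob.sup", "Consultant", False, 1, 0, {"alice.rec", "carol.sup"}),
    "carol.sup": Profile("carol.sup", "Engineer", False, 0, 1, {"alice.rec", "bob.sup"}),
    "dave.sup":  Profile("dave.sup", "Manager", False, 0, 0, {"alice.rec"}),
    "eve":       Profile("eve", "Network Engineer at ExampleTelco", True, 3, 1, {"alice.rec", "target"}),
    "target":    Profile("target", "Systems Administrator", True, 2, 2, {"eve", "frank"}),
    "frank":     Profile("frank", "Security Analyst", True, 4, 1, {"target", "grace"}),
    "grace":     Profile("grace", "Security Engineer at Example Utility", True, 2, 1, {"frank"}),
}


if __name__ == "__main__":
    for requester in ("alice.rec", "grace"):
        score, reasons = triage(requester, "target", DIRECTORY)
        print(f"{requester}: score {score}")
        for r in reasons:
            print("  -", r)
```

The recruiter persona scores 5 even though it shares a mutual connection with the target, while the ordinary request scores 0; the thresholds and weights are the example's own choices and should be tuned to what a given organisation actually sees.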