LinkedIn Security
How LinkedIn can be used by hackers, phishers and social engineers
- Phishing - Once you are part of their network, a LinkedIn contact can see your email address (if you made it visible). Because LinkedIn implies an established business connection, you may be more inclined to open a phishing email that appears to come from a contact. A criminal can also tailor the phishing email far better if they have read your profile: knowing what you do for a living, what type of job you hold and who you work with makes it much easier to craft a legitimate-looking message.
Phishing methods can include:
- People you do not know in person who ask you for money. This can include people asking you to send money, cryptocurrency or gift cards in order to receive a loan, a prize or other winnings.
- Job postings that sound too good to be true or that ask you to pay something up front. These "opportunities" can include mystery shopper, company impersonator or personal assistant positions.
- Romantic messages or gestures, which are not appropriate on the platform, can be indicators of an attempted fraud. This can include people using fake accounts to develop a personal relationship with the intention of working up to requests for money.
- Compromised Data - In 2012, LinkedIn lost the email addresses and password hashes of more than 100 million users. The passwords were stored as unsalted SHA-1 hashes, so most were cracked quickly. This data is still readily available on the dark web and is a goldmine of credentials, because many people reuse the same password across services and either don't know or don't care about good password hygiene. Reused credentials are one of the most common causes of data breaches: an attacker simply tries the leaked email and password pairs against other sites (credential stuffing).
- Viewing all employees - A feature such as "view all employees" can help a criminal identify targets. As for what they do with this information, an attacker could use their knowledge of a company's structure to impersonate someone's boss or colleague and trick them into sharing confidential information or clicking a malicious link.
- Viewing all connections - By reviewing an organization's many LinkedIn connections, a hacker can start to build a detailed picture of the organization's suppliers, technology providers and other third-party services. This can help them identify potential entry points within the target's technology stack, e.g. its CRM, HR or payroll systems. An understanding of which technologies are in use can also help a hacker work out what security controls may be in place and, more importantly, which systems may have known vulnerabilities.
Furthermore, imagine the scenario in which an attacker cannot infiltrate their target directly. If resourceful enough, they may try to use LinkedIn to work out which suppliers and partners they use, in a bid to infiltrate them instead. It's easy to imagine a bank's marketing agency having more lax security than the bank itself, and that's exactly why they may end up an unwitting entry point to their client's network.
- New job posts offer insight into technology - When hiring for technical roles, particularly IT or system admin positions, LinkedIn job posts can reveal a lot of valuable data. This can include the technology underpinning critical business operations, for instance, which databases, operating systems, storage, and scripting languages are in use across the organization. For hackers, this is priceless information that can help them mount a successful attack.
Job ads can also reveal details of upcoming IT projects such as infrastructure upgrades, e.g. moving to a cloud service provider. These kinds of projects may be a good entry point, since security processes may be less mature and an intruder on the network may be harder to spot while the organization still has no baseline of normal activity.
- Using curiosity to spread malware - Perhaps LinkedIn's greatest asset is its ability to exploit its users' curiosity, but hackers can use this to their advantage too. They know that if a stranger views someone's profile, the first thing that person will probably do is click through to the stranger's profile to find out why. For example, a hacker can create a fake profile and view the profiles of several targets. They could place a malicious link on that profile in the hope that a curious target clicks on it, at which point LinkedIn becomes a malware delivery mechanism.
- Influencing Network and Reputation: A hacker might impersonate a trusted connection to spread misinformation or convince the victim's network to undertake certain actions. This could have harmful repercussions, damaging both personal and professional reputations. Such manipulation could even be used to negatively impact a company's stock price, cause internal disruption, or sway the opinion of shareholders.
- Misuse of InMail: LinkedIn's private messaging system, InMail, can be misused for sending phishing links or malicious files. Since it's a direct communication line, hackers could take advantage of this to trick users into revealing sensitive information. Also, people might be more inclined to trust a link sent via LinkedIn as compared to one sent through a less familiar channel.
- Endorsements and Recommendations: Fake endorsements and recommendations can be used to build up a fraudulent profile's credibility. By having a well-constructed profile complete with endorsements, a hacker could gain trust more easily, which may lead to successful phishing or social engineering attacks.
- "Premium" Impersonation: Some hackers might go a step further and pay for a LinkedIn Premium account. The 'Premium' badge could give an additional layer of credibility to the hacker's profile, making their phishing or social engineering attacks more effective.
- Data Harvesting for Personalized Attacks: A more subtle way that LinkedIn can be used is for "data harvesting". This refers to the collection of information from a person's profile, such as their interests, job history, or connections. This information can be used to create highly personalized and convincing phishing or spear phishing attacks.
Precautions for your security
LinkedIn users need to understand the value of their data, be more guarded when posting and viewing content online, and always be aware of the cybersecurity threat. Hackers are out there; they are smart, organized, and resourceful, and they won't think twice about using a service like LinkedIn to get to their target – which could easily be you.
Do not accept LinkedIn connection requests from:
- People you don't know or know of: You should avoid accepting connection requests from people you have no familiarity with. If you don't recognize the person or their professional credentials, it's safer not to engage, as they may be spammers or malicious actors. It's particularly advisable to avoid connecting with people from industries or regions completely unrelated to your professional sphere.
- People to whom you have no second- or third-degree connection: On LinkedIn, a second-degree connection is a connection of your connection (i.e., a "friend of a friend"), and a third-degree connection is a connection of a second-degree connection. If someone is not even a third-degree connection, there is no path from your network to them at all, which indicates a higher risk. A second-degree connection shares at least one mutual connection with you, and mutual connections act as a sort of "vouching" system: it is less likely (though not impossible) that a scammer or spammer would be connected to someone you trust.
- People who have no trusted connections: This point is similar to the previous one. If you get a request from someone who is not connected to any individuals you trust or recognize, it's safer to ignore it. Trusted connections are usually colleagues, friends, or industry professionals whose judgment you trust. If the requester is not connected to anyone in your trusted network, it's more likely they could be a malicious actor.
- People with very few connections: LinkedIn is a professional networking platform, and most genuine users will have a decent number of connections (usually 100 or more) built up over time. If you receive a request from someone with only a few connections, this could be a red flag. It's possible that this is a new account, but it could also be a fake profile. Hackers or spammers often create fake accounts and send out mass connection requests, and these accounts will typically have very few connections.
- Incomplete Profiles: These might not necessarily be dangerous, but profiles lacking a profile picture, details about their current position, or other basic information could indicate a spam or fake account. Be wary if they have no visible activity such as likes, comments, or posts.
- Profiles with Multiple Spelling or Grammar Errors: While everyone can make occasional typos, a profile riddled with errors might be a red flag. This could potentially be a hastily created account with the intention of spamming or scamming.
- Profiles with Generic Job Titles: Be cautious of profiles with overly generic job titles such as "freelancer" or "self-employed," especially if the rest of the profile lacks specific details. These could be bots or people trying to appear legitimate.
- Connections Requesting Confidential Information: No legitimate LinkedIn connection should ever ask you to disclose confidential information, such as credit card details, bank account numbers, social security numbers, etc. Do not accept or maintain connections that request this type of information.
- Profiles with a Rapidly Changing Job History: If a profile shows the person changing jobs every few months, this could be a red flag. It's especially concerning if these job changes span across diverse fields, which might indicate that the account holder is fabricating their job history.
- Profiles that Seem Too Good to be True: If a profile seems exaggerated or too good to be true, treat it with caution. Examples could include an unusually high-ranking position for a young age, endorsements from extremely high-profile individuals, or credentials from prestigious institutions without corresponding details or evidence.
- Unsolicited Contact with Job Offers: Be wary of unsolicited connection requests that immediately follow up with a job offer, especially if the offer seems too good to be true. Scammers may use this approach to convince you to click on a malicious link or provide personal information.
How to investigate on LinkedIn
While some of these things may also be a result of a poorly written profile rather than a fake one, you are looking for patterns. If you see any red flags, then you will want to use their content and network to verify further.
- As part of this profile check, use LinkedIn's "About this profile" panel. It shows "when a profile was created and last updated" and "whether the member has verified a phone number and/or work email associated with their account." A profile created last week that claims a twenty-year career is worth a closer look. Be sure to check this as part of your screening process.
- Take a second to ensure that the LinkedIn profile really belongs to the person it says it does. Check to see if you have mutual connections on LinkedIn and, if you do, reach out to those individuals to verify.
- When in doubt, use Google's "Search by image" (reverse image search) to see whether the photo really belongs to the person the profile claims to be. Fake profiles often use photos taken from advertisements or of models.
- Periodically check that nobody has opened an account in your name, or under a common variant of your name.
- If you see profiles, messages or content that look suspicious, report them to LinkedIn.
Content Test
Profiles are created once, but content is harder and more time-intensive to fake. Scroll through their recent posts and history to look for these dead giveaways.
- Are they posting regularly?
- Do they write a post with their content, or do they only share links without any further information?
- Do their posts have responses and do they engage with those responses?
- Are there any other comments they have written on other people’s posts?
- Have they sent you information with overly personal or formal language? (Such as “Hello my dear” or “Dear Sir or Ma’am”)
Network Test
The final area you can check on a LinkedIn profile is their network.
- Do they have under 100 total connections?
- Does the profile have any followers in addition to connections?
- Are there some LinkedIn recommendations written, and do they seem genuine and relevant to the rest of the profile?
- Do you have any mutual shared connections?
Protecting Your Account and Identity
Spotting the fakes is a good first step, but you also want to protect your data and information. Your online reputation and connections are valuable business assets and should be treated as such.
If you are not already, make sure that you are regularly downloading your data and information from LinkedIn. This can help you in case you do ever have a security breach. But there are things you can do to keep that from happening in the first place.
- Use a strong password that is unique to LinkedIn.
- Regularly review your privacy and security settings.
- Turn on two-factor authentication for your logins.
- Periodically do a reverse image search with your own profile picture to see if it shows up in places it shouldn’t.
- Set up a Google Alert for your name.
- Check your active sessions in the account settings to ensure your account isn't being accessed from a device or location you don't recognize, and sign out any session you don't recognize.
- Make it a quarterly habit to review your profile and update it.
- Keep your own account active. When you don’t, you could look like a bot.
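The 2012 dump described above and the "unique password" advice in this list come down to one check: is a given password already in a breach corpus? The block below is an added example, not code from the original article or from LinkedIn. It implements the k-anonymity range query used by Have I Been Pwned's Pwned Passwords API, in which the client sends only the first five hex characters of the password's SHA-1 and the server returns every known hash suffix under that prefix with its breach count, so neither the password nor its full hash ever leaves the machine. The breach corpus and its counts are constructed stand-ins, and the "server" is simulated in-process so the example runs offline; `RANGE_URL` is the real endpoint but is not called here.

```python
"""k-anonymity password breach check (added example, runs offline).

Client and simulated server share only a 5-character SHA-1 prefix, which
is exactly the exchange the Pwned Passwords range API performs.
"""
import hashlib

# Real endpoint of the range API, shown for reference; not called in this example.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed stand-in for a breach corpus (password -> times seen).
# Illustrative values only, not real counts from any dump.
LEAKED_CORPUS = {
    "123456": 37_000_000,
    "linkedin": 250_000,
    "Password1": 90_000,
}


def sha1_upper(password: str) -> str:
    """The API keys entries by uppercase hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """5-char prefix goes over the wire; the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """URL a real client would GET for the given prefix."""
    return RANGE_URL.format(prefix=prefix.upper())


# --- server side (simulated in-process) ----------------------------------

def range_response(prefix: str, corpus: dict[str, int] = LEAKED_CORPUS) -> str:
    """Answer a range query the way the real API does: every suffix under the
    requested prefix with its count, one 'SUFFIX:COUNT' line each. The server
    never learns which suffix the client is interested in."""
    lines = []
    for pw, count in corpus.items():
        p, s = split_hash(sha1_upper(pw))
        if p == prefix.upper():
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


# --- client side -----------------------------------------------------------

def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerate blank lines and lowercase hex."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch=range_response) -> int:
    """How often the password appears in the corpus. Only the prefix is sent;
    `fetch` is swapped for an HTTP GET of range_url(prefix) in a real client."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def password_is_safe_to_use(password: str, fetch=range_response) -> bool:
    """Policy used here: any appearance in a breach corpus disqualifies it."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("123456", "linkedin", "correct horse battery staple"):
        prefix = split_hash(sha1_upper(candidate))[0]
        n = breach_count(candidate)
        verdict = "LEAKED, do not reuse" if n else "not in corpus"
        print(f"{candidate!r}: {verdict} ({n} occurrences); only prefix {prefix} was sent")
```

To turn this into a real client, replace `fetch` with a function that performs an HTTP GET on `range_url(prefix)` and returns the response body; the parsing and matching stay the same. A hit of zero only means the password is not in the corpus you queried, not that it is strong, so it complements rather than replaces a unique, long password and two-factor authentication.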
How to report abuse
- Look for the three dots (the "More" menu) in the upper right corner of the profile, post or message, click Report, and select the option that best describes your concern. You can also contact LinkedIn's customer service team directly through the Help Center.