Unknown Connections On LinkedIn Can Compromise Enterprise Security
Intel Security says employees are not being educated about the risks of adding people they don’t know on LinkedIn amid fears of spear phishing attacks
Businesses are being urged to educate employees about the risks of connecting with people they don’t know on LinkedIn, warning that cyber criminals are using social engineering to harvest information that could be used to launch a spear phishing attack.
Experts claim hackers try to construct social circles in the hope of attracting more influential people, such as executives, to connect with them. This can result in more bountiful information to stage an attack aimed at compromising an enterprise network.
“When a person in a similar industry to us, or a recruiter, requests to connect on LinkedIn, it may look harmless, but hackers prey on this as a means to target senior level professionals and ultimately the corporate network,” said Raj Samani, CTO for EMEA at Intel Security.
LinkedIn security threat
“Social networking sites are a treasure trove of data used by malicious actors in order to research potential targets for attacks, not only requesting to connect with senior executives but as many junior or mid-level employees at a company as possible.
“They then target senior level execs, using their existing connections with colleagues as proof of credibility by leveraging the principle of social validation. Once these connections are in place they can launch a targeted phishing campaign. For example it could well be used as a precursor of a CEO fraud attack, a type of attack which is continuing to affect more victims and lead to even greater financial losses according to assessments by the FBI.”
Research from the security firmfound 23.9 percent of British workers have added someone they did not know on the social network, with 68.7 percent admitting they had not considered the possibility a connection might not be who they say they are.
Nearly nine tenths said their employer had never made them aware of any specific corporate policies regarding LinkedIn.
“Businesses must educate all members of staff on how to avoid common scams, including making them aware of the risks of opening unknown attachments in messages or clicking on unknown links,” added Samani. “This sounds simple but phishing scams are growing rapidly. Companies are falling tricks by cybercriminals who get in contact using details skimmed from the Internet to legitimise their own fake profile in order to better target businesses.”
LinkedIn has had its own security problems recently. Hundreds of millions of login details exposed during an attack on the site in 2012 were reportedly being touted for sale, leading the social network to reset a significant number of user passwords.
This, however, did not stop Microsoft acquiring it for £18.5 billion last week.
Are you a security guru? Try our quiz!