In a blog post published Dec 2, 2015, Satnam Narang, Symantec’s senior security response manager, announced that the security company had uncovered dozens of LinkedIn profiles that could be used to launch “spear phishing” attacks against high-profile professionals.
The fakes followed the same pattern as those described below, only instead of pretending to be tech journalists, they posed as recruiters offering potential jobs to unsuspecting victims. Once a connection was made, the fakers could obtain their targets’ contact information and use it to send them malware.
The LinkedIn request seemed ordinary enough. A technology journalist named “Jenifer Lawrence” had asked to connect to me. I clicked OK without thinking. Then I took a closer look at her profile.
Meet the other J.Law — posing on LinkedIn as a technology journalist who doesn’t know how to use a spelling or grammar checker.
There was something a little off about it. For one, there was her name — like the famous actress but oddly spelled. Her profile picture looked a lot like Angelina Jolie. The publication she claimed to write for didn’t exist. And while her work history was impressive and grammatically correct, the brief biography below her name was written in semi-broken English.
That’s because “Jenifer” was a fake, one of an unknown number of fake profiles plaguing LinkedIn, the social network for job seekers that claims hundreds of millions of members.
Still, “Jenifer” was convincing enough to persuade more than 500 others, including several well-known tech journalists, to add her to their LinkedIn connections. In fact, “Jenifer” was part of a nest of fakes whose profiles shared similar characteristics: attractive women with job histories copied from actual working journalists, coupled with odd misspellings.
“Sarah,” a friend of “Jenifer,” is one of a nest of fake journalist profiles we found on LinkedIn. Note the creative spelling of “Brockton.”
Fake profiles are hardly unique to LinkedIn. They’re routinely used to boost Twitter follower counts, promote Facebook pages, and entice you to sign up for dating sites by making it seem like attractive people are interested in you.
But unlike those others, fake LinkedIn profiles are much more likely to be used by criminals and hackers to infect your computer, steal your personal information, or compromise your corporate network. And it’s a problem that appears to be getting worse.
“LinkedIn is the perfect entry point for any scammer trying to gain access to your network,” Narang said in an interview with Yahoo Tech. “Once you’re connected, they might send you an email saying, ‘Check out this great article.’ Once you click the link or open the attachment, you’re infected.”
What makes LinkedIn more dangerous than other social networks is the amount of trust most people put in the site’s profiles, especially those that have a lot of connections and endorsements, says Shaun Murphy, CEO of PrivateGiant, a startup developing a privacy-enhanced messaging and file-sharing app called Sndr. That’s why scammers spend so much time connecting real people to their fake accounts.
“It’s all about appearing credible,” he says. “If someone claiming to be Bill Gates reached out to you and said, ‘Click here to join my elite group,’ you’re much more likely to believe it’s really him if he has 10,000 followers instead of just two.”
Iranian hackers formed a sophisticated network of primary (green) and secondary (gray) LinkedIn accounts and created connections among them. (Image: Dell Secureworks)
The use of LinkedIn fakes as a method of attack seems to be gaining in popularity. In October, Dell Computer’s Counter Threat Unit identified a nest of 25 bogus LinkedIn profiles it believes were created by a group of Iranian hackers. A month earlier, security firm F-Secure uncovered a cohort of LinkedIn fakes targeting security researchers.
Fake LinkedIn profiles are a serious problem. How seriously LinkedIn is taking the problem, though, is an open question. When asked, a company spokesperson provided this statement:
We investigate suspected violations of our Terms of Service, including the creation of false profiles, and take immediate action when violations are uncovered. We have a number of measures in place to confirm authenticity of profiles and restrict or remove those that are fake. We encourage members to utilize our Help Center to report inaccurate profiles and specific profile content to LinkedIn.
LinkedIn declined to provide details about how it finds and identifies fake profiles or any estimates as to how many of the site’s more than 400 million accounts are bogus.
Sometimes LinkedIn’s algorithms uncover the fakes before the site’s security team does.
I first reported the fake “Jenifer Lawrence” to LinkedIn in April, to no effect: The account remained live on the site for months, as did those of her faux companions. When contacted again via media channels in September, LinkedIn removed the false “Jenifer Lawrence” account, as well as some of the other fakes linked to her.
But LinkedIn didn’t find all of them. The following fake account was still live at press time.
“Taylor” cobbled her résumé together by stealing from the LinkedIn profiles of two actual reporters.
There are also multiple questionable “Jenifer Lawrence” and “Sarah Cambell” profiles on the social network targeting different professions.
This “Jenifer” borrowed her résumé from an HR website; it’s one of a half dozen nearly identical fakes uncovered.
The way to avoid getting duped by a fake is to be highly skeptical and do a bit of legwork, says Narang. If strangers attempt to make a connection, see if they have other social networking accounts. Use reverse image-search sites like TinEye to see if they’ve borrowed someone else’s photos. Copy the unique parts of their résumés into a search engine and see if other profiles show up in the results.
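The résumé check Narang describes can be automated for a batch of profiles: split each bio into word shingles and flag pairs whose Jaccard overlap is high, which catches copied work histories even when the copy has been lightly misspelled. This is an added example, not code from the article or from Symantec, and every profile text below is constructed sample data.

```python
"""Flag profile bios that reuse another profile's résumé text (added example).

Word shingles (k consecutive words) plus Jaccard similarity: a copied bio with
a few typos still shares most of its shingles with the original, while an
unrelated bio shares almost none.
"""
import re
from itertools import combinations

# Constructed sample data: one real reporter, two fakes, one unrelated profile.
PROFILES = {
    "real_reporter": ("Technology reporter covering startups and venture capital "
                      "for a national business daily. Previously staff writer at a "
                      "regional newspaper in Brockton, Massachusetts."),
    "fake_taylor": ("Technology reporter covering startups and venture capital "
                    "for a national business daily. Previously staff writer at a "
                    "regional newspaper in Brokton, Massachusets."),   # typos
    "fake_sarah": ("Tech journalist, i write about startups and venture capital "
                   "for national business daily. Previous staff writer regional "
                   "newspaper Brockton."),                             # paraphrased
    "unrelated": ("Mechanical engineer designing HVAC systems for commercial "
                  "buildings, with a focus on energy efficiency audits and retrofits."),
}


def shingles(text, k=3):
    """Lowercase, strip punctuation, and return the set of k-word shingles."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two sets; an empty side counts as no overlap."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def find_copies(profiles, threshold=0.5, k=3):
    """Return (name_a, name_b, similarity) for every pair at or above threshold."""
    sh = {name: shingles(text, k) for name, text in profiles.items()}
    hits = []
    for a, b in combinations(profiles, 2):
        sim = jaccard(sh[a], sh[b])
        if sim >= threshold:
            hits.append((a, b, round(sim, 2)))
    return hits


if __name__ == "__main__":
    for a, b, sim in find_copies(PROFILES):
        print(f"{a} <-> {b}: {sim}")   # flags the typo-laden copy, not the paraphrase
```

The paraphrased "fake_sarah" bio falls below the default threshold, so a lower threshold or a smaller shingle size is needed if loosely reworded copies should also be flagged.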
Bottom line: If you’ve got a lot of LinkedIn connections, odds are good that at least some of them aren’t real. And that could be bad news for everyone.