How LinkedIn can be used by a hacker, phisher and for social engineering
- Phishing - As part of your network, a LinkedIn contact can see your email address (if you made that available). Since LinkedIn helps to create an established business connection, you may be more apt to open a phishing email. A criminal can better tailor the phishing email if they know your profile. Knowing what you do for a living, what type of job you have, etc. makes it easier to create a legit looking phishing email.
- Compromised Data - In 2012, LinkedIn lost the email addresses and passwords for more than 100 million users. This data is still readily available on the dark web and is a goldmine of credentials because a lot of people are lazy and either don't know or don't care about good password hygiene. In fact, reused credentials are one of the most common causes behind data breaches.
- Viewing all employees - A feature like 'see all employees' can help a criminal identify targets. In terms of what they do with this information, an attacker might use their knowledge of a company's structure to pose as someone's boss or colleague and trick them into sharing confidential information or clicking a malicious link.
- Viewing all connections - By reviewing an organization's many LinkedIn connections, a hacker can start to build a detailed picture of an organization's suppliers, technology providers and other third party services. This can help them identify potential entry points within their target's technology stack e.g. their CRM, HR or payroll systems. An understanding of which technologies are in use can also help a hacker understand what security systems may be in place and, more importantly, which systems are vulnerable.
Furthermore, imagine the scenario in which an attacker cannot infiltrate their target directly. If resourceful enough, they may try to use LinkedIn to work out which suppliers and partners they use, in a bid to infiltrate them instead. It's easy to imagine a bank's marketing agency having more lax security than the bank itself, and that's exactly why they may end up an unwitting entry point to their client's network.
- New job posts offer insight into technology - When hiring technical roles, particularly IT or system admin positions, LinkedIn job posts can reveal a lot of valuable data. This can include the technology underpinning critical business operations, for instance which databases, operating systems, storage and scripting languages are in use across the organization. For hackers, this is priceless information that can help them mount a successful attack.
Job ads can also reveal details of upcoming IT projects such as infrastructure upgrades e.g. moving to a cloud service provider. These kinds of projects may be a good entry point since security processes may be less mature and a new hacker infiltrating the network may be harder to spot while the organization still hasn't created a baseline of normal activity.
- Using curiosity to spread malware - Perhaps LinkedIn's greatest asset is its ability to tap into the curiosity of its users, but hackers can use this to their advantage too. They know that if a stranger visits someone's profile, the first thing they are likely to do is to click on their profile in an attempt to find out why. For instance, a hacker may create a fake profile and view the profiles of several targets. They could place a malicious link on their profile hoping that it is clicked by a curious target, at which point LinkedIn is effectively a delivery mechanism for malware.
Precautions to keep you safer
LinkedIn users need to understand the value of their data, be more guarded when posting and viewing content online, and always be aware of the cybersecurity threat. Hackers are out there; they are smart, organized and resourceful, and they won't think twice about using a service like LinkedIn to get to their target – which could easily be you.
Don't accept LinkedIn connections from:
- people you don't know or know of.
- people who you don't at least have a second - or third-hand connection to you.
- people who have no trusted trusted connections.
- people with very few connections.
How to research LinkedIn
- Take a second to insure that the LinkedIn profile really belongs to the person it says it does. Check to see if you have mutual connections on LinkedIn and, if you do, reach out to those individuals to verify.
- When in doubt, use Google's “Search By Image” feature to see if the photo is of the person it says it is. Often fake profiles feature photos from ads or of models.
- Check periodically to make sure no one's opened an account in your name, or in a common variant on your name.
- If you see profiles, messages or content this looks suspicious, report it to LinkedIn.
How to report abuse
- Look for the three dots in the upper right corner, click report and select the best option that describes your concerns. You can also contact LinkedIn's customer service team directly through the Help Center.