Working in the cybersecurity industry, developing a healthy dose of paranoia is inevitable. You might still use social media networks, but you stop viewing your personal life as something to share freely with the world. Instead, you hold even the most seemingly inconsequential information as close to you as possible.
Use of LinkedIn is a great example of how being security-minded changes your outlook on digital services that others take for granted. Most organisations and professionals see it as a way of communicating with their network, making new connections, and generating new business. However, when you view LinkedIn through the eyes of a cybercriminal, you quickly see how its features, and more importantly your data, could be used against you. From reconnaissance to the actual execution of a cyberattack, LinkedIn can be a dangerous weapon in the hands of a creative and persistent hacker.
See all employees = identify targets
A feature like 'see all employees' can help prospective employees or customers better understand an organisation, its hierarchy and its processes – akin to a virtual tour of the company. To a hacker, however, this process is like browsing through a catalogue of potential targets. Even unsophisticated hackers can write a script that loops over these listings to generate a large target list for phishing. This breaks LinkedIn's terms of service, but that is of no concern to attackers.
In terms of what they do with this information, an attacker might use their knowledge of a company's structure to pose as someone's boss or colleague and trick them into sharing confidential information or clicking a malicious link.
See connections = case the joint
In any good heist movie, there's a classic scene in which the perpetrators case the joint, visiting their chosen target and identifying viable entry points.
By reviewing an organisation's many LinkedIn connections, a hacker can start to build a detailed picture of its suppliers, technology providers and other third-party services. This can help them identify potential entry points within their target's technology stack, e.g. its CRM, HR or payroll systems. An understanding of which technologies are in use can also help a hacker work out what security systems may be in place and, more importantly, which systems are vulnerable.
Furthermore, imagine the scenario in which an attacker cannot infiltrate their target directly. If resourceful enough, they may use LinkedIn to work out which suppliers and partners the target uses, in a bid to infiltrate those instead. It's easy to imagine a bank's marketing agency having laxer security than the bank itself, and that's exactly why it may end up an unwitting entry point to its client's network.
US clothing retailer, Target, found this out the hard way when its refrigeration supplier was hacked in 2013, leading to the payment information of over 40 million of its customers being compromised.
New job posts = technology checklist
When hiring technical roles, particularly IT or system admin positions, LinkedIn job posts can reveal a lot of valuable data. This can include the technology underpinning critical business operations, for instance which databases, operating systems, storage and scripting languages are in use across the organisation. For hackers, this is priceless information that can help them mount a successful attack.
Job ads can also reveal details of upcoming IT projects such as infrastructure upgrades, e.g. moving to a cloud service provider. These kinds of projects may be a good entry point, since security processes may be less mature and an intruder on the network may be harder to spot while the organisation has not yet established a baseline of normal activity.
Returning to the scene of the crime
LinkedIn was famously hacked in 2012, losing the email addresses and passwords of more than 100 million users. This data is easy to find online and, while traditional bricks-and-mortar criminals may not return to the scene of the crime, cybercriminals have no such reservations.
They will use this data for what it is: a goldmine of credentials. Because a lot of people are lazy and either don't know or don't care about good password hygiene, many of these passwords may still be in use to secure corporate data. In fact, reused credentials are one of the most common causes behind data breaches.
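The defensive counterpart to the credential-reuse problem described above is to reject, at password set or reset time, any password that already appears in breach data. The example below is added here and is not code from the original article or from Redscan; it simulates the range-query approach used by Have I Been Pwned's Pwned Passwords service (the client sends only the first five hex characters of the SHA-1 hash and matches the suffix locally, so the password never leaves the client) against a small corpus of hashes constructed inline to stand in for a real breach dump. The function and variable names are the example's own.

```python
import hashlib

# Constructed sample corpus standing in for a breach dump (e.g. the 2012
# LinkedIn data): plaintext passwords with the number of times each was seen.
# Real corpora ship as SHA-1 hashes only; the plaintexts exist here solely so
# the example can build its own hash index offline.
_CONSTRUCTED_LEAK = {
    "password": 3730471,
    "linkedin": 172523,
    "123456": 1120000,
    "Summer2012!": 42,
}


def _sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest form used by Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leak: dict) -> dict:
    """Index the corpus by 5-char hash prefix -> list of (35-char suffix, count).

    This mirrors the layout the range API returns: one bucket per prefix,
    so a lookup reveals only that the client holds *some* hash in the bucket.
    """
    index = {}
    for pw, count in leak.items():
        h = _sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


RANGE_INDEX = build_range_index(_CONSTRUCTED_LEAK)


def range_lookup(prefix: str) -> list:
    """Simulated server side: return every (suffix, count) pair for a prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """Client side: send only the prefix, compare the suffix locally.

    Returns the number of times the password was seen in breach data, or 0.
    """
    h = _sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for cand_suffix, count in range_lookup(prefix):
        if cand_suffix == suffix:
            return count
    return 0


def check_password_policy(password: str, min_len: int = 12) -> list:
    """Reasons a new password should be rejected; an empty list means accept."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    n = breach_count(password)
    if n:
        problems.append(f"seen {n} times in breach data")
    return problems


if __name__ == "__main__":
    for pw in ("linkedin", "Summer2012!", "correct-horse-battery-staple"):
        print(pw, "->", check_password_policy(pw) or ["ok"])
```

Against a live service the `range_lookup` call would become an HTTPS request carrying the five-character prefix; the rest of the logic is unchanged, and the breach count is useful for choosing between a hard reject and a warning.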
Using curiosity to spread malware
Perhaps LinkedIn's greatest asset is its ability to tap into the curiosity of its users, but hackers can use this to their advantage too. They know that when a stranger views someone's profile, the first thing the person viewed is likely to do is click through to the stranger's profile to find out why. For instance, a hacker may create a fake profile and view the profiles of several targets. They could place a malicious link on that profile in the hope that a curious target clicks it, at which point LinkedIn is effectively a delivery mechanism for malware.
How to respond
First and foremost, it is important to note that the methods outlined above are not hypothetical. The German Ministry of the Interior recently released details of a nine-month investigation into social media use by Chinese intelligence services, which were using services like LinkedIn for espionage. In an effort to identify and compromise individuals and organisations, fake profiles for HR specialists, head hunters and project leads were created to dupe potential targets, which reports at the time likened to 'Nation State catfishing'.
In terms of practical steps, people should start by thinking about why they have a LinkedIn account in the first place and assessing what information they actually need to share to get value out of the service. After that, it's a simple case of editing your profile and reviewing privacy settings to ensure that only your connections can see potentially sensitive data. For instance, do you really need to include your old school details, which may be the answer to a security question on another site? Probably not.
If used in the right way, LinkedIn can be a fantastic tool for businesses and professionals alike, and I don't want to discourage its use outright. However, LinkedIn users need to understand the value of their data, be more guarded when posting and viewing content online, and always be aware of the cybersecurity threat. Hackers are out there; they are smart, organised and resourceful, and they won't think twice about using a service like LinkedIn to get to their target – which could easily be you.
Andy Kays, Chief Technical Officer at UK-based threat detection and response specialist, Redscan.