[personal profile] jducoeur
Today, as so often lately, I got a LinkedIn invitation from an old colleague who I haven't seen in a number of years. In this particular case, it was the CEO for my last company, who I had actually been looking for at one point, when I thought it might make sense for my current company to buy the old one's IP.

And it suddenly occurred to me: how the heck do I know that it's actually him? I mean, LinkedIn allows anybody to claim a particular identity -- I can say that I'm person X, formerly company Y, and they don't do much to check that. They let me send out invitations to all of my "colleagues" from that company, and those colleagues are likely to simply accept me at face value. They lend a wholly spurious imprimatur of legitimacy to me, simply because I claim to be that person. Heck, they even *encourage* me to make contact with everyone from company Y, and make it as easy as possible to do so. I haven't looked at it in detail, but it appears to me that LinkedIn's trust model is badly broken: it provides just the right combination of privacy and communication to make identity theft really easy.

So here's a prediction: if it hasn't happened already, we're going to see a quiet rise in highly targeted, very dangerous social-engineering attacks conducted via LinkedIn, and possibly other systems like it. It will be used to convince a target that the hacker is an old associate, and the resulting trust will be leveraged for criminal ends.

Given the rise of targeted phishing (one of the news stories of the past couple of months is the fall of generic spam, and the rise of targeted criminal phishing attacks aimed at C-level executives at companies), I think this one's damned near certain. The crooks aren't dumb enough to miss this opportunity, and it's going to force LinkedIn and companies like it to rethink their procedures after a few good scandals arise...

Date: 2007-07-30 03:32 pm (UTC)
From: [identity profile] cvirtue.livejournal.com
I'd been rather wondering about things like that as well (not quite as up front in my brain as you have been, though.)

To start to set up your network, you need their valid email addresses, which helps, but as you say, the system hands you suggestions after that, and you don't need even that thin level of prior contact/memory.

Date: 2007-07-30 03:38 pm (UTC)
From: [identity profile] msmemory.livejournal.com
Oh, but you don't need their valid email address. You can claim to be Rupert.Murdoch at gmail dot com, and it'll send you a verification mail, but there's no guarantee that Rupert Murdoch of the news empire is the owner of that gmail account.

Date: 2007-07-30 04:09 pm (UTC)
From: [identity profile] dlevey.livejournal.com
I seem to have an innate distrust of places like this. I can't shake the feeling that my being there will be of more help to "them" than to me. I feel like I'm being sold to, and being sold.

Perhaps if my career were different so would my feeling on this sort of stuff. I'm neither a mover nor a shaker, and business-wise I am only of limited utility to know. Nor am I in a position to use other people to further my own business; networking doesn't help me all that much. When I'm looking for employment it's a little different, but still...

Perhaps what you're seeing is part of my gnawing dislike of business networking sites - I never bothered to stop and think about it.

Date: 2007-07-30 04:44 pm (UTC)
From: [identity profile] etherial.livejournal.com
I've added in "colleagues" from Intercon. As a result, I can see everyone from some Eastern European company called "Intercon".

Date: 2007-07-30 06:12 pm (UTC)
From: [identity profile] metahacker.livejournal.com
I think a solution might be to have a standard* measure of how authenticated an identity is, and what the standard sort of things you should share with such a person might be. Complicating this is the fact that IME authentication isn't grokked by the general populace: though it's reasonably easy to explain, it seems like people keep making the authentication mistake over and over again despite knowing about it. ("So you're saying there's *some* sort of connection between Ben and Glory...but...I don't see it.")

LinkedIn has reason to ask you to use their site for more and more stuff, so they have a motive *not* to make sure you question someone's identity; otherwise I'd say prevail on them to include such a primer.

(* I shuddered when I wrote this. _More_ standards?)

Date: 2007-07-30 10:47 pm (UTC)
From: [identity profile] ladymacgregor.livejournal.com
I've actually resisted getting into LinkedIn, although I've been invited by a couple different people. I *am* part of my ex-company's Yahoo list, which is quite useful. So, perhaps a bit oddly, I get happy news out of your post here: less generic spam! Woo hoo!

(I've gotten WAYYYYYY too many messages intimating that I'm *ahem* "not male enough" or too fat. Hmph.)

Date: 2007-07-31 02:00 am (UTC)
From: [personal profile] cellio
One response is to avoid/ignore sites like that. Another is to use it but remember that it's all unverified. I've been contacted by alleged past coworkers and accepted their invitations; on the other hand, I haven't given them anything non-public by doing so, so I'm not sure that's a problem. However, people likely to respond to pleas for favors from "friends" they don't know well enough to have valid contact info for should beware.
