LinkedIn is my go-to for social media. Why? Because it is a business-centered platform. It allows a bit of “blogging” that immediately connects those blog posts to my connections. While I still have a number of blogs (because many of my posts aren’t about business), they don’t have nearly the reach that my LinkedIn articles have. I also find my LinkedIn feed as compelling as Facebook.

Clearly LinkedIn is also the first choice for job seekers and recruiters. It serves as a one-stop research and validation tool. It’s pretty easy to use and everyone’s bio is out there for the world to see. It lets everyone know who you are and what you have accomplished.

Except it doesn’t.

As with any other marketing, LinkedIn shows what we tell it to show. If you tell LinkedIn that you are the CEO of Microsoft, it will trust you and put that on your profile. There is no confirmation that you really are who you say you are.

You may think this is a small problem but it is a huge security threat! Don’t believe me? Let me make up a story for you.

<Storytime>

Let me introduce Sally

Imagine that Sally sends you a message on LinkedIn claiming to be a marketing recruiter for a well-known company, let’s call it XYZ. You may not be looking, but working for XYZ would be amazing…so you read more.

The position is virtual (check!) and your specific experience seems to align with what they are looking for. (Extra points for flattery, so check, check!)

The offer seems interesting, so you decide to check out Sally’s LinkedIn profile. She has been working at XYZ for a number of years (check) and has a lot of connections (check). She is even connected to one or two of your close friends (check). Maybe this is legit.

“Ok, Sally, tell me more.” At this point, you’ve already made yourself a target and they just need the right angle.

What if Sally wants to have a phone call? Would you give Sally your private phone number? (bite!)

On the call, the job sounds great! Would you be willing to fill out a pre-employment form so she can submit your name to the hiring manager? Would you send over your CV? (bite!)

You’ve just given out two major pieces of really important personal information to a bad guy: your personal phone number and e-mail address. Did you even realize it? They are both on your resume, right? They were also on the form she sent. Those two items alone could be a goldmine and worth money on the black market. But Sally is looking for something more lucrative: she wants your employer.

Remember that job application she sent over? It was shared on her company Google Drive and had you log in via Google. That’s not a problem, right? It looked right; it was branded as XYZ. (Now Sally knows your Google password.)
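The branded sign-in page in the story works because the victim judges the page by its logo rather than by the address bar. A habit that defeats it is to check the host of the login URL before typing a password. The following Python is an added example written for this post (not code from the original article); the allowlist of trusted sign-in hosts and the sample links are constructed assumptions, and it goes a little beyond the story by also catching the common look-alike tricks: a trusted name used as the prefix of a longer attacker domain, a trusted name hidden before an `@`, plain HTTP, and punycode (`xn--`) hosts that can mimic Latin letters.

```python
from urllib.parse import urlsplit

# Assumption: a small allowlist of hosts that legitimately show a Google sign-in
# page. Extend it for other identity providers your organisation actually uses.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "drive.google.com"}


def classify_login_url(url: str) -> tuple[bool, str]:
    """Decide whether a sign-in link is safe to type a password into.

    Returns (True, "trusted host") only when the link is HTTPS and its real
    host (not a prefix, not the part before '@') is on the allowlist.
    Otherwise returns (False, reason) with a short reason for a human reviewer.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    # .hostname drops userinfo ("user@") and the port, and lowercases the name,
    # so "https://accounts.google.com@evil.example/" resolves to evil.example.
    host = parts.hostname
    if not host:
        return False, "no host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host (possible look-alike letters)"
    if host in TRUSTED_LOGIN_HOSTS:
        return True, "trusted host"
    # A trusted name appearing inside the host is the classic look-alike trick.
    if any(trusted in host for trusted in TRUSTED_LOGIN_HOSTS):
        return False, f"look-alike host {host}"
    return False, f"unknown host {host}"


def triage(urls: list[str]) -> list[tuple[str, bool, str]]:
    """Run classify_login_url over a batch of links, e.g. from a recruiter e-mail."""
    return [(u, *classify_login_url(u)) for u in urls]


# Constructed sample links, modelled on the "XYZ-branded" form in the story.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin/oauth?client_id=example",
    "http://accounts.google.com/signin",
    "https://accounts.google.com.xyz-careers.example/login",
    "https://accounts.google.com@drive-share.example/form",
    "https://xn--ggle-0nda.com/login",
    "https://drive.google.com/file/d/EXAMPLE/view",
]

if __name__ == "__main__":
    for url, ok, reason in triage(SAMPLE_LINKS):
        print(f"{'SAFE ' if ok else 'STOP '} {reason:45} {url}")
```

Only the first and last sample links pass; every other one carries the kind of address that the XYZ-branded page in the story would have used, and a glance at the host is enough to refuse it.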

Now Sally gets to do what people in cybersecurity call a pivot. Having access to one system, the attacker starts looking for where they can go from there.

Do you store your passwords in Google Chrome? (Sally knows you do!)

Do you save your company VPN password in Google Chrome? (Sally knows that as well!)

You may be a little concerned by all this. “Well, I don’t really have much access to things at work,” you think.

What can Sally do with your VPN password? Remember, with it Sally can get into almost any system at your workplace. That is when Sally takes the next step and goes for a tactic called privilege escalation. In this step Sally uses information on a workstation to try to find an account with even more access. The first thing they look for is information left over from when the administrator last logged in on your system. Has IT ever logged into your workstation to fix a problem? (Sally can tell they have, and she now has access to the password.)

So, with the administrator password for the company and the ability to VPN in, the rest is simple. Seek out the valuable company data and download it. Then, either try to exploit the access to get accounting to pay some fake bills, or install ransomware and get the company to pay them.

</Storytime> (this is a cute “techie” way of saying ‘end of storytime’)

You may think this is far-fetched. It’s not. These steps are fairly easy to follow and perform. I picked the name “Sally” because women are less threatening. She also has a nice photo on LinkedIn. It’s fake, of course.

“Information Technology will stop this from happening”

Think your IT department will catch all this before it happens? Well, “IT” is usually focused on getting new systems installed and keeping old systems running. They are busy enough without doing security as well, but even if they WERE looking, would they catch this? Look at how many ransomware attacks happened last year; most of those companies had good IT shops…

The fact is, the people (that means YOU) are the weak point. Nearly all successful attacks relied on some human failure. That failure is usually someone who didn’t even think something they did could be a problem.
