Posts tagged social networking

What Anomalies Trigger The LinkedIn Sign-In Verification Challenge?

LinkedIn prompts users to take additional steps when it determines that the logon attempt is unusual. What activities does LinkedIn consider suspicious? This isn’t well documented, but here are a few possibilities.

According to LinkedIn, the service presents a security challenge when the user attempts to sign in “from an unfamiliar location or device” or when the service detects “suspicious web activity.” In this case, the user might be emailed a verification link or presented with a CAPTCHA challenge.

The security challenge could come up when the user accesses LinkedIn from a new country. In this case, the person would see:

“This sign-in attempt seems unusual for you. As a security precaution, please check your email to verify this sign-in attempt.”

The email message will explain, “Someone just tried to sign in to your LinkedIn account from an unfamiliar location, so we want to make sure it’s really you.” The email will specify the IP address and the country where the attempt originated. The recipient will be advised to click a button to verify the sign-in attempt or click another link to change the password.

Watch out, scammers might misuse this text for phishing!

LinkedIn also presents the verification prompt after an extended absence, according to one report on Twitter. Another sighting on Twitter suggests that LinkedIn might be checking for frequent login/logout actions from a single location, though the specifics of this logic are unclear.

To reduce the likelihood that the sign-in verification prompt will come up, LinkedIn recommends against signing out “each time you use LinkedIn during the day.” Strangely, the service also suggests that “you sign out at the end of each day.” (I doubt that’s very practical advice.)
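The signals described above (an unfamiliar country or device, an extended absence, and rapid sign-in/sign-out churn from one location) are the building blocks of a risk-based authentication check. The following is an added illustration of how such a check can be expressed over a constructed sign-in history; it is not LinkedIn's code, and the thresholds (90 days of absence, five events within an hour) are assumptions chosen for the example.

```python
"""Risk-based sign-in check modelled on the anomaly signals the post lists.
Added example, not LinkedIn's implementation; thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    user: str
    when: datetime
    ip: str
    country: str
    device_id: str
    event: str = "login"  # "login" or "logout"


@dataclass
class SignInPolicy:
    absence_threshold: timedelta = timedelta(days=90)  # assumption
    churn_window: timedelta = timedelta(hours=1)       # assumption
    churn_limit: int = 5                               # assumption

    def evaluate(self, history, attempt):
        """Return the reasons an attempt looks unusual; an empty list means allow."""
        reasons = []
        prior = [h for h in history
                 if h.user == attempt.user and h.event == "login" and h.when < attempt.when]
        if not prior:
            return reasons  # first sign-in ever: nothing to compare against
        known_countries = {h.country for h in prior}
        known_devices = {h.device_id for h in prior}
        if attempt.country not in known_countries:
            reasons.append("unfamiliar country")
        if attempt.device_id not in known_devices:
            reasons.append("unfamiliar device")
        last_login = max(h.when for h in prior)
        if attempt.when - last_login > self.absence_threshold:
            reasons.append("extended absence")
        # Login/logout churn: many events from the same IP shortly before this attempt.
        recent = [h for h in history
                  if h.user == attempt.user and h.ip == attempt.ip
                  and attempt.when - self.churn_window <= h.when < attempt.when]
        if len(recent) >= self.churn_limit:
            reasons.append("frequent sign-in/sign-out from one location")
        return reasons


def decide(policy, history, attempt):
    """Map the evaluation to the action the post describes: allow or challenge."""
    reasons = policy.evaluate(history, attempt)
    return ("challenge" if reasons else "allow", reasons)


# Constructed sample history for a single user (not real data).
BASE = datetime(2011, 6, 1, 9, 0)
HISTORY = [
    SignIn("alice", BASE, "203.0.113.5", "US", "laptop-1"),
    SignIn("alice", BASE + timedelta(days=1), "203.0.113.5", "US", "laptop-1", "logout"),
    SignIn("alice", BASE + timedelta(days=2), "203.0.113.7", "US", "phone-1"),
]
ATTEMPT_TIME = BASE + timedelta(days=3)


def churn_history():
    """History plus five alternating login/logout events in the 30 minutes before the attempt."""
    extra = [SignIn("alice", ATTEMPT_TIME - timedelta(minutes=5 * i), "198.51.100.9", "US",
                    "laptop-1", "login" if i % 2 == 0 else "logout") for i in range(1, 6)]
    return HISTORY + extra


if __name__ == "__main__":
    policy = SignInPolicy()
    print(decide(policy, HISTORY, SignIn("alice", ATTEMPT_TIME, "203.0.113.5", "US", "laptop-1")))
    print(decide(policy, HISTORY, SignIn("alice", ATTEMPT_TIME, "198.51.100.23", "NG", "laptop-1")))
    print(decide(policy, churn_history(), SignIn("alice", ATTEMPT_TIME, "198.51.100.9", "US", "laptop-1")))
```

A real deployment would weight these signals rather than treat any one of them as decisive, and would feed the challenge decision back into the history only once the user verifies it, so that an attacker cannot "teach" the system a new location simply by failing a challenge.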

It’s great to see that LinkedIn has been taking measures to strengthen its authentication practices! Might we even see two-factor authentication some day?

If this topic interests you, you will also like:

Lenny Zeltser

Twitter Social Networking Among Information Security People

Having used Twitter for a couple of years, I can say that its role as a social networking medium for members of the information security community has been steadily growing. The value Twitter offers infosec people is three-fold: it helps keep up with interesting security-related content; it offers a forum for interacting with fellow infosec professionals; and it assists in researching current security events and trends.

Finding Relevant and Interesting Content

Twitter users often act as curators of content, helping to identify which news stories, research papers, podcasts, etc. you should be paying attention to on a given day. To benefit from this aspect of the service, it’s best to sign up for Twitter and follow people whose taste in security content matches yours.

Deciding whom to follow on Twitter without being overwhelmed by the number of updates in your stream is a personal matter. A good starting point is to find which of your friends and colleagues are already on Twitter and follow them. Another is the list of “top” security Twitter accounts maintained by the service Listorious. Yet another possibility is the listing of “most powerful voices in security” compiled by Jim Kaskade.

One of the advantages of following the people who interest you on Twitter is that you don’t need to keep up with their updates in real time to benefit from their content-curating activities. Several free services can filter, rank and aggregate the content shared by the Twitter accounts you follow. These include:

You can follow the updates of Twitter users by subscribing to the RSS feed that Twitter generates for them. This works even if you haven’t joined Twitter; however, this method is only practical when you want to keep up with a small number of Twitter users.

Interacting With Other Information Security Professionals

Technology is making the world smaller, someone said once. Twitter certainly contributes to this dynamic: It’s incredible how many members of the information security community are just a click away on this service.

You might shy away from approaching a particular individual at a conference or worry about emailing a person you don’t know. On Twitter, such social stigmas are almost non-existent. People generally feel comfortable contacting each other: making comments, asking questions and providing answers, without much hesitation. This aspect of Twitter makes the site a fantastic source of inspiration and knowledge.

Interestingly, Twitter is even becoming the platform for discussing contents of blogs, with comments being shared as Twitter messages instead of being added to the blog post’s web page directly.

Researching Security Topics

The volume of information posted on Twitter can easily be overwhelming. This aspect of the site makes it a good source of various types of real-time and historical data related to information security.

For instance, you might use Twitter search to check what people are reporting regarding an unfolding security breach or ongoing attack; you might find information about defensive and offensive actors; you might find mentions of hashes of malicious executables or suspicious IP addresses, etc. For additional thoughts along these lines, see my earlier posts How to Use Twitter for Information Mining and Monitoring Social Media for Security References to Your Organization.

For more tips on getting the most out of Twitter, see my earlier post Joining The Information Security Community on Twitter. Oh, and you should probably follow me on Twitter: @lennyzeltser.

Lenny Zeltser

People are the new Worm
Ulysses Wang, commenting on the role that humans play in propagating malicious links on social networking sites.

11 Security Tips for Online Social Networking

Having covered the risks related to on-line social networking on several occasions, I’d like to outline my tips for using these services securely. In compiling this list, I tried to stay away from impractical recommendations, and did my best to base advice on actual occurrences, rather than theoretical threats:

  • Ignore any links embedded in email messages that appear to come from a social networking service. Instead, connect to the site directly by typing its URL or using a bookmark. This will help avoid phishing-style incidents.
  • Don’t include in your social networking communications potentially sensitive information about other people. For instance, some parents don’t like revealing the names of their kids online. Understand and respect your friends’ privacy preferences.
  • Be skeptical of job postings on social networking sites until you confirm that you’re interacting with an official representative of the company where you’d be applying. Avoid responding to offers that sound too good to be true, such as high-paying work-from-home gigs.
  • If a friend asks you for money using chat or messaging functionality of a social networking site, confirm that you’re interacting with the person you know, rather than an impostor or a bot that compromised the account. This could be a variation of the stuck-in-London scam.
  • Be careful clicking on links that use unusual URL-shortening services or those that promise to display shocking or embarrassing videos. If such links bring you to a site that doesn’t feel right, close the browser tab without clicking any buttons on the page to avoid clickjacking attacks and other scams.
  • Don’t download any tools or software updates when prompted to do so after clicking a link you obtained from a social networking site. This could be an attempt to propagate malware.
  • Don’t use public social networking sites to discuss sensitive company matters, even if you believe you’re interacting with people working for the same company. You might be communicating with impostors or potentially broadcasting to the whole world.
  • When sending private messages using a social networking site, assume that some day they may become public. The data might be revealed due to your own error or because the service provider may end up leaking the information inadvertently or through dubious practices.
  • Use social networking services in a manner consistent with your employer’s policies. When encountering a suspicious situation on a social networking site that may involve your employer’s data or computer systems, let your IT or security staff know.

While the tips above were focused on social networking services, standard Internet safety recommendations apply: Limit the reuse of passwords across sites; keep up with security practices; disable risky browser plugins that you rarely use (e.g., Java).

Like any of our actions that involve interacting with others, using social networking sites exposes us to risks of being scammed, infected or otherwise attacked. My hope is that the tips above provide practical recommendations that allow people and organizations to derive benefits from these communication mechanisms while keeping the risks at a manageable level.

Lenny Zeltser

Which Apps Are Authorized to Access Your Social Networking Accounts?

Instead of pursuing vulnerabilities present directly in Facebook, Twitter or LinkedIn, attackers might find it easier to identify problems in less mature websites and apps designed to integrate with the targets’ social networking accounts. From the user’s perspective, it’s easy to forget about the myriad of sites that the person may have authorized to have read or write access to his social networking profile.

Follow the steps below to review which apps you’ve authorized to access your Facebook, Twitter and LinkedIn accounts. Check this list periodically and deauthorize the services you no longer use. When in doubt, remove access—when you use the site or app that relied on that access, you should be able to easily reauthorize it.

LinkedIn

Access the Authorized Applications page by hovering over your name in the upper right corner of the LinkedIn site. Select Settings. In the bottom left corner select Groups, Companies & Applications. Select “View your applications”.

Facebook

Access the Application Settings page by clicking on the Account button in the upper right corner on the Facebook site. Select Account Settings. On the left side of the screen select Applications.

Twitter

Access the Connections page by clicking on your name in the upper right corner of the Twitter site. Select Settings, then select the Applications tab.

Lenny Zeltser

The Use of Fake or Fraudulent LinkedIn Profiles

When discussing scams and malicious activities that have utilized the linkedin.com website, I alluded to the use of fake or fraudulent LinkedIn profiles. Though it’s hard to confirm the true nature of suspicious-looking profiles, I came across several that were implicated in conducting illegitimate activities; also, several studies have used fake LinkedIn profiles to conduct security-related research.

Initiating Contact Through LinkedIn in a Targeted Attack

Two years ago the LinkedIn profile that claimed to belong to Murray Rubens was being used to establish contact with employees at a well-known technology company. The person investigating the incident pointed out that the alleged scammer’s profile indicated that he worked at the targeted company since 1997; however, the company had no record of this employee. Here’s an example of a message sent by “Murray Rubens”:

I’d like to add you to my professional network on LinkedIn. I just got involved with Linked in and I wanted connect. I really love my job at Redactedand I want to connect to as many of my collegues as possible. I want to get off to a great start. Please connect if you do not wish to connect its OK. - Murray

Such an approach can be used to target the company’s employees with social engineering, malware or other attacks.

Note the apparent inconsistency between “Murray Rubens” claiming to be at the company since 1997, yet expressing the desire to “get off to a great start.” (Thanks to the investigator for allowing me to publish these details.)

Potential Scams That Involved LinkedIn Profiles

The Ripoff Report website documents numerous reports of confirmed and suspected scams. Some of them reference LinkedIn profiles that alleged scammers used when interacting with the complaining party.

One complaint describes a scam allegedly conducted by “Ana Velasco.” According to the report, “Ana Velasco” followed the transcript of a classic bank guarantee scam over the period of 3 months. The alleged scammer is reported to have baited the victim out of $25,000 “by falsifying federal investment documents, wealthy client lists, worldwide contacts (Deutch Bank) falsifying her background in commodity trading and high yield investments.” The report includes a link to the LinkedIn profile of “Ana Velasco,” which is no longer present on the site.

Another write-up on Ripoff Report discusses an individual, who was reportedly “posing as an investor on LinkedIn.” The person who filed the complaint explained that this individual contacted him through LinkedIn regarding investing in the person’s company. The report describes a number of red flags that made the person who filed it concerned, including inconsistencies in domain registration details. However, it stops short of presenting clear evidence that the interactions initiated via LinkedIn were part of a scam.

Fake LinkedIn Profiles Set Up by Researchers

A number of studies explored people’s willingness to interact with strangers on social networking sites, potentially revealing sensitive information or otherwise exposing themselves or their employers to scams. For example, Thomas Ryan of Provide Security set up a profile of a fictitious person named Robin Sage on LinkedIn, Facebook and Twitter. The profile used the photo below and described Robin Sage as “a flirtatious 25-year-old woman working as a ‘cyber threat analyst’ at the U.S. Navy’s Network Warfare Command,” according to the Washington Times article about the experiment.

According to the paper Thomas Ryan wrote about the experiment, he used the Robin Sage profile to establish connections with “executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences.” Thomas concluded that “the propagation of a false identity via social networking websites can be rampant and viral.”

Another experiment using a fake LinkedIn profile was conducted by Dennis Rand from CSIS Security Group. Seeking to research and demonstrate the potential for information leakage through LinkedIn, Dennis created a profile of a fictitious person named John Smith, after which he sent invitations to connect on LinkedIn:

Dennis provided the text of the invitation in the presentation he created to describe the experiment:

“I found you while I was searching my network on LinkedIn and found you.

In the future I might be interested in contacting you regarding a possible job/business connections, so this is my way to keep a list of interesting people/possible future business partners/connections. …

Hope you will take the time to read my profile and accept my invite : )”

Dennis reported that “in less than 2 weeks I had build up a network of 1300+ connections with email addresses, names and a lot of information about the different large companies.”

Wrapping it Up

The nature of on-line social networking involves establishing connections with people without the opportunity to establish the person’s authenticity and reputation. Making the initial connection requires taking a leap of faith, which can easily be exploited by scammers. As we saw, security researchers have demonstrated the ease with which anyone can quickly build a respectable-looking profile on LinkedIn. We also saw that miscreants can rely on LinkedIn profiles as part of a cover story when conducting a scam.

This post is part of a series that explores LinkedIn scams, fraud and information security risks. The other posts are:

Lenny Zeltser

Scams and Malicious Activities Using the LinkedIn Website

Although malicious activities that involve LinkedIn aren’t as popular as those associated with other social networking sites, the service has seen its share of scams and fraud. The majority of such incidents occurred outside of the LinkedIn website, and took the form of LinkedIn look-alike email spam. However, there have been cases where the scammers used the linkedin.com website itself to achieve their goals. Let’s take a look at some of them.

Using linkedin.com as a Redirector to Malicious Sites

It’s simple to use linkedin.com as a redirector to other websites at the moment. The URL needs to look like this to redirect you to Google, for instance:

http://www.linkedin.com/redirect?url=www.google.com

Attackers benefit from “bouncing” users off a website that has a strong reputation, because doing so lends credibility to the link that ultimately will lead to a malicious site. Gerald Dillera at TrendLabs described one such attack that used linkedin.com. The incident involved Facebook wall posts that promised to show “The Video That Just Ended Justin Biebers Career For Good!”

When the potential victim clicked the link, Facebook showed a confirmation that the person is about to leave Facebook.com and be taken to linkedin.com. However, linkedin.com would redirect the person once more to a malicious domain. According to Gerald, “the cybercriminals behind this attack benefit from those who paid to answer the online survey. In addition, this can also pave the way for malware infection and information theft.”
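The attack above works because the visible link (and Facebook’s leave-site confirmation) names a reputable host, while the real destination is hidden in a query parameter. From the defender’s side there are two pieces: spotting such “bounce” links in messages or logs by resolving where the redirector actually points, and, on the redirector’s own side, refusing to forward to hosts that are not on an allow-list. The code below is an added example, not LinkedIn’s or TrendLabs’ code; the `/redirect` path and `url` parameter are taken from the URL shown in the post, while the allow-list, the extra parameter names and the sample message are assumptions constructed for the example.

```python
"""Detect off-site "bounce" links that route through a reputable host's
redirect endpoint, and validate redirect targets server-side.
Added example; endpoint shape comes from the URL in the post, the rest is assumed."""
import re
from urllib.parse import urlsplit, parse_qs

REDIRECT_PATHS = {"/redirect"}           # endpoint shape seen in the post
REDIRECT_PARAMS = ("url", "u", "next")   # "url" is from the post; the others are assumed
ALLOWED_HOSTS = {"www.linkedin.com", "linkedin.com"}  # assumption for the validator
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def same_site(host_a, host_b):
    """Naive registrable-domain comparison (last two labels); a simplification
    that mishandles suffixes such as co.uk, which a real deployment would
    resolve with the public suffix list."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def redirect_target(link):
    """Return the destination host a redirector link points to, or None if the
    link is not a redirector at all."""
    parts = urlsplit(link.strip())
    if parts.path not in REDIRECT_PATHS:
        return None
    qs = parse_qs(parts.query)
    for name in REDIRECT_PARAMS:
        if qs.get(name):
            target = qs[name][0]
            # A bare host such as "www.google.com" is still an absolute destination.
            if "://" not in target:
                target = "http://" + target
            return urlsplit(target).hostname
    return None


def is_offsite_bounce(link):
    """True when the link bounces off one site to a different registrable domain."""
    dest = redirect_target(link)
    if dest is None:
        return False
    return not same_site(dest, urlsplit(link.strip()).hostname)


def flag_links(text):
    """Extract URLs from free text and return those that are off-site bounces."""
    return [u for u in URL_RE.findall(text) if is_offsite_bounce(u)]


def safe_redirect(requested, fallback="/"):
    """Server-side hardening: only follow same-site paths or allow-listed hosts.
    Anything else (bare hosts, protocol-relative "//host", foreign hosts,
    backslash tricks, userinfo such as "trusted@evil") falls back to a safe page."""
    target = (requested or "").strip()
    if "\\" in target:
        return fallback
    if target.startswith("/") and not target.startswith("//"):
        return target  # relative path on our own site
    if "://" not in target:
        return fallback  # never prefix a scheme onto a bare host
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return fallback


# Constructed sample wall post in the style described above (not the real one).
SAMPLE_POST = ("The Video That Just Ended Someone's Career For Good! "
               "http://www.linkedin.com/redirect?url=www.google.com "
               "see also http://www.linkedin.com/in/someone")

if __name__ == "__main__":
    print(flag_links(SAMPLE_POST))
    print(safe_redirect("http://www.google.com"), safe_redirect("/inbox"))
```

The detection half is useful in mail and web-proxy filtering: a link whose first hop is a trusted host but whose resolved destination is elsewhere deserves the same scrutiny as a direct link to the destination. The validator half is what the redirecting site itself should do; accepting a free-form `url` parameter, as the post shows, is what turns a reputable domain into a laundering service for other people’s links.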

Fraudulent Job Postings on LinkedIn

The LinkedIn Jobs site is designed to pair up job seekers with employers. Perhaps it’s not surprising that this service can act as a venue for distributing fraudulent job postings. The examples I’ve seen involved recruiting money mules, though the creators of these job postings did their best to make them look legitimate.

Consider one such posting, which has been live on LinkedIn for about a month as of this writing and carried the title “*** COME AND WORK WITH US ***”. This work-from-home job promised to pay a weekly salary and a 10% commission for “assisting us in processing the payments from our clients.” The responsibilities were described as follows:

“1. Recieve payment from Customers

2. Cash it at any cashing point or at your banks and you will deduct 10% which will be your percentage/payon Payment processed

3. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to.(Payment is to forwarded either by Money Gram or Western Union Money Transfer.”

The posting claimed to be recruiting for a legitimate UK company. It was posted by “scott miller” with a mostly empty profile, 1 connection and the location of Nigeria.

The text in the above job posting was very similar to the one that Scott Allen from LinkedIn Intelligence described in 2007. It was titled “REQUEST TO ACT AS PAYMENT REPRESENTATIVE” for H & S International Limited:

Criminals recruit money mules in an effort to get money earned through illegitimate means out of the country. In some cases, dedicated sites are set up for the recruiting effort. In others, traditional job sites, including LinkedIn, help with the hiring process.

Scams Sent to the LinkedIn Inbox

Like many other social networking sites, LinkedIn allows the site’s users to contact each other using an email-like messaging service. This functionality can be used to contact LinkedIn users for fraudulent purposes. LinkedIn users tend to be in a sociable frame of mind when visiting linkedin.com and checking the contents of the site’s Inbox; this might make them more vulnerable to scams.

For instance, some LinkedIn users received in their Inbox a message from Natasha Kone, whose text followed the narrative of a classic 419 scam:

“Before the death of my father on the 12th December 2007,in a private hospital here in Abidjan,he called me secretly to his bed side and told me that he kept a sum of $6.500 000… I am inclined to offer you 15% of the total sum as a way of compensation for your effort after the successful transfer of these fund to your nominated account overseas.”

In such advanced fee scams, the target is persuaded to “advance sums of money in the hope of realizing a significantly larger gain” according to Wikipedia. Contacting potential victims using LinkedIn offers the scammer the potential to build a believable social networking profile that could put the target at ease.

Consider another scenario, which demonstrates, at best, questionable use of the LinkedIn website. Joseph Dowdy from MeshMarketer described receiving “an invitation through LinkedIn to become listed in Stanford Who’s Who.” Joseph wrote that because “the invitation was coming from LinkedIn, I thought it must be legit without having to do the footwork to see if it was a scam.”

Joseph later became suspicious of the service after noticing that the sample profile shown on Stanford Who’s Who’s website was using a photo of his friend without her approval. He noticed numerous complaints recorded about the company on the Ripoff Report website, alleging that it deceives people into paying large fees.

Wrapping it Up

As you can see, scammers have been using the LinkedIn website in several ways, including treating linkedin.com as a redirector to malicious sites, posting fraudulent ads and interacting with potential victims using the LinkedIn website. It’s interesting to note that while the platform provides numerous other opportunities for fraud, I haven’t seen many publicly-documented incidents of this nature.

This post is part of a series that explores LinkedIn scams, fraud and information security risks. The other posts are:

Lenny Zeltser

The Potential for Malicious Ads on linkedin.com

LinkedIn includes a platform that allows advertisers to display targeted ads to linkedin.com users. The advertiser can specify the URL of the advertised website. As a result, this presents an opportunity to direct linkedin.com visitors to malicious websites through LinkedIn ads.

However, I have not found any confirmed incidents where the LinkedIn website was used to host such malvertisements. Why not?

This might be because of a relatively high cost of setting up a LinkedIn campaign. Though the site allows advertisers to budget as little as $10 per day, the minimum cost per click is $2. That’s more than many other advertising venues would charge.

Another reason for scammers not distributing malicious ads through LinkedIn might be the effort it takes to build a reputable LinkedIn profile, which is necessary to submit the ad. Though this cost isn’t very high, it may be more effort than what’s involved in submitting ads to other venues.

Do these reasons make sense to you? Do you have a better explanation for the apparent lack of malvertising on linkedin.com, despite the site’s potential to distribute ads to the desired demographic?

This post is part of a series that explores LinkedIn scams, fraud and information security risks. The other posts are:

Lenny Zeltser

Why There Are Fewer LinkedIn Scams and Malware Than Facebook Ones

When discussing the risks of fraud, malware and other scams on social networking sites, security professionals often refer to Facebook and, to a lesser extent, Twitter. What about LinkedIn? Its popularity is increasing, as is its feature set, and the company’s IPO will help ensure an abundant supply of funds to fuel growth. This article explores the scams, fraud, phishing and other risks involving LinkedIn that have occurred to date.

According to some metrics, LinkedIn’s popularity rivals only that of Facebook; however, there appear to be fewer fraudulent activities related to LinkedIn. Seeking to better understand this apparent paradox, I asked on Twitter why we aren’t seeing more scams and malware on LinkedIn.

Below is the gist of the answers I received. (Thanks to everyone who responded!)

  • LinkedIn isn’t used as often as Facebook, implied @secdouchebag and @kcgeek. Though LinkedIn has a lot of users, one study found that only 50% of them visit the site at least weekly and only 20% visit it daily. Fewer interactions with the website might explain why most of the LinkedIn incidents seem to have involved email.
  • LinkedIn’s apps platform is very limited, said @bond_alexander. The weak app ecosystem restricts this way of targeting the social networking site’s users. This may be another reason for email being a common element in many LinkedIn scams, he added. In contrast, Facebook apps are highly popular and have often been misused by scammers.
  • People’s LinkedIn interactions have a professional perspective. This frame of mind doesn’t generate the same social/emotional response as Facebook, which makes them more resistant to being tricked, suggested @adamshostack. In addition, @marypcbuk pointed out that people tend to pay more attention to their LinkedIn interactions, because they police their professional activities more carefully than personal ones.

LinkedIn users certainly aren’t immune to risks. For instance, @nuskoolsecurity highlighted numerous spam messages that replicated emails that LinkedIn sends to its users; @secdouchebag mentioned the existence of spear phishing on LinkedIn; @wireheadlance pointed out the use of LinkedIn by scam artists.

The potential of LinkedIn as the platform for malicious activities is especially significant because many organizations allow access to linkedin.com, even when they block other social networking sites, as @xaocuc observed.

Conjectures aside, what incidents involving LinkedIn have actually taken place in the recent years? This post is part of a series that explores LinkedIn scams, fraud and information security risks. The other posts are:

Lenny Zeltser

The Use of the Modern Social Web by Malicious Software

Malicious software thrives in the richness of the social web ecosystem, which incorporates mobile devices, reliable networks, powerful browsers and sociable users. Modern malware is programmed to take full advantage of these elements, which are especially potent in the context of social media and social networking websites. As a result, we’re seeing malware exhibit the following characteristics:

  • Using social networking sites to remotely direct malicious tools and attackers’ actions
  • Controlling social media content to provide attackers with financial and political rewards
  • Distributing links on websites with social capabilities for autonomous malware propagation
  • Defrauding participants of the social web by using chat bots and other techniques

I created a brief presentation on how malicious software makes use of these techniques to thrive on the social web and to offer lucrative benefits to malware authors and operators. If this is interesting to you, download my presentation, complete with full speaker notes and references (PDF).

You might also want to tune into the free SANS webcast where I presented an earlier version of this briefing. The benefit of listening to this recording is that you’ll also hear the perspective of Dasient’s Neil Daswani on other ways in which malware thrives on the web ecosystem.

Lenny Zeltser