
Stop Scammers From Attacking Your LinkedIn Account

Symantec

By Satnam Narang, Senior Security Response Manager, Symantec

Scammers continue to aggressively target social media with various tactics including mining for personal information used to access and hijack your account.

Recently, scammers targeted LinkedIn users with phishing emails claiming to be from LinkedIn Support. The bogus emails warned of so-called “irregular activities” that had supposedly prompted a “compulsory security update” for the recipients’ LinkedIn accounts. The crux of the scam was prompting recipients to download an attached form (an HTML attachment) and follow its instructions.

“Keep in mind that a site like LinkedIn would never ask you to open an email attachment or install a software update,” according to LinkedIn’s official Help Center.

Unfortunately, these fraudulent emails were not from LinkedIn. In some cases, recipients opened the malicious attachments and exposed their personal information (and their professional network) to the attackers.

How The Attackers Did It

One evasion technique was spelling “LinkedIn” in the email with a lowercase “l” in place of the capital “I”. The two characters are nearly indistinguishable to the eye in many fonts, so the misspelling goes unnoticed by recipients while slipping past mail filters that match on the exact brand name.

However, the most damaging part of the scam was the HTML attachment itself. Because the phishing form opens locally from the attachment rather than from a website, it bypasses the browser blacklists that flag known suspicious sites to keep users from being phished.
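A defensive check that combines the two indicators above, added here as an example and not part of the original article or Symantec’s own tooling: it parses a constructed message with Python’s standard email library, flags an attached HTML part, and catches brand names that differ from “LinkedIn” only by confusable characters such as a lowercase l for a capital I. The confusable-character classes and the sample message are assumptions for illustration.

```python
import email
import re
from email import policy
# Characters that look alike in common fonts; the first in each class is the representative.
CONFUSABLE_CLASSES = ["il1|", "o0", "e3", "s5"]
FOLD = {c: cls[0] for cls in CONFUSABLE_CLASSES for c in cls}
BRAND = "LinkedIn"

def fold(word):
    """Lower-case the word and collapse each confusable character to its class representative."""
    return "".join(FOLD.get(c, c) for c in word.lower())

def lookalike_brand_words(text):
    """Words that render like 'LinkedIn' (e.g. 'Linkedln') but are not the brand name itself."""
    return sorted({w for w in re.findall(r"[A-Za-z0-9|]+", text)
                   if w.lower() != BRAND.lower() and fold(w) == fold(BRAND)})

def html_attachments(msg):
    """Filenames of attached HTML parts, the delivery vehicle used in the campaign above."""
    return [part.get_filename() or "" for part in msg.iter_attachments()
            if part.get_content_type() == "text/html"
            or (part.get_filename() or "").lower().endswith((".htm", ".html"))]

def triage(raw):
    """Parse a raw message and report the two indicators described in the article."""
    msg = email.message_from_string(raw, policy=policy.default)
    headers = " ".join(str(msg.get(h, "")) for h in ("From", "Subject"))
    body = msg.get_body(preferencelist=("plain",))
    text = headers + " " + (body.get_content() if body else "")
    findings = {"lookalike_brand": lookalike_brand_words(text),
                "html_attachments": html_attachments(msg)}
    findings["suspicious"] = bool(findings["lookalike_brand"] or findings["html_attachments"])
    return findings

# Constructed sample, not a real message: lowercase 'l' for 'I' in the brand name plus an attached HTML "form".
SAMPLE = """From: "Linkedln Support" <support@example.test>
Subject: Compulsory security update for your Linkedln account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

We detected irregular activities. Download the attached form and follow the instructions.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="security_update_form.html"

<html><body>form</body></html>
--b1--
"""
print(triage(SAMPLE))
```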

For more coverage on these HTML attachment scams, read “Money Transfer Spam Campaign with HTML Attachment” on the Symantec Security Response Blog.

Is Phishing Effective?

While most of us think we’re too smart to fall for phishing, a new Google study found that some fake websites worked 45% of the time. The study also found that on average, people visiting the fake pages submitted their info 14% of the time. Even the most obviously fake sites were found to still trick 3% of users.

Why Target LinkedIn?

Let’s face it: business is often about connections. Whether it’s for an executive, small business owner or individual consultant, social networks like LinkedIn can serve a crucial role in maintaining and expanding professional networks. LinkedIn boasts over 330 million users – and that’s an attractive target for criminals.

“Unlike Facebook and other social networks that deal with our personal or family life, LinkedIn is generally accepted as the professional social network,” said Charlie Treadwell, Director, Global Social Media, Symantec. “Because of this, increasing your connections is one of the primary goals of LinkedIn.”

And the phishing scammers know that a fake “security alert” can pressure a recipient into anxiously clicking or downloading a scam link without careful examination.

In addition to phishing emails, scammers are also using fake accounts in an attempt to tap into your personal private information.

Treadwell also warns against accepting every connection request, because “few people take the time to review their privacy settings in LinkedIn and may not be aware that accepting a connection request can grant the user permission to see your connections, email and even your phone number.”

Social Network Security Tips

Here are some basic security tips to keep your LinkedIn and social media accounts safe:

  1. Use two-step verification - LinkedIn users should consider turning on two-step verification, a true “security update” that provides an extra layer of security. With two-step verification enabled, even if a user’s credentials were compromised, an attacker would not be able to login without having access to the user’s mobile phone. Review your privacy settings, too.
  2. Never click on links or download attachments from LinkedIn emails - If you’re suspicious of a purported email from LinkedIn or another social network, copy and paste the link into your browser or inspect the URL before visiting the link.
  3. Inspect profiles from people you don’t know who want to connect - Before you accept requests to connect from people you don’t know, inspect their profile to ensure that they are in fact a real person. One dead giveaway of a fake account is an incomplete profile with 500+ connections, zero or few skills and no endorsements.
  4. Change passwords immediately and contact LinkedIn if you’ve been attacked - If your LinkedIn account has been compromised, change your password immediately, make sure two-step verification is enabled and review your privacy settings. It’s also imperative that you report the malicious activity to LinkedIn (phishing@linkedin.com).

Educating Enterprises and Yourself

It’s important to raise awareness of the rising rate of phishing attacks through social media. Simply clicking on a malicious link can potentially give an attacker access to your computer or even your corporate network. Promote the adoption of security features like two-step verification to protect accounts, and educate your company on safe security practices. Professional social networks like LinkedIn are about connecting professionals, and it’s important to make sure your account is safe. While there’s no foolproof solution, practicing these safety measures can help keep your personal information and network secure.

As a leader in information protection technology, Symantec is uniquely positioned to offer insights on the rapidly evolving digital landscape. For more information on Symantec, visit symantec.com, follow the official Symantec blogs and find us on Twitter: @Symantec