Phishing: a topic we are all more than familiar with; after all, we have heard a number of horror stories over the last few years! Unfortunately, attackers are only getting more creative with their approaches to extort you and your employees. Let’s dive into how hackers are using LinkedIn to lure in victims.
1. Fake LinkedIn profiles
Watch out for fake profiles trying to connect with you that might look like they belong to people who work with you. These fake accounts are used to get you to give up personal information, or to direct your employees to sites with embedded malware. Employees should be aware of the various scams: if the attackers do manage to get hold of email addresses, they can use these to launch spear-phishing campaigns. And we all know what could happen if just one of your employees clicks on one of these links!
The easiest way to spot these scams is by looking at the profile information: these profiles usually lack personal details, might not have a profile picture, and often have limited connections. Although rare, Premium accounts can also be fake, so this should also be considered when reviewing profiles.
If your employees do recognise any of these threats, they should report the fake profiles. Leaders should also encourage employees to verify with senior leadership if they are unsure whether an employee profile is legitimate. It’s better to be safe than sorry!
2. Spear-phishing campaigns targeting job hunters
This fairly recent campaign was circulating on the internet and was launched by a group called Golden Chickens. The group were delivering the fileless backdoor ‘more_eggs’ through a spear-phishing campaign targeting professionals on LinkedIn with fake job offers.
The campaign is designed to trick victims into opening a malicious .ZIP file. The file is named after the victim’s job title with the word ‘position’ added at the end, so that it looks like a legitimate offer. Opening this fake job offer installs the fileless backdoor ‘more_eggs’, and once installed, ‘more_eggs’ can fetch further malware and give the attackers access to the victim’s system.
It’s important to note that this group also sells ‘more_eggs’ as a service to other cyber criminals, who use it as a means to install malware, steal credentials and data, and launch ransomware.
3. Phishing emails with common LinkedIn subject lines
What’s the most common way to lure victims in? By using the same lingo as the brand they’re impersonating, of course! And that’s exactly what the attackers have been doing. Most of us have LinkedIn and we’re familiar with their emails, so you’ve probably come across “You appeared in new searches this week!”, “People are looking at your LinkedIn profile”, or “Please add me to your LinkedIn network”.
These scams had a 47% click rate in the third quarter of 2020, which made this the most common social media scam for the third year running. It’s a running trend, and it’s probably going to continue.
Now you might be thinking that this isn’t compromising business user credentials as such. But if you look at the bigger picture, once the link has been clicked, the attackers can find an entry into your systems if your employee is using LinkedIn on a company device. Don’t fall for the trap, and keep your employees up to date with the latest threats!
4. LinkedIn private shared document
This phishing ploy is delivered through LinkedIn’s internal messaging system, and it is disguised to look like it has been sent by one of the victim’s contacts. The message is an attempt to get the victim to follow a third-party link which supposedly opens a document.
LinkedIn has no “private shared document” feature, so this should be the first clue that the message is suspicious. Should your users fail to recognise this, they’ll be redirected to a spoofed LinkedIn login page; if credentials are entered there, the compromised account will then send out the same phishing messages to their contacts.
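The three email-borne lures described in sections 2 to 4 share a handful of observable traits that a mail gateway or SOC triage script can check for: a LinkedIn-themed subject line arriving from a domain that is not LinkedIn’s own, a link whose host name contains “linkedin” but is registered elsewhere, and a .ZIP attachment named after the recipient’s job title followed by the word ‘position’. The following Python script is an added example written for this article, not code from the original post or from any vendor; the sample messages are constructed, the set of genuine LinkedIn sending domains and the lure phrases are assumptions for illustration, and the job-title list would come from your own HR directory.

```python
"""Added example: triage incoming mail for the LinkedIn lures described above.
Sample messages, domain lists and heuristics are constructed for illustration."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: genuine LinkedIn notification mail comes from this registrable domain.
LINKEDIN_DOMAINS = {"linkedin.com"}

# Subject phrases the article lists as reused by attackers (lower-case for matching).
LURE_SUBJECTS = (
    "appeared in new searches",
    "looking at your linkedin profile",
    "add me to your linkedin network",
    "shared a document",  # the "private shared document" ploy
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable(host):
    """Crude registrable domain: the last two DNS labels (good enough for .com lures)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg):
    """Registrable domain of the address in the From header, or '' if none."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return registrable(m.group(1)) if m else ""


def link_hosts(text):
    """Set of host names found in http(s) URLs inside a text body."""
    return {h for h in ((urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)) if h}


def is_lookalike(host, brand="linkedin"):
    """A host that carries the brand name but is not registered under the brand's domain."""
    return brand in host and registrable(host) not in LINKEDIN_DOMAINS


def triage(raw_email, job_titles=()):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_email)
    findings = []

    subject = msg.get("Subject", "").lower()
    if any(p in subject for p in LURE_SUBJECTS) and sender_domain(msg) not in LINKEDIN_DOMAINS:
        findings.append(f"LinkedIn-themed subject from non-LinkedIn sender {sender_domain(msg)!r}")

    for part in msg.walk():
        fname = part.get_filename()
        if fname:  # attachment: check for the '<job title> position.zip' naming pattern
            for title in job_titles:
                if fname.lower() == f"{title.lower()} position.zip":
                    findings.append(f"attachment named after recipient job title: {fname}")
            continue
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            for host in link_hosts(payload.decode("utf-8", "replace")):
                if is_lookalike(host):
                    findings.append(f"link to LinkedIn lookalike host {host}")
    return findings


# Constructed sample messages (not real mail).
LOOKALIKE_MAIL = """\
From: LinkedIn <noreply@linkedin-notify.example>
To: dana@corp.example
Subject: People are looking at your LinkedIn profile
Content-Type: text/plain

Sign in to see who: https://linkedin.com.secure-login.example/uas/login
"""

JOB_OFFER_MAIL = """\
From: Recruiter <talent@hiring-portal.example>
To: dana@corp.example
Subject: Opportunity for you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached offer.
--XYZ
Content-Type: application/zip; name="Senior Accountant position.zip"
Content-Disposition: attachment; filename="Senior Accountant position.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--XYZ--
"""

GENUINE_MAIL = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: dana@corp.example
Subject: People are looking at your LinkedIn profile
Content-Type: text/plain

See who viewed you: https://www.linkedin.com/me/profile-views
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE_MAIL), ("job offer", JOB_OFFER_MAIL), ("genuine", GENUINE_MAIL)]:
        print(name, "->", triage(raw, job_titles=["Senior Accountant"]) or "no findings")
```

The script deliberately stays at the header and body level so it can run on mail that has already been quarantined; it is a triage aid for the awareness programme described later in the article (flagged messages become candidates for reporting and training examples), not a replacement for a mail gateway’s own reputation and authentication checks.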
Implementing security awareness training to prevent successful phishing attempts
Human error is very much still a factor, and attackers know it, which is why phishing is an easy win for them. With many users still falling for the trap, phishing attacks aren’t expected to disappear anytime soon. Your employees must be aware of the various threats to look out for, and know what to do in the event that they come across a suspicious email or site.
We like to think of it as building a ‘human firewall’. Humans are your first line of defence, and they’re going to be your biggest asset when it comes to combating outside threats. This means focusing on helping your workforce understand threats and enforcing change in their user behaviour to make smarter security decisions.
Educating and testing your employees
Always remember that your employees need to know the ‘what’ and the ‘why’ before you try to teach them the ‘how’. What exactly is phishing? Why do they need cyber security awareness training? What damage would the business suffer from a successful phishing attempt? The aim is to first create the right mindset.
Now that they know the why, it’s time to educate your staff (and yourself!) and explore the different phishing techniques and how they are used to exploit victims. You can do this by investing in a comprehensive cyber security awareness program that comes equipped with knowledge modules. Remember that you shouldn’t be treating this as a ‘one off’ security day.
Make security training mandatory and consistent, and include senior leadership in it. You’d be surprised at how common it is for CEOs to be a prime target! All this knowledge needs to be drilled into your employees to change their habits; only then will you start to see a reduction in successful phishing attempts.
Once you’ve run your training session, the next step is to test your employees to find out just how much of the information they’ve taken in. At this stage you should be running simulated phishing tests so you can see exactly how your employees are responding to the training. If there are any failures, you know there’s more work to be done.
If you’re looking to invest in a cyber security awareness program, contact our cyber security experts.