Posts Tagged ‘spear phishing’

My previous posting dealt with a technical attack involving malware being distributed through social media. Here’s a story on how social media sites can be used for social engineering to entice users into being attacked.

The article points to how information gleaned from LinkedIn profiles can be used to target users with more plausible attack scenarios — a.k.a. spear phishing. It describes how one person was able to get added as a connection to more than 60 people at a company where he posed online as a worker and then proceeded to get himself added to a private LinkedIn discussion forum.

  • “Now I had an audience of 1,000 company employees,” O’Horo said. “I posted a link to the group wall that purported to be a beta test sign-up page for a new project. In two days, I got 87 hits — 40% from inside the corporate network.”

Of course, the risk here is that the fake page could have been infected and used to distribute malware as previously described. But is this really a problem with LinkedIn? Should we avoid social networking sites as a result?

I would say “no” and “no.” The real issue here was that people were trusting things they shouldn’t trust. If someone had bothered to find out who this guy was before adding him to the private discussion forum, it wouldn’t have been an issue. Also, if users had been more discerning as to which links they clicked on, it wouldn’t have been an issue.

The real question is what and whom you should trust. LinkedIn, like any social networking site, is only as good as the information in it and only as trustworthy as the people posting to it. It seems that every time we develop a new communications forum, whether it be snail mail, telephone, email, SMS, or social networking sites, we have to re-educate ourselves as users as to what is and is not reasonable and responsible behavior within this new context.

Hackers know this, and it’s how they are able to exploit these windows of opportunity with each new turn of the technological crank. The onus is on the good guys to maintain a healthy skepticism when moving into new forums, or risk being the next victim.