If you use LinkedIn, you’ve probably told the site where you work, what you do and who you work with, as noted by CNNMoney. Therein lies the problem.
In an attack technique called “spear phishing,” hackers trick their targets into opening e-mail attachments that appear to come from trusted sources. This is what happened in two high-profile security breaches last year, including a Gmail attack on top U.S. officials and another attack on RSA.
Investigators haven’t disclosed how the attackers gathered information on the victims, but the risks of social networking sites — particularly LinkedIn — were certainly a hot topic at a recent RSA security conference, as noted by CNNMoney.
Of course, most of the discussion was hypothetical. Investigators believe it’s nearly impossible to trace the original source of personal data used in these attacks.
But self-described “hacker for hire” Ryan O’Horo proved otherwise, demonstrating how he used LinkedIn to access a client’s corporate network.
How He Did It:
O’Horo created a fake account on LinkedIn, posing as a company employee. He created a profile with realistic details, including a plausible job history and skill set. He then sent out 300 connection requests to current company employees. Sixty-six were accepted.
Next, O’Horo requested access to a private LinkedIn discussion forum the company’s employees had created. The group’s moderators granted his request, as reported by CNNMoney. O’Horo posted a link to the group wall that purported to be a beta test sign-up page for a new project. In two days, he received 87 hits, 40 percent of which came from the corporate network.
O’Horo was caught just three days into his LinkedIn attack: An astute employee figured out he didn’t belong and blew the whistle. But he’d already made his point.
The opinions expressed are solely those of the author and do not necessarily reflect the views of XFINITY.