Phishers Target New Victims on LinkedIn
- 02 June, 2008 16:52
Users of the professional-oriented social networking site LinkedIn are being warned that scam artists are using the site to nab lucrative bank account information from naive victims, say security experts.
Advanced fee fraud — also known as "419 scams" after the relevant section of the Nigerian penal code — have become well-known to most e-mail users. The fraudster poses as a foreigner that has lucked into millions, but needs help to keep their money secure (one fraudster even pretended to bean African astronaut aboard the International Space Station).
As soon as someone is naive enough to share their bank account information, they find that money is withdrawn from their account — not deposited, as promised.
Stymied by corporate e-mail filters and buoyed by the trust that users are giving social networking sites, scammers are trying their old tricks in new channels, according to Graham Cluley, senior technology consultant at Abingdon, UK-based security vendor Sophos PLC.
"Now they're trying their scam with a network used by businesspeople," he says. "By using this mechanism, the criminals know they're talking to people who aren't 13-year-olds, but people with money in their pockets."
Cluley shares one example of the phishing attack that he received on LinkedIn. A user named Natasha Kone claims to be a 22-year-old woman from the Ivory Coast. Her message goes through the usual scam-artist routine of describing the US$6.5 million inheritance left to her by a deceased father, and why she's looking for a foreign partner to help secure the money.
It's a ploy most people would dismiss out of hand.
"The problem is that common sense isn't very common," Cluely says. Sophos knows of many examples of normally astute individuals suckered in by nicely formatted e-mails, and some have lost dollar sums in the millions.
Social networking sites are now the top phishing target,according to the most recent Internet Security Threat Report from Symantec Corp. The sites are the source of the most phishing attacks in the top three countries where phishing occurs — the US, China and Romania.
Overall, phishing messages went up by five per cent in the second half of 2007. There was a total of 207,547 unique messages identified — that's 1,134 different messages for each day.
Scammers are enjoying the trust that social networking users tend to give to the Web sites. Users feel a false sense of security due to being connected to a network of their peers.
"Promiscuous users are accepting friend and network requests from people they don't even know," says David Senf, director of research for Canadian security at Toronto-based IDC Canada. "The trouble is that no one wants to be rude."
But workers should be more stringent about who they add to their friends list, experts say. There's no guarantee that the person you're adding isn't an Internet impersonator. Once a scammer is on your friend's list, you've given them an open route to repeated attempts at nabbing your sensitive information.
One simple measure LinkedIn users can take is to only accept invitations from people who at least know your e-mail address, Cluley says.It's an option that can be simply turned on.
"It's just an extra little bit of effort that most criminals will not take," he says. "They can't just willy-nilly spam everyone on LinkedIn."
LinkedIn's user conduct agreement states that misrepresenting your identity on the network is a breach. So is the use of invitations to send messages to people you don't know.
ITBusiness.ca requested an interview with a LinkedIn spokesperson, but there was no response at the time of publication.
But companies can't be rest-assured that LinkedIn will delete the accounts of all the bad guys out there, says Jim Lippard, director of information security at Florham Park, N.J.-based IP network provider Global Crossing Ltd. There should be a policy in place to address how employees use social networks.
"Advise employees not to put the company's proprietary information onto their profiles," he says. "Just be aware the information can be read by anyone."
Even users who consider themselves careful about who they add as friends have to be careful, Lippard adds. Social networks are made more unsafe for everyone by those who accept every connection put forward to them.
Staff recruiters at large corporations often have large friend lists, for example. The presidential candidates in the US election also have profiles and will accept anyone as a friend to build their popularity showcase, the security expert says.
"They're operating their profiles like a MySpace bands page," Lippard says. "Once you have an indiscriminate group of people doing this, that means there are more unsecure links closer to all users."
For now, one fraudster's identity has been removed from LinkedIn. Natasha Kone has been deleted from the social network's database. But there's no telling how much damage the scammer has already done.
"I'm sure the only person who really knows that is the one lurking behind the identity of Natasha Kone," Cluley says.