In November, Britain’s Security Service began notifying members of parliament (MPs) and their staff of an audacious foreign intelligence-gathering scheme. It claimed two profiles on LinkedIn were approaching individuals working in British politics in order to solicit “insider insights”. The revelations from MI5 precipitated a £170 million ($230 million) government initiative to tackle espionage threats to parliament.
It may be the most recent high-profile case of threat actors abusing LinkedIn to further their own nefarious goals. But it’s by no means the first. The site can also be a treasure trove of corporate data that can be used to support fraud or threat campaigns. It’s time professionals got wise to the risks of digital networking.
Why is LinkedIn a target?
LinkedIn has amassed more than one billion “members” worldwide since its founding in 2003. That’s a lot of potential targets for state-backed and financially motivated threat actors. But why is the platform so popular? A few reasons stand out:
- It’s a fantastic information resource: By digging into the site, threat actors can find out the roles and responsibilities of key individuals in a targeted company, including new joiners. They can also piece together a pretty accurate picture of the relationships between individuals, and the kind of projects they might be working on. This is all invaluable intelligence which can then feed into spear-phishing and BEC fraud efforts.
- It provides credibility and cover: Because LinkedIn is a professional networking site, it’s frequented by high-value executives and low-level workers alike. Both might have their uses to a threat actor. Victims are more likely to open a DM or InMail from someone on the site than they are an unsolicited email. In fact, when it comes to C-suite execs, it might be the only way to target them directly, as emails are often checked only by subordinates.
- It bypasses “traditional” security: Because messages travel through LinkedIn’s servers rather than the corporate mail gateway, the email security stack never sees them and the IT department has little visibility into what’s going on. LinkedIn has some built-in security measures, but there’s no guarantee that phishing, malware and spam messages won’t get through. And because of the credibility of the site, targets may be more likely to click through on something malicious.
- It’s easy to get up and running: For threat actors, the potential ROI for attacks using LinkedIn is massive. Anyone can register a profile and start prowling the site for profiles to extract intelligence from, or to target with phishing and BEC-style messages. Attacks are relatively easy to automate for scale. And to add legitimacy to phishing efforts, threat actors may hijack existing accounts or set up fake identities before posing as job seekers or recruiters. The wealth of compromised credentials circulating on cybercrime forums (thanks in part to infostealers) makes this easier than ever.
RELATED READING: Recruitment red flags: Can you spot a spy posing as a job seeker?
Which attacks are most common?
As mentioned, there are various ways threat actors can operationalize their malicious campaigns via LinkedIn. These include:
- Phishing and spearphishing: By using information that LinkedIn users share on their profiles, threat actors can tailor phishing campaigns to improve their success rate.
- Direct attacks: Adversaries may reach out directly with malicious links designed to deploy malware such as infostealers, or promote job offers intended to harvest credentials. Alternatively, state-backed operatives may use LinkedIn to recruit ‘insiders’ as MI5 warned.
- BEC: As with the phishing example, LinkedIn provides a wealth of intelligence which can then be used to make BEC attacks more convincing. It might help fraudsters identify who reports to whom, what projects they’re working on, and the names of any partners or suppliers.
- Deepfakes: LinkedIn may also host videos of targets, which can be used to create deepfakes of them, for use in follow-on phishing, BEC or social media scams.
- Account hijacking: Fake LinkedIn (phishing) pages, infostealers, credential stuffing and other techniques can be used to help threat actors take over users’ accounts. These can then be used in follow-on attacks targeting the victims’ contacts.
- Supplier attacks: LinkedIn can also be trawled for details on partners of a targeted company, who can then be targeted with phishing in a “stepping stone” attack.
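A practical check for the malicious links and fake LinkedIn pages described in the list above: the script below (an added example written for this page, not ESET’s or LinkedIn’s code) classifies a URL pasted from a DM or InMail as LinkedIn’s own domain, a look-alike (brand name as a subdomain, typosquat, or confusable characters), an opaque shortener, or an unrelated external site. The domain lists, the two-edit threshold, the small stand-in for the Public Suffix List and the sample URLs are all constructed assumptions for illustration.

```python
"""Classify URLs from LinkedIn messages: real LinkedIn, look-alike, shortener or other.

Added example, not from the original article. Domain lists, thresholds and the
sample URLs are assumptions chosen for illustration.
"""
from urllib.parse import urlsplit

# LinkedIn's own domains (assumption: linkedin.com, its lnkd.in shortener, licdn.com CDN).
LINKEDIN_DOMAINS = {"linkedin.com", "lnkd.in", "licdn.com"}
# Public shorteners hide the final destination, so a link can't be judged until resolved.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rb.gy"}
# Tiny stand-in for the Public Suffix List; a real tool should use it (e.g. tldextract).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.in", "com.br"}
# Substitutions commonly seen in typosquats, mapped back to the ASCII letter they imitate.
CONFUSABLES = str.maketrans({
    "1": "l", "|": "l", "0": "o", "3": "e",
    "\u0456": "i", "\u0131": "i", "\u00ed": "i",   # Cyrillic і, dotless ı, í
    "\u0435": "e", "\u043e": "o", "\u0501": "d",   # Cyrillic е, о, ԁ
    "\u04cf": "l", "\u0578": "n",                  # Cyrillic ӏ, Armenian ո
})
BRAND = "linkedin"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Return e.g. 'example.co.uk' for 'login.example.co.uk' (simplified PSL logic)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def decode_punycode(host: str) -> str:
    """Turn xn-- labels back into Unicode so confusable characters can be compared."""
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep as-is, the later checks still run on it
        out.append(label)
    return ".".join(out)


def classify_link(url: str) -> tuple[str, str]:
    """Return (verdict, reason). Verdicts: linkedin, lookalike, shortener, external, invalid."""
    if "://" not in url:
        url = "http://" + url  # bare 'linkedin.com/...' pastes still parse
    host = urlsplit(url).hostname
    if not host:
        return "invalid", "no hostname in URL"
    host = decode_punycode(host.lower().rstrip("."))
    domain = registrable_domain(host)
    if domain in LINKEDIN_DOMAINS:
        return "linkedin", f"registrable domain {domain} belongs to LinkedIn"
    if domain in SHORTENERS:
        return "shortener", f"{domain} hides the destination; resolve it before trusting"
    # Brand name as a subdomain of someone else's domain: linkedin.com.verify-account.example
    if any(BRAND in label for label in host.split(".")[:-2]):
        return "lookalike", f"'{BRAND}' used as a subdomain of {domain}"
    sld = domain.split(".")[0]  # 'linkedln' from 'linkedln.com'
    normalised = sld.translate(CONFUSABLES)
    if normalised != sld and (BRAND in normalised or levenshtein(normalised, BRAND) <= 2):
        return "lookalike", f"confusable characters in {sld!r} imitate {BRAND}"
    if BRAND in sld:
        return "lookalike", f"{domain} embeds the brand name but is not LinkedIn"
    if levenshtein(sld, BRAND) <= 2:
        return "lookalike", f"{sld!r} is within 2 edits of {BRAND}"
    return "external", f"{domain} is unrelated to LinkedIn"


if __name__ == "__main__":
    # Constructed sample links of the kind that arrive in recruiter-style DMs.
    samples = [
        "https://www.linkedin.com/in/someone",
        "lnkd.in/abc123",
        "https://linkedin.com.verify-account.example/login",
        "https://linked1n.com/login",
        "https://linkedin-careers.co/apply",
        "https://l\u0456nkedin.com/login",
        "https://bit.ly/3abcdef",
        "https://example.com/jobs",
    ]
    for link in samples:
        verdict, reason = classify_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```

The check is deliberately conservative in one direction: a “shortener” or “external” verdict is not a clean bill of health, only a statement that the link is not LinkedIn and must be resolved or inspected before anyone enters credentials. Because the page itself notes that these messages never pass through the corporate mail gateway, this kind of logic belongs in an endpoint or browser-side control, or in the awareness material given to staff, rather than in the email filter.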
Examples of threat groups using some of the above include:
- North Korea’s Lazarus Group has posed as recruiters on LinkedIn to install malware on the machines of individuals working in an aerospace company, as discovered by ESET Research. Indeed, the researchers also recently described the Wagemole IT worker campaigns in which North Korea-aligned individuals attempt to gain employment at overseas companies.
- Scattered Spider called MGM’s help desk posing as an employee it had found on LinkedIn, in order to gain access to the organization. The ensuing ransomware attack resulted in $100 million in losses for the firm.
- A spearphishing campaign dubbed “Ducktail” targeted marketing and HR professionals on LinkedIn, with info-stealing malware delivered via DM links. The malware itself was hosted in the cloud.
Staying safe on LinkedIn
As mentioned, the challenge with LinkedIn threats is that it’s difficult for IT to get any real insight into how extensive the risk is to its employees, and what tactics are being used to target them. However, it would make sense to build LinkedIn threat scenarios of the sort described above into security awareness courses. Employees should also be warned about oversharing on the site, and provided with help on how to spot fake accounts and typical phishing lures.
To avoid their own accounts being hijacked, employees should also follow policy on regular patching, install security software from a trusted provider on all devices, and switch on multi-factor authentication. It may be worth running a dedicated training course for executives, who are targeted more often. Above all, ensure your employees realize that, even on a trusted network like LinkedIn, not everyone has their best interests at heart.