Social Engineering on Social Media
Being socially engineered on a professional social media platform? It’s more likely than you think!
Most of us are familiar with the typical types of scams that occur on social media platforms, like Facebook or Instagram. Now, a set of threat actors have crafted a new and widely successful scheme that leverages profiles on more professional social media sites, like LinkedIn.
These threat actors create fabricated profiles purporting to be high-level executives at well-known companies, then wait for Google and other people search engines, such as Apollo.io, Signalhire and Cybersecurity Ventures, to crawl and scrape the profile data.
After enough time has elapsed, these fake profiles will have been copied between data-scraping companies so many times that the information looks as legitimate as the real executive’s profile. This, in turn, causes the fabricated profile to start showing up in results when individuals search by job title.
Krebs on Security recently posted about how several fake CISO profiles for well-known companies exist, and how these are the profiles Google returns when asked “who is the CISO for company X?” On its surface, this may seem like nothing more than a minor nuisance. Given that most people trust the data they obtain from people search sites and other professional LinkedIn profiles, it’s not much of a stretch to see that the threat actors behind these profiles can easily socially engineer other members of the platform.
One of the more insidious aspects of this type of threat is that the threat actors don’t necessarily have to make the first move in order to socially engineer someone. If someone goes to LinkedIn or Apollo.io, searches for an individual, and is served a fake profile in return, that user may unknowingly connect with and reach out to a threat actor, believing them to be a high-level executive, when in fact they are reaching out to someone who will likely attempt to extract any privileged data they can.
This underscores the importance of being certain who you are connecting with on social media. Always be mindful of the data you’re sharing and with whom you are sharing it. The proliferation of professional social media platforms, like LinkedIn, has done wonders to allow open communication between individuals and employees across all industries. In doing so, though, another Pandora’s box of social engineering techniques has been opened, backed by threat actors who will stop at nothing to scam individuals.
The ivision security team can help your business recognize and respond to these kinds of bad actors. We’ll work with your team to identify the signs of social engineering and to implement personal security best practices that will save individuals and businesses a lot of grief. Get in touch below to get started!