'Spear phisher' proves why you should be skeptical of LinkedIn updates

Powered by SC Magazine

Trusteer experiment found half of social networkers would go to a landing page if asked.

A recent spear phishing experiment led to half of a targeted audience reaching a specifically designed landing page in 48 hours.

Trusteer admitted that it picked 100 LinkedIn users, created a new identity and sent a fake job alert.

It said: “Since LinkedIn sends an alert when one of your connections has a new job, we decided to use this update method to create a fraudulent email. For each one of our targets we crafted a fictitious new job alert. We chose one of their LinkedIn connections and announced that this person was now working for a company that directly competes with our victim's company.

“We included a big button ‘View [friend's name] new Title’ and we also included the friend's photo. Clicking on the button redirects the victim to a different website, not LinkedIn. The website we used was innocuous, but it was a place holder for a potentially malicious website that places malware on the victim's computer.”
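The defensive counterpart to the pattern just described (a LinkedIn-branded button whose link leaves LinkedIn) is to compare where each link in a notification email really goes against the hosts the imitated brand uses. The check below is an added example, not code from the article or from Trusteer's experiment; the sample email body and the example.net host are constructed, and treating linkedin.com plus its subdomains as the only trusted hosts is an assumption.

```python
"""Flag links in an HTML email that do not lead to the brand the email imitates."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the imitated brand actually uses (assumption for this example: linkedin.com
# and its subdomains). Anything else behind a branded button is suspect.
TRUSTED_HOSTS = {"linkedin.com"}

class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(" ".join(self._text).split())))
            self._href = None

def host_is_trusted(url, trusted=TRUSTED_HOSTS):
    """True only if the URL's real host is a trusted domain or a subdomain of it.
    urlparse().hostname drops userinfo, so 'https://www.linkedin.com@evil.example/'
    resolves to evil.example; 'www.linkedin.com.evil.example' fails the suffix test."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)

def find_lookalike_links(html, trusted=TRUSTED_HOSTS):
    """Return every (href, anchor text) whose destination is not a trusted host."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(h, t) for h, t in collector.links if not host_is_trusted(h, trusted)]

# Constructed sample mimicking the fake "new job" alert described in the article.
SAMPLE_EMAIL = """
<p>Your connection <a href="https://www.linkedin.com/in/alex-doe">Alex Doe</a>
has a new job at <b>Rival Corp</b>.</p>
<a href="http://linkedin-updates.example.net/view?u=42"><b>View</b> Alex Doe's new Title</a>
<p><a href="https://www.linkedin.com/settings">Unsubscribe</a></p>
"""

for href, text in find_lookalike_links(SAMPLE_EMAIL):
    print(f"suspect link: '{text}' -> {href}")
```

Only the "View ... new Title" button is reported; the profile and unsubscribe links stay on linkedin.com and pass. The same host test rejects the usual lookalike tricks (brand name as a subdomain of another domain, or as userinfo before an @).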

It confirmed that the targets were people it knew, including friends and family, who it estimated to be fairly educated about security. They were asked for their permission to take part in a security experiment that would not in any way put them at risk, without telling them what it was testing and how.

The message was sent to all 100 subjects on a Tuesday morning and within 24 hours, 41 subjects had reached the landing page. Within 48 hours 52 subjects had reached the landing page and within seven days, 68 subjects had clicked through.

Trusteer said that the time invested in building this project was 17 hours. It approached the 32 subjects who did not reach the landing page and asked why they did not click on the link. Sixteen said they had not seen the email, seven said they usually do not read LinkedIn updates, while nine said that the update was not interesting enough for them to click the link.

Mickey Boodaei, CEO of Trusteer, said: “This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer, but in this case education did not prevent the attack.

“The solution to this problem must be based on technology and probably using more than one method. Based on these findings, we strongly recommend that organisations re-evaluate their approach to targeted attacks since they represent, as we witnessed in recent breaches, the most dangerous type of threat to their business.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition
