'Spear phisher' proves why you should be skeptical of LinkedIn updates

Powered by SC Magazine
 

Trusteer experiment found half of social networkers would go to a landing page if asked.

A recent spear phishing experiment led to half of a targeted audience reaching a specifically designed landing page in 48 hours.

Trusteer admitted that it picked 100 LinkedIn users, created a new identity and sent a fake job alert.

It said: “Since LinkedIn sends an alert when one of your connections has a new job, we decided to use this update method to create a fraudulent email. For each one of our targets we crafted a fictitious new job alert. We chose one of their LinkedIn connections and announced that this person was now working for a company that directly competes with our victim's company.

“We included a big button ‘View [friend's name] new Title' and we also included the friend's photo. Clicking on the button redirects the victim to a different website, not LinkedIn. The website we used was innocuous, but it was a place holder for a potentially malicious website that places malware on the victim's computer.”

It confirmed that the targets were people it knew, including friends and family, who it estimated to be fairly educated about security. They were asked for their permission to take part in a security experiment that would not in any way put them at risk, without telling them what it was testing and how.

The message was sent to all 100 subjects on a Tuesday morning and within 24 hours, 41 subjects had reached the landing page. Within 48 hours 52 subjects had reached the landing page and within seven days, 68 subjects had clicked through.

Trusteer said that the time invested in building this project was 17 hours. It approached the 32 subjects who did not reach the landing page and asked why they did not click on the link. Sixteen said they had not seen the email, seven said they usually do not read LinkedIn updates, while nine said that the update was not interesting enough for them to click the link.

Mickey Boodaei, CEO of Trusteer, said: “This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer, but in this case education did not prevent the attack.

“The solution to this problem must be based on technology and probably using more than one method. Based on these findings, we strongly recommend that organisations re-evaluate their approach to targeted attacks since they represent, as we witnessed in recent breaches, the most dangerous type of threat to their business.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition


 
 
 
Top Stories
Business-focused Windows 10 brings back the Start menu
Microsoft skips 9 for the "greatest enterprise platform ever".
 
Feeling Shellshocked?
Stay up to date with patching for the Bash bug.
 
Amazon forced to reboot EC2 to patch Xen bug
Rolling restarts over next week.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  66%
 
Advanced persistent threats
  4%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1366

Vote