'Spear phisher' proves why you should be skeptical of LinkedIn updates

Powered by SC Magazine
 

Trusteer experiment found half of social networkers would go to a landing page if asked.

A recent spear phishing experiment led to half of a targeted audience reaching a specifically designed landing page in 48 hours.

Trusteer admitted that it picked 100 LinkedIn users, created a new identity and sent a fake job alert.

It said: “Since LinkedIn sends an alert when one of your connections has a new job, we decided to use this update method to create a fraudulent email. For each one of our targets we crafted a fictitious new job alert. We chose one of their LinkedIn connections and announced that this person was now working for a company that directly competes with our victim's company.

“We included a big button ‘View [friend's name] new Title' and we also included the friend's photo. Clicking on the button redirects the victim to a different website, not LinkedIn. The website we used was innocuous, but it was a place holder for a potentially malicious website that places malware on the victim's computer.”

It confirmed that the targets were people it knew, including friends and family, who it estimated to be fairly educated about security. They were asked for their permission to take part in a security experiment that would not in any way put them at risk, without telling them what it was testing and how.

The message was sent to all 100 subjects on a Tuesday morning and within 24 hours, 41 subjects had reached the landing page. Within 48 hours 52 subjects had reached the landing page and within seven days, 68 subjects had clicked through.

Trusteer said that the time invested in building this project was 17 hours. It approached the 32 subjects who did not reach the landing page and asked why they did not click on the link. Sixteen said they had not seen the email, seven said they usually do not read LinkedIn updates, while nine said that the update was not interesting enough for them to click the link.

Mickey Boodaei, CEO of Trusteer, said: “This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer, but in this case education did not prevent the attack.

“The solution to this problem must be based on technology and probably using more than one method. Based on these findings, we strongly recommend that organisations re-evaluate their approach to targeted attacks since they represent, as we witnessed in recent breaches, the most dangerous type of threat to their business.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition


 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1802

Vote
Do you support the abolition of the Office of the Information Commissioner?