'Spear phisher' proves why you should be skeptical of LinkedIn updates

Powered by SC Magazine

Trusteer experiment found half of social networkers would go to a landing page if asked.

A recent spear phishing experiment led to half of a targeted audience reaching a specifically designed landing page in 48 hours.

Trusteer admitted that it picked 100 LinkedIn users, created a new identity and sent a fake job alert.

It said: “Since LinkedIn sends an alert when one of your connections has a new job, we decided to use this update method to create a fraudulent email. For each one of our targets we crafted a fictitious new job alert. We chose one of their LinkedIn connections and announced that this person was now working for a company that directly competes with our victim's company.

“We included a big button ‘View [friend's name] new Title’ and we also included the friend's photo. Clicking on the button redirects the victim to a different website, not LinkedIn. The website we used was innocuous, but it was a placeholder for a potentially malicious website that places malware on the victim's computer.”
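The lure works because the message looks like a LinkedIn job-change alert while its button points somewhere else. The check below, an added example rather than Trusteer's code, parses a mail body, collects every link, and flags those that leave the LinkedIn domain when the sender or link text invokes the LinkedIn brand; the sample message and the trusted-domain list are constructed assumptions.

```python
# Added example (not Trusteer's code): flag mail that presents itself as a
# LinkedIn alert while its links lead off-site. Sample data is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"linkedin.com"}  # assumption: legitimate link hosts


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def _host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(sender, html_body):
    """Links that leave the LinkedIn brand in a mail claiming to be LinkedIn."""
    claims_linkedin = "linkedin" in sender.lower()
    parser = _LinkCollector()
    parser.feed(html_body)
    return [(href, text) for href, text in parser.links
            if (claims_linkedin or "linkedin" in text.lower())
            and not _host_trusted(href)]


# Constructed sample resembling the lure in the article (not a real message).
SAMPLE_SENDER = "LinkedIn Updates <updates@linkedin-alerts.example>"
SAMPLE_BODY = """<p>Alex has a new job at a competitor.</p>
<a href="http://landing.example/track?id=42">View Alex's new title</a>
<a href="https://www.linkedin.com/settings">Unsubscribe</a>"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"off-brand link: {text!r} -> {href}")
```

A mail gateway would apply the same comparison to the sender's authenticated domain rather than the display name, which a forger controls.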

It confirmed that the targets were people it knew, including friends and family, whom it estimated to be fairly well educated about security. They were asked for permission to take part in a security experiment that would not put them at risk in any way, without being told what it was testing or how.

The message was sent to all 100 subjects on a Tuesday morning and within 24 hours, 41 subjects had reached the landing page. Within 48 hours 52 subjects had reached the landing page and within seven days, 68 subjects had clicked through.

Trusteer said that the time invested in building this project was 17 hours. It approached the 32 subjects who did not reach the landing page and asked why they did not click on the link. Sixteen said they had not seen the email, seven said they usually do not read LinkedIn updates, while nine said that the update was not interesting enough for them to click the link.

Mickey Boodaei, CEO of Trusteer, said: “This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer, but in this case education did not prevent the attack.

“The solution to this problem must be based on technology and probably using more than one method. Based on these findings, we strongly recommend that organisations re-evaluate their approach to targeted attacks since they represent, as we witnessed in recent breaches, the most dangerous type of threat to their business.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition
