LinkedIn is great… Until it isn’t.
Many of us take advantage of social media services like LinkedIn, so it is not surprising that social engineers take advantage of social media users. Here is a quick cautionary tale that is a good reminder of how exposed we are, and that illustrates an easy and highly effective way to avoid being phished.
A Successful LinkedIn Spoofing Email
We were recently asked to conduct a security assessment for a small manufacturing firm. Their corporate AMEX card had been compromised and they were concerned their network had been “hacked.”
While their network security had "room for improvement," we did not find any evidence of compromise. Suspecting they had been victims of a phishing attack instead, we reviewed the email logs for the affected employee and interviewed him to get a sense of his email habits and overall phishing awareness.
The employee was moderately aware of phishing and social engineering, but he was an avid LinkedIn user and "didn't think it was really possible" for LinkedIn emails to be spoofed. It turned out he had received a well-constructed phishing email claiming there was a problem with his LinkedIn account. The phish included a hyperlink that led to a fake LinkedIn website, where he entered the credit card information he had used to create the account, supposedly to "verify his credit card in order to keep his account in good standing." Nothing in the message itself gave the game away: the sender name and branding are trivial to forge, and the only reliable tell was where the link actually pointed.
How to Avoid Clicking Bad Links From LinkedIn
The easiest way to deal with any email from LinkedIn, or any other service, that directs you to log in is to delete the message. Don't click the link in the email! Instead, open your browser and go to the site the way you normally would (a bookmark or a typed address), log in, and check whether the invitation, message or account inquiry is real. If it is legitimate, it will be waiting for you there; if it isn't, you have lost nothing.
Best practice: never click a login or account-verification link in an email of this type. Reach the site yourself.
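For readers who want to see what "check where the link actually points" looks like in practice, here is an added example that is not part of the original post or of Pivot Point Security's tooling. It parses a constructed HTML email modelled on the phish described above (the sender address, link targets and wording are invented), pulls out every hyperlink, and flags the ones whose destination is not on the brand's own domain, uses plain http, or shows the brand name in the visible text while pointing somewhere else. The `TRUSTED_DOMAINS` set is an assumption for the example; the two-label `registrable_domain` helper is deliberately simple and a real tool would use the public suffix list.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Assumption for this example: the brand the message claims to come from.
TRUSTED_DOMAINS = {"linkedin.com"}

# Constructed sample message, modelled on the "account problem" phish in the post.
# Note that the From header looks perfectly legitimate: it is trivially forged,
# so it proves nothing. Only the link targets are worth inspecting.
SAMPLE_EMAIL = b"""From: LinkedIn <security-noreply@linkedin.com>
To: employee@example.com
Subject: Action required: verify your LinkedIn account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a problem with your account.</p>
<p><a href="http://linkedin.com.account-verify.example.net/login">
Sign in to LinkedIn</a> to verify your credit card and keep your account in good standing.</p>
<p><a href="https://www.linkedin.com/help/">LinkedIn Help</a></p>
</body></html>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Keep the last two DNS labels. Good enough for .com in this example;
    a real tool would consult the public suffix list (e.g. for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(html: str) -> list[tuple[str, str]]:
    """Return (href, visible text) pairs for every anchor in the HTML body."""
    return [(href, re.sub(r"\s+", " ", text).strip())
            for href, text in HREF_RE.findall(html)]


def audit_link(href: str, text: str, trusted: set[str]) -> list[str]:
    """Reasons this link should not be clicked; an empty list means no finding."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    on_brand_domain = registrable_domain(host) in trusted
    if parsed.scheme != "https":
        reasons.append(f"not https: {parsed.scheme or 'no scheme'}")
    if not on_brand_domain:
        # "linkedin.com.account-verify.example.net" registers as example.net:
        # the brand name at the front of the hostname is the lure.
        reasons.append(f"link goes to {host}, not a {'/'.join(sorted(trusted))} host")
    brand_names = {t.split(".")[0] for t in trusted}
    if not on_brand_domain and any(b in text.lower() for b in brand_names):
        reasons.append("visible text names the brand but the href points elsewhere")
    return reasons


def audit_message(raw: bytes, trusted: set[str] = TRUSTED_DOMAINS) -> list[dict]:
    """Parse a raw RFC 5322 message and audit every link in its HTML (or text) body."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    return [{"href": href, "text": text, "reasons": audit_link(href, text, trusted)}
            for href, text in extract_links(html)]


if __name__ == "__main__":
    for finding in audit_message(SAMPLE_EMAIL):
        verdict = "DO NOT CLICK" if finding["reasons"] else "ok"
        print(f'{verdict}: "{finding["text"]}" -> {finding["href"]}')
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run against the sample, the "Sign in to LinkedIn" link is flagged three times over while the help link passes, which is exactly the mismatch the employee in the story never looked for. Even with a checker like this, the advice above still stands: the safest move is not to click at all and to reach the site yourself.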
For more information, read more of our phishing prevention posts, or contact Pivot Point Security.