I’m sure we’ve all seen the fake Facebook profiles by now... something along the lines of an invite from an attractive young woman with wall posts related to some “hot new pics” that she just took. Sure, you have to click on the link to see the pics, which then promptly redirects the browser and attempts to exploit some vulnerability on your machine and install malware. But what about the profiles that do little else than 1) appear to be legit, 2) ask to be connected to you, and 3) do nothing else (or so you think)?
Being a security professional I’m always a bit skeptical when I get an invite to connect with someone on LinkedIn and a few things throw up red flags when I review the profile. Do you live near me? Do you work for a client of mine? Did we go to the same school? And most importantly, do we have any connections in common? Being that security is a fairly small community I would find it odd that you know me but don’t know anyone else that I know.
Last week I received an invite from someone in NY who is working as a senior information security consultant for a big-name firm. Interesting, but we didn’t have any connections in common and I didn’t know the person, so I let it sit in my inbox for later review. This week I received another similar invite from someone in NY, with a similar title, working for another big-name company. One thing that caught my eye was the year the person graduated college. While I have a decent ability to remember names, my brain has been wired in such a way that numbers tend to stick. So when I noticed they both had an MS in Computer Science and graduated in 2000, I became a little suspicious. Looking back at the previous invite I noticed they had the same title, during the same period of time, and only the company name was different. A review of these two prompted some further research. Here is what I found:
The fake profiles, 15 in all, used to mine your connections and probably map the infosec community, may have been generated by a script. But possibly not, as there are some oddities with some of the profiles that make them appear to be created by hand... either way, someone had some time, or they suck at scripting. Regardless, if you get an invite to connect on LinkedIn, here are some things to look for:
Location:
Current Title:
College years:
Schools used (all with a major of MSc in Computer Science):
Current position description:
Job titles (seem to be randomly paired with a company):
Organizations/Companies:
Profile Names (** means they used the 1996-2001 grad years):
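As an added example (not code from the original post), here is a small Python triage script over constructed invite records that applies the checks the post describes: no mutual connections, and several invites sharing the same location, title, degree and graduation year while differing only in company. The field names and sample values are assumptions, not real profiles.

```python
from collections import defaultdict

# Constructed sample invites (not real profiles). Each record carries the
# attributes the post compares across suspicious invites.
INVITES = [
    {"name": "Invite A", "location": "New York, NY",
     "title": "Senior Information Security Consultant", "company": "Firm One",
     "degree": "MSc Computer Science", "grad_year": 2000, "mutual_connections": 0},
    {"name": "Invite B", "location": "New York, NY",
     "title": "Senior Information Security Consultant", "company": "Firm Two",
     "degree": "MSc Computer Science", "grad_year": 2000, "mutual_connections": 0},
    {"name": "Invite C", "location": "Austin, TX",
     "title": "Security Engineer", "company": "Firm Three",
     "degree": "BS Computer Science", "grad_year": 2005, "mutual_connections": 12},
]


def template_key(inv):
    """Attributes that rarely coincide across independent, genuine invites."""
    return (inv["location"], inv["title"], inv["degree"], inv["grad_year"])


def find_template_clusters(invites, min_size=2):
    """Group invites that look stamped from one template (only company differs)."""
    groups = defaultdict(list)
    for inv in invites:
        groups[template_key(inv)].append(inv)
    clusters = {}
    for key, members in groups.items():
        companies = {m["company"] for m in members}
        # Same template used across different companies is the post's tell.
        if len(members) >= min_size and len(companies) == len(members):
            clusters[key] = [m["name"] for m in members]
    return clusters


def triage(invites):
    """Return {invite name: [reasons]} for invites that deserve a closer look."""
    clusters = find_template_clusters(invites)
    flagged = {}
    for inv in invites:
        reasons = []
        if inv["mutual_connections"] == 0:
            reasons.append("no connections in common")
        key = template_key(inv)
        if key in clusters:
            others = [n for n in clusters[key] if n != inv["name"]]
            reasons.append("same location/title/degree/grad year as " + ", ".join(others))
        if reasons:
            flagged[inv["name"]] = reasons
    return flagged
```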
Yes, you may have noticed I have access to some of the last names... and that is because someone who is connected to me has accepted one of these fake profiles as a connection. I’m actually upset that I didn’t think of this. What better way to map the security resources at various companies? I started wondering a while ago if we could use the API to script a pull of public data and then do some quick analysis to see where everyone ends up once they leave a particular company. Maybe that is already happening?
Finally, I’ll let you figure the impact out, but these fake profiles have between 80 and 476 connections with an average of 321 per profile.
This post is only meant to shed some light on the data mining issues within LinkedIn specific to the InfoSec community. I’m sure this is happening in other fields as well... so if you’ve seen this, please post in the comments section.