As cybercriminals continue to refine their methods, it’s crucial for businesses to be vigilant in training employees to recognize social engineering attacks. In our last blog post, we delved into the tactics that hackers use to build profiles of their social engineering attack targets, highlighting the importance of understanding how these attackers operate. In this post, we focus on sharing social engineering examples by zeroing in on attacks that leverage LinkedIn profile attributes. There are a variety of sources that these criminals use to harvest data, but for professionals, LinkedIn is often the first stop for attackers looking to gather information about potential targets, for the exact same reason B2B advertisers and marketers do — it’s a goldmine of detailed demographic, behavioral, and intent data that can be used to micro-target prospects and maximize campaign results.
Examples of Social Engineering Attacks Using LinkedIn Profile Attributes
With a handful of common attributes found on LinkedIn, we have prepared just a few of the most common examples of social engineering attacks. Using “Jane Doe” (or similar pseudonyms), “Acme Corporation”, and “Job Role” as three of the attributes, here are several highly personalized attack examples that are used with considerable effectiveness. The attack vectors are email and text, as both of those data points can easily be uncovered by looking the target up in one of several public databases. The primary goal for any of these examples is to gain access to one or more employee email accounts for Business Email Compromise (BEC) attacks against other targets, or to gain direct access to an organization’s systems.
Social Engineering Attack Example #1
Attacker’s Objective: To get the target to click on a link that downloads malware which monitors and logs the user’s activity, with the intent of gaining access to sensitive corporate systems.
Scenario: Acme Corporation has a job posting. Jane Doe, a Human Resources Manager, has a contact named John Smith. Jane has posted she will be attending an HR Conference in her industry.
Jane receives the following email message from an attacker who is impersonating one of her legitimate connections.
Hello. I see Acme is recruiting for a position which my niece, who graduated with honors from M.I.T., seems to be qualified for and is interested in. You can find her resume linked here hxxp://phishinglinkposingasresume[.]com. Let’s try to connect at the upcoming Materials Management HR Conference.
Thanks very much,
Similar scenarios attempting to get a user to click a malicious link commonly feature an attacker posing as a job candidate sending in a resume, posing as an event organizer with an invitation to speak at a conference, impersonating a colleague who may have attended the same conference and offering to share notes from some of the sessions, and so on. The potential scenarios are endless, and any one of them is plausible based on a few high-level details gathered from a LinkedIn profile.
Social Engineering Attack Example #2
Attacker’s Objective: To get the target to log in to a corporate system through a spoofed page in order to phish the user’s credentials.
Scenario: Since Covid, Acme Corporation has frequently updated its Employee Handbook with changes that relate specifically to remote worker policies. Each time the handbook is updated, Acme requires all employees to sign an acknowledgement confirming they have received and reviewed the updated handbook.
An attacker posing as Jane sends an email to every employee whose address they have scraped, with a notice to review and sign an acknowledgement of the handbook by the end of the week. The email contains a Word document that summarizes the specific updates to the employee handbook and includes a link that prompts the user to click to acknowledge. Upon clicking the link, the user is directed to a fake login page where it appears they need to log in to sign. Once a user enters their credentials, the attacker has what they were after and moves on to the next phase of their attack.
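Both the resume link in example #1 and the handbook acknowledgement link in example #2 share one property a mail gateway or analyst can check mechanically: the link points somewhere other than the organization’s own domains. The following is an added illustration of that triage step, not code from the original post. The message text, the trusted-domain list (`acme.example` and friends) and the defanging conventions it undoes (`hxxp://`, `[.]`) are all constructed for this example.

```python
"""Flag links in a message whose host lies outside the organization's trusted domains.

Added example for the phishing-link scenarios above; every domain and the sample
message are constructed and do not refer to any real campaign.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist of hosts an Acme employee can legitimately be sent to.
TRUSTED_DOMAINS = {"acme.example", "login.acme.example"}

# Matches live URLs and the defanged "hxxp://" form used when quoting samples.
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.IGNORECASE)
_TRAILING_PUNCT = ".,;:!?)\"'"


def refang(url: str) -> str:
    """Undo common defanging so the URL can be parsed: hxxp -> http, [.] -> ."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def host_is_trusted(host: str, trusted: set[str]) -> bool:
    """True if host is a trusted domain or a subdomain of one (label-boundary suffix match)."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage_links(text: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[dict]:
    """Return one verdict per link found in text: trusted, lookalike or untrusted."""
    findings = []
    for match in URL_RE.finditer(text):
        # Sentence punctuation glued to the end of a URL is not part of it.
        raw = match.group(0).rstrip(_TRAILING_PUNCT)
        url = refang(raw)
        host = (urlparse(url).hostname or "").lower()
        if host_is_trusted(host, trusted):
            verdict = "trusted"
        elif any(d in host for d in trusted):
            # A trusted name embedded in a longer, untrusted host: a lookalike.
            verdict = "lookalike"
        else:
            verdict = "untrusted"
        findings.append({"url": url, "host": host, "verdict": verdict})
    return findings


# Constructed message combining the resume lure and a handbook-acknowledgement lure.
SAMPLE_MESSAGE = (
    "Hello. I see Acme is recruiting for a position my niece is qualified for. "
    "You can find her resume here hxxp://phishinglinkposingasresume[.]com. "
    "Please also acknowledge the updated handbook at https://login.acme.example/ack "
    "before Friday, or use https://login.acme.example.review-portal.test/sign."
)

if __name__ == "__main__":
    for finding in triage_links(SAMPLE_MESSAGE):
        print(f"{finding['verdict']:10} {finding['host']}")
```

The suffix match in `host_is_trusted` deliberately requires a dot before the trusted name, so `notacme.example` is not treated as a subdomain of `acme.example`; the lookalike branch then catches hosts that merely contain a trusted name, which is exactly how a fake login page is usually dressed up.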
Social Engineering Attack Example #3
Attacker’s Objective: To hijack a user’s sign-in session, intercept the user’s password and session cookie, and then authenticate to a session on the user’s behalf via an Adversary-in-the-Middle (AiTM) attack. The goal is to gain access to that user’s mailbox, which is then used to launch subsequent BEC campaigns against other targets.
Scenario: This could be the same scenario as example #2, using the guise of acknowledging an updated employee handbook. The tactic, however, requires an elevated level of sophistication on the attacker’s part, since they must circumvent any 2FA/MFA security protocols in place.
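What makes the AiTM variant work is that the relayed sign-in satisfies MFA normally; the artifact the attacker walks away with is the session cookie, which they then use from their own infrastructure. That gives defenders a concrete thing to look for: a session issued to one network and used from another shortly afterwards. The code below is an added example of that check and is not part of the original post. The event records, the user names, the ASN values and the per-user baseline of familiar networks are all constructed to resemble what an identity provider’s sign-in and activity logs typically contain.

```python
"""Detect a session cookie being used from a different network than it was issued to.

Added example for the AiTM scenario above. The events, ASNs and baseline below are
constructed; nothing here is taken from a real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in and mailbox-activity events, one session per sign-in.
EVENTS = [
    {"ts": "2024-05-06T09:00:00Z", "user": "jane.doe", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS64500", "type": "sign_in", "mfa": True},
    {"ts": "2024-05-06T09:02:00Z", "user": "jane.doe", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS64500", "type": "mailbox_read"},
    # Sally's credentials and MFA are relayed through a proxy (AS64501); the
    # resulting cookie is then used from the attacker's own network (AS64502).
    {"ts": "2024-05-06T09:30:00Z", "user": "sally.smith", "session": "S2",
     "ip": "198.51.100.25", "asn": "AS64501", "type": "sign_in", "mfa": True},
    {"ts": "2024-05-06T09:31:00Z", "user": "sally.smith", "session": "S2",
     "ip": "192.0.2.77", "asn": "AS64502", "type": "mailbox_read"},
    {"ts": "2024-05-06T09:35:00Z", "user": "sally.smith", "session": "S2",
     "ip": "192.0.2.77", "asn": "AS64502", "type": "mailbox_send"},
]

# Constructed baseline: networks each user has historically signed in from.
KNOWN_ASNS = {"jane.doe": {"AS64500"}, "sally.smith": {"AS64500"}}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_session_replay(events, known_asns, window=timedelta(hours=1)):
    """Return alerts for unfamiliar sign-in networks and for cookies used elsewhere.

    A successful MFA sign-in is not treated as proof of legitimacy, because an AiTM
    proxy relays the MFA step; the decisive signal is post-sign-in activity on the
    same session from a different network within the window.
    """
    by_session = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_session[event["session"]].append(event)

    alerts = []
    for session, session_events in by_session.items():
        sign_in = next((e for e in session_events if e["type"] == "sign_in"), None)
        if sign_in is None:
            continue  # activity without a matching sign-in is out of scope here
        user = sign_in["user"]

        if sign_in["asn"] not in known_asns.get(user, set()):
            alerts.append({"user": user, "session": session, "severity": "medium",
                           "reason": f"MFA sign-in from unfamiliar network {sign_in['asn']}"})

        issued_at = parse_ts(sign_in["ts"])
        for event in session_events:
            if event["type"] == "sign_in":
                continue
            elapsed = parse_ts(event["ts"]) - issued_at
            if event["asn"] != sign_in["asn"] and elapsed <= window:
                minutes = int(elapsed.total_seconds() // 60)
                alerts.append({"user": user, "session": session, "severity": "high",
                               "reason": (f"session issued to {sign_in['ip']} ({sign_in['asn']}) "
                                          f"used from {event['ip']} ({event['asn']}) "
                                          f"{minutes} min later")})
                break  # one high-severity alert per session is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(EVENTS, KNOWN_ASNS):
        print(alert["severity"], alert["user"], alert["session"], alert["reason"])
```

Jane’s session produces nothing: issued and used from the same familiar network. Sally’s produces two alerts, a medium one for the sign-in arriving from a network she has never used and a high one because the cookie issued to that network is used from a third one a minute later. In practice the ASN comparison is a proxy for “same network”; tying sessions to the client more tightly, or using sign-in methods that bind the authentication to the site’s origin so a relayed login yields nothing reusable, removes the replay opportunity rather than just detecting it.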
Social Engineering Attack Example #4
Attacker’s Objective: To get the target to call a (fake) phone number and divulge bank account details or other sensitive information over the phone.
Scenario: Acme Corporation announced an exclusive deal with partner corporation GlobeX to become the company’s exclusive widget provider. News of the deal is announced with a press release and numerous employees share the announcement and congratulate those involved in the deal, one of whom is top executive Jim Jones. Attackers are quickly able to identify Sally Smith as the employee in charge of accounts payable in the finance department of Acme and see she is connected to Jim.
Sally receives the following text message that appears to come from Jim:
Would you please call Jane Roe at GlobeX to get us set up as a vendor? They need banking information as soon as possible to ensure we receive payments per the details outlined in the partnership. Her direct phone number is 555-555-5555. Thanks!
As shown by the examples above, the emails and texts attackers use to bait their victims into clicking a link, opening an attachment, or calling a number are not that complicated. If you find yourself thinking you would never fall for one of the social engineering examples above, consider that attackers use the same principle of micro-targeting as marketers do: they only need to leverage a few key details to send the right message, to the right person, at the right time, using exactly the right context to prompt a response.
For reference, all of the available attributes of a LinkedIn profile (taken directly from the LinkedIn help section) are shared below.
- Introduction section. The top section of your profile that displays details of your current personal and professional status including your name, profile image, background photo, headline, current position, education, location, industry, contact info, summary, and whether you are open to finding a new job, hiring, or providing services. This section alone can give an attacker everything they need to know to formulate a convincing phishing message — especially if they know you are receptive to communications regarding hiring or seeking employment opportunities.
- Experience – Professional positions and experience, including jobs, volunteering, military, board of directors, nonprofit, or pro sports.
- Education – School and educational information.
- Licenses & certifications – Certifications, licenses, or clearances you’ve attained.
- Skills – A relevant list of skills on your profile helps others to understand your strengths and improves your likelihood to be found in others’ searches.
- Recommendations – You can request professional recommendations from your peers.
- Courses – Adding your body of coursework can help your education to stand out.
- Honors & Awards – Show off your hard-earned awards.
- Languages – Languages you understand or speak.
- Organizations – Show your involvement with communities that are important to you.
- Patents – Any patents you’ve applied for or received.
- Publications – Publications that have featured your work.
- Projects – Showcase the projects you’ve worked on, along with team members.
- Test Scores – List your scores on tests to highlight high achievement.
- Volunteer experience – Highlight your passions and how you have given back.
The social engineering examples we shared were pretty basic and some of the most common. But consider the amount of data that is shared in your own LinkedIn profile that allows for micro-targeting and imagine what an attacker might be able to use in a message that you would fall for. Do you have certifications that require annual renewals? Continuing education requirements? Do you participate in professional associations, mentorship programs, or other volunteer opportunities?
While there are, undoubtedly, plenty of novice attackers trolling for easy opportunities to victimize one target at a time, the larger cybercriminal organizations have operationalized social engineering, taking micro-targeted attack examples like these and using them as templates to scale their attacks against the wide market of LinkedIn’s 750 million professionals. It only requires catching one person off guard for an attacker to get their foot in the door and then launch the next phase of the attack to go after the big payout. We’ll explore this topic in the next blog post of the series.