Ah, LinkedIn! It’s known as one of the best ways to connect with potential employers and grow your career prospects. Some even say that it’s replaced the on-paper resume, pushing the entire job market to the online arena.
But there is a darker side to LinkedIn. Malicious actors from other countries are using LinkedIn to check out your profile, but they definitely aren’t planning on offering you a job. Instead, they are digging for corporate and government secrets for espionage purposes.
While there is no doubt that all of your social media channels are being scraped for information by someone, LinkedIn offers a unique opportunity to foreign agents looking to gather valuable information. Specifically, information that could be used to facilitate corporate espionage.
LinkedIn doesn’t just show connections with friends and family (although it does do that), but it also shows someone’s rank in their organization. This makes it much easier for countries like China to track down those who are disgruntled with their job and recruit them. Rather than having to spend resources to groom a single employee, LinkedIn offers these countries a way to connect with thousands of potential targets in seconds.
As the purpose of LinkedIn is to act as an online resume, users generally put all of their prior experience up on their profile. This allows malicious actors to track someone’s entire career trajectory. If someone is a government official looking for a higher-paying job in the private sector, China will be able to see every agency they ever worked for, and even guess their security clearance level.
How Does This Impact You?
Imagine that you’re a high-powered executive working for an organization. You have a LinkedIn profile, but rarely use it. You might want to do a search for your own name as there could be several other LinkedIn profiles out there, all pretending to be you.
By impersonating you, those fake profiles can connect with individuals in your organization, possibly soliciting information from them. If you ever find someone pretending to be you, report that profile to LinkedIn immediately. They should act in short order to take that profile down.
Recently, there was a story on CNBC about a LinkedIn scam that managed to get around the security of an entire company. Thankfully, this was a scam “perpetrated” by a cybersecurity firm hired to shore up the company’s cyber defenses. A beautiful actress was hired to act as a model for a fake LinkedIn profile. This fake profile, which was set up as a brilliant MIT graduate, started to make as many connections with employees as possible. Once they had amassed enough, they changed the name of the employer on the account to the targeted company. Then, at Christmas time, the fake profile sent out a “holiday card” containing a link to malware to every executive in the organization. Every single one of them opened the link. Had that been a real hacker, they might have gotten full access to the company’s systems. Terrifying!
What About Your Data?
“Ok,” you might be saying, “That’s all well and good, but I’m not going to be fooled like that. And there is no way I’m going to be recruited into a foreign intelligence agency. So, what does this matter to me?”
Social engineering is a growing area of concern in cybersecurity. Using information easily scraped from social media accounts, social engineers can use telephone tech support to gain access to your accounts. After all, think about the “security” check done to verify your identity when you call a company on the phone. They often just ask for your birthday and your zip code, both easily obtainable pieces of information taken from public social media profiles.
Now, imagine what social engineers could do with all of the data contained on your resume? Every place you’ve ever worked, every job you’ve ever held, and a massive list of people that you know? The damage done could be incalculable.
What Can Be Done?
Surely large-scale companies could do something about this. After all, it’s their service. But unfortunately, many of them are sitting around, hoping someone else will solve their problems for them. When asked if companies are taking the threat seriously, former FBI counterintelligence operative Eric O’Neill said, “Some of them have said, it’s not our job to stop this, we pay taxes to the government to solve it. You guys figure it out. But the danger is the government will solve it with regulation, and that’s a worry because it depends on the government.”
While LinkedIn, at least, seems to be trying their best to clamp down on the issue, cybersecurity is a constantly moving target. Bad actors are constantly creating fake accounts to mislead those who are simply looking for a job. LinkedIn says that it took down 21.6 million fake accounts between January and June of 2019 alone. That should give you a sense of the scale of the problem.
The only way to be safe is to know exactly how much information and data is online about you, then remove information that can be used for spying purposes and/or to compromise your privacy and personal security. With our Personal Data Scan OSINT services, we can scan the public information about you posted on LinkedIn, other social media services and the Internet and provide a report. If there is any information that could be used for spying purposes and/or to compromise your privacy and personal security, we can help you to remove the information from the Internet.
If you’d like to learn more about some of the significant security challenges that are facing both businesses and governments today, check out the ComSec blog. And if you’re concerned about electronic eavesdropping at your organization, we can help with our corporate Assurance Option Counter Espionage Services. Contact us today to learn more about how you can protect yourself and your business!
About the Author:
J.D. LeaSure, CCISM, is the President / CEO of ComSec LLC, a global provider of world class counterespionage and TSCM / Cyber TSCM™ services. www.ComSecLLc.com