Professional social networking site LinkedIn has proven to be a valuable business tool, bringing together professionals from all over the world. But few corporations grasp the security risks that the use of LinkedIn represents. The main problem is not with the LinkedIn website’s own digital security but with a widespread corporate ignorance of the way the organised criminal gangs (OCGs) who make billions, sometimes tens of billions of dollars, from cyber crime work.
The hackers are now using well-known brands names such as Standard Chartered Bank on LinkedIn to attract senior executives to divulge information that they can use. It’s all very plausible unless you know what to look for.
Using a process called ‘social engineering’, OCGs assemble as much information via the Internet as they can on a target subject within an organisation that has been identified as likely prey. LinkedIn is proving a rich vein for OCGs. Executives have become too cavalier about posting details of their movements and personal information on LinkedIn. What’s more, it is not uncommon for passwords take the form of the name of a sports team, a pet or other personal details. But even if the target has been careful to use a more complex password, his or her organisation’s most sensitive data might still be at risk. For example, details of business trip dates combined with personal details such as a recent illness or family names can be all an OCG needs to socially engineer a ‘Friday Afternoon’ attack.
Typically, this would take the form of an email, phone call or possibly a combination of the two in order to convince someone at the company that an important executive is making an urgent request. Sometimes, this is a straightforward scam where the end goal is a money transfer to a third party account.
But a quick financial hit is by no means the worst occurrence. Sometimes, the request may not be for cash but for passwords or access to sensitive data. This data may then be ransomed back to the company for a huge non-negotiable fee, sold to competitors or simply put up for sale on the Dark Web. In this scenario, the company may remain blissfully unaware it has been hacked for months or even years.
So far, in the UK this combination of psychological and technological techniques to access personal information is mainly being used to target law firms. The reason is thought to be that many law firms are hierarchical and if a senior partner emails the finance department to ask for a money transfer it generally has to be done swiftly and without question.
But this does not mean that organisations working in sectors other than law or healthcare have any room for complacency. OCGs have a tendency to target what they see as “low-hanging fruit” first, before adapting their new offensive strategies to those organisations which have sensitive data and security systems that can be breached fairly easily. There is, therefore, little doubt that companies working in other sectors are probably already being targeted by OCGs.
As with the ‘Friday Afternoon’ attacks taking place on banks and legal firms, social engineering will play a crucial part in future cyber attacks on a wide spectrum of industries and businesses. What it comes down to, is that the only real safeguard is to educate all staff that all social networks are potential minefields and that, under no circumstances, should they discuss confidential company information or reveal personal details that could be used by an OCG to socially engineer a cyber attack.
Stuart Poole-Robb, Chief Executive of Business Intelligence and Cyber Security Adviser, KCS Group
