.webp)
LinkedIn, the widely recognized social networking platform developed for professional connections and career growth, has a hidden dark side: It has become a prime destination for threat actors seeking to gather intelligence about potential victims. With more than 875 million registered users, LinkedIn has become a vast repository of personal information and the ideal resource for threat actors to mine valuable information.
Threat actors actively scrape profiles from LinkedIn. This information about targeted individuals and companies serves as the foundation of meticulously tailored cyberattacks. LinkedIn’s wealth of personal details—ranging from full names and job titles to company affiliations and contact information—has become a potent attraction to threat actors.
Job postings, employee updates, company announcements, and recruitment details form a pool of intelligence that enables nefarious actors to identify potential high-value targets within an organization. Job descriptions reveal the software, platforms and technologies used by organizations, aiding attackers in planning cyber-attacks. The connections and relationships within an organization enable bad actors to decipher a company’s structure.
LinkedIn has been leveraged and targeted by threat actors in various security incidents. Notably, the North Korean nation-state threat actor known as the Lazarus group engaged in cybercriminal and espionage operations using LinkedIn to search for cryptocurrency industry jobs and to initiate contact with prospective victims through its messaging system. Nobelium, in 2021, exploited a Safari zero-day vulnerability to launch a spear phishing attack on marketing and HR professionals via LinkedIn. The objective of this “DuckTail” exploit was to gain control over Facebook Business Accounts for malicious advertising. As recently as February 2023, the exploit of an unidentified threat actor exposed information from 500 million LinkedIn profiles, including full names, email addresses, phone numbers, and workplace details.
Phishing attacks are prevalent on LinkedIn, exploiting the wealth of personal information available on users’ profiles. These scams are often initiated through LinkedIn’s messaging system. The information gleaned is used in phishing emails to the employee or leveraged across other communication channels. Threat actors often craft fake profiles that appear legitimate, even though LinkedIn has implemented mechanisms to detect and terminate such accounts. Despite LinkedIn’s efforts, threat actors continue to exploit the platform, emphasizing the need for vigilance and awareness among users.
Job recruiters are often impersonated—a tactic that is especially effective with users who are dissatisfied with their current job or are seeking new opportunities. To build trust, threat actors may engage in conversations, weave fictitious narratives, or send messages containing malicious links or attachments. When users click these links, they’re redirected to counterfeit login pages, where threat actors can proceed to steal their login credentials.
While bad actors often conduct reconnaissance manually, they can also collect valuable information using Open-Source Intelligence (OSINT) tools, including:
LinkedIn2Username:
This tool analyzes company subdomains to find examples of company email addresses. It then correlates these with full names on LinkedIn to provide a list of company usernames and emails.
Email2phonenumber:
This tool generates prospective phone numbers based on a country’s phone numbering plan and format, and systematically generates and tests different phone numbers to find valid ones associated with email addresses (aka brute forcing).
Exposed phone numbers across different platforms provides threat actors with useful information on their target.
theHarvester:
This tool is used to determine a company’s external threat landscape from a provided domain name or company name.
It gathers information from public sources including email addresses, employee names, subdomains, IPs, open ports, and URLs.
It utilizes multiple APIs and search engines and can take screenshots of subdomains.
Maltego:
This tool searches public data sources (including public information such as DNS records, WHOIS records, social networks, and search engines) to identify relationships among people, companies, and domains.
It can chart and graph large volumes of information.
It helps threat actors uncover connections between employees and the organization’s structure.
Phonebook.cz:
This tool uses website domains or subdomains and returns a list of email addresses associated with it.
Spiderfoot:
This tool gathers information on a target including usernames, email addresses, IP addresses, phone numbers, domain, etc.
It can be used for reconnaissance on a target company’s digital footprint.
IntelligenceX:
This offers OSINT and forensic tools to search for email addresses, IP addresses, domains, data leaks, public websites, Bitcoin addresses, and other types of information.
After thorough analysis of threat actor behavior on LinkedIn, it becomes evident that the platform is increasingly exploited for malicious intelligence gathering. Its professional context and wealth of accessible information make it an ideal hunting ground for threat actors. Unlike other social networks, LinkedIn offers a treasure trove of public data that cybercriminals find enticing. This information, combined with open-source intelligence tools, enables threat actors to strategize and execute attacks—often in the form of phishing. Despite its professional veneer, LinkedIn remains vulnerable, emphasizing its appeal as a prime target for threat actors.
See Safety on Social Media for foundational recommendations on how to protect yourself from these tactics.
On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.
As we conclude our 'ransomware readiness week' of this Cybersecurity Awareness Month, it's time to take a critical look at your organization's defenses. Ransomware attacks are becoming more sophisticated, and no business is immune. In our latest article, we explore essential strategies to bolster your ransomware preparedness. Don't miss this vital information to help protect your business from emerging threats.
Ethical hacking has become an essential response to an IT industry kept on its toes by a spectrum of bad actors with malicious intent. This article introduces two prominent methodologies that help the good guys fight back: penetration testing (pen-testing) and red teaming. Learn more here.
Host Geoff Hancock was joined by guests Mike Rush, Director of Threat Intelligence at Access Point Consulting; and Evie Manning, Senior Director of Threat Hunting and Intelligence at Access Point Consulting. Together, they talked about cyber threat intelligence and the applications that can make it work for small and medium-sized businesses.
