October 31, 2013

LinkedIn Lure Looking for Love-ly Profiles, Possibly More

Carl Leonard Principal Security Analyst

Websense® Security Labs™ ThreatSeeker® Intelligence Cloud has identified a LinkedIn profile configured to use social engineering techniques in order to target fellow LinkedIn users.  Here at Websense we refer to The 7 Stages of Advanced Attacks.  This model of describing the kill chain discusses Stage 1: Reconnaissance - the act of uncovering information that will facilitate the attacker to conduct a later, more successful attack .  We believe that this particular campaign may be a precursor to a more specialized targeted attack.

Executive Summary

The highlights of this discovery are:

  • Evidence indicates a reconnaissance phase is being conducted by the actors.
  • Websense telemetry across the 7 Stage life-cycle, collected over many years, provides valuable insight to connect the dots in such attacks that operate as a precursor to more sophisticated attacks.
  • The targeting method uses existing features of the LinkedIn social network to pin-point LinkedIn users that meet the scammer's requirements.
  • The LinkedIn profile is actively engaging with legitimate LinkedIn members, and currently has just over 400 connections.
  • The destination website is hosted on the same ASN as sites known to host exploit kits and possibly illegal websites.
  • Current payload leads to a dating site.  While social engineering is primarily being used here, this could morph into something more nefarious over time.

How does the profile interact with LinkedIn users?

It appears the profile is being actively used to view the profiles of intended targets.  Any LinkedIn user can see the most recent 5 users who have viewed their profile, and most users are keen to understand who may have done so.  This is the method employed by the attacker to entice LinkedIn users to view their profile.  LinkedIn currently has over 259 million members so the potential number of targets is vast. 

The screenshot below shows how a profile view would look to a LinkedIn user:

Why would an attacker use LinkedIn?

Search features within the social network provide an easy way for scammers and legitimate LinkedIn users to zoom in on their target audience.  Whether you are a recruiter looking for potential candidates, a dating scammer looking for "mature gentlemen", or an advanced attacker looking for high-profile directors within particular industry sectors, LinkedIn users have access to tools to help refine their search.  LinkedIn's own statistics report that 5.7 billion searches were conducted on the social network in 2012.

Notice that the offending profile is a subscriber to LinkedIn's Premium Account service.  This feature has numerous benefits over and above the Basic Account service.  Basic search filters include Location, Industry, and Profile Language.  When a user upgrades to a Premium Account search filters expand to include Function, Seniority Level, and Company Size. All of these could be used by an attacker to select their particular target based on their objectives.

Note that features of the Premium Account also facilitate a greater degree of interaction with targets.  Should a target view the scam profile, the scammer can then see that, for all views.  The scammer could also contact any LinkedIn member and search across a greater number of profiles.

The Payload

At the time of writing this blog, the summary of that profile reads as a link to a dating website geographically located in Switzerland and hosted on IP 82<dot>220<dot>34<dot>47.

Notice that the profile of the scammer also shows the location as Switzerland, although that could easily have been faked.

In this case we believe that the dating site is used merely as a lure. The dating site looks like this:

At the time of writing no malicious code exists on this dating website, but we do have telemetry revealing that other domains on that same IP have been known to host suspicious code such as blackhat SEO.  We also see that IPs used to host the dating site are hosted within the same Autonomous System Number (ASN) as multiple Exploit Kit Command and Control URLs, including RedKit and Neutrino exploit kits.


This particular profile, although not currently directing LinkedIn users to malicious code, is likely to have been set up to gain connections and harvest intelligence.

Information relating to current employer, job titles, connections within the social network, and technology skills could be used by attackers to better enhance their chance of success in more targeted attacks outside of the LinkedIn network.

Websense offers protection from the dating site mentioned in this blog, as well as the reference exploit kits, via ACE, our Advanced Classification Engine.

Note: Websense Security Labs has reported the offending profile to LinkedIn.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.