LinkedIn has become a popular destination for threat actors trying to communicate with people for a variety of purposes, such as distributing malware, cyberespionage, credential stealing, financial fraud, etc. One common approach to using LinkedIn by cyber criminals is to approach people using fake profile claiming to be a recruiter working at technology, defense, or media companies. The North Korean-sponsored group Lazarus often engaged in these kinds of activities in order to propagate malware .
In an effort to mitigate some of these schemes, LinkedIn is beginning to implement a number of security features with the hope that utilizing fake profiles will be less effective for instigating attacks. A summary of the changes is that they will start displaying more information about profiles to users, actively seek out fake profiles with AI, and warn users about suspicious messages. In terms of how LinkedIn is showing more information to users, they are adding an “about this profile” feature to user profiles . A glimpse of this can be seen below in Figure 1. This feature shows when a profile was first created, when it was last updated, and whether the user has verified a phone number and/or work email. This can be valuable information to have when deciding if you should consider communicating with others through LinkedIn.
Figure 1. Showing the new “About this profile” section (source: LinkedIn)
In addition to the added information being shown about profiles, LinkedIn is also taking note of the remarkable improvements in AI generated imagery and are developing deep learning models to detect such images. Setting aside the current ethical and legal controversies currently surrounding AI imagery, using AI generated images can make fake profiles appear more legitimate. LinkedIn’s new models will be checking profile photos for image artifacts associated with these types of images in an attempt to identify potentially fake profiles .
Another change that is taking place is the addition of warnings to LinkedIn messages. Specifically, users will now begin to see warnings if messages contain content that has been deemed high-risk . For example, a user may see warnings in messages that appear to be trying to move the conversation to an external site. An example message can be seen below in Figure 2. There are certainly other “high-risk” aspects of nefarious messages that may receive warnings but attempting to lure a user a way from LinkedIn is worthy of note here because that is a common tactic in many cases of attack, especially since distributing files is often needed to execute an attack. With the Lazarus attack mentioned previously, threat actors would attempt to lure users into WhatsApp for malware delivery . These changes also include the ability to report messages or mark them as safe.
Figure 2. LinkedIn message with warning (source: LinkedIn)
In summary, LinkedIn is looking to cut down fraudulent activity on its platform by implementing a few security updates. These updates are:
- A new “about this profile” feature, which allows users to see more information about a profile, such as when it was created and last updated.
- Using deep learning models to identify potentially fake profiles through their profile images.
- Implementing a warning system in LinkedIn messages so users can be more aware of potentially dangerous messages.
Even with these updates, it is important for users to keep in mind a few warning signs that may indicate fraudulent activity. Thus, users should consider reporting users if they are seeing any of this behavior :
- Asking for money, cryptocurrency, or gift cards.
- Posting jobs that seem too good to be true, or jobs that require upfront payments.
- Sending messages with romantic gestures or bad grammar.
- Profiles with abnormal profile images or incomplete work history
- Profiles with no connections in common
About Red Sky Alliance
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings