Slashdot Mirror


Iran-Based Hacking Crew Uses Fake LinkedIn Profiles In Espionage Attacks (secureworks.com)

An anonymous reader writes: The Iranian hacker group Cleaver has been directing a cyber spying campaign at bodies in the Middle East across a network of fake LinkedIn accounts. It is thought that the threat actors were using the professional platform to gather intelligence using six 'leader' profiles, each with over 500 connections, and a collection of 'supporter' accounts. According to Dell researchers, recruitment advertisements and skill endorsements from 'supporter' accounts were used to boost credibility. Perhaps they're after the New Yorker crowd, too.

41 comments

  1. LinkedIn by Anonymous Coward · · Score: 1

    Is that the one that set up a ghost account for me and spammed my email that people wanted to connect to the profile I didn't even know I had?

    Yeah, fuck those guys.

    1. Re: LinkedIn by Anonymous Coward · · Score: 0, Informative

      When making an account, LinkedIn asks to access your contact list of your email programs. Opting out is a real pain in the ass and most people probably allow it because they do not read all the terms.

      Real sleazy on LinkedIn's part.

      And then there's the ability of people to look at your account anonymously and there is no explanation apparent on LinkedIn's website.

      Since employers - just recruiters - use the site, I deleted my account - it has made no difference in my career.

      I still get emails from people I don't even know.

      LinkedIn is Facebook now.

    2. Re: LinkedIn by Anonymous Coward · · Score: 1

      But here's the catch. I didn't even set up an account. Unless someone did so in my name and I was unaware, or maybe I was really blitzed one night and made one and can't remember. But both of those are extremely unlikely.

      From what I understand, someone with me in their email contacts (maybe my dad - thanks dad!) created an account and let it go through their email contacts. LinkedIn then made shadow accounts for those contacts who aren't on the site, and periodically emailed them saying people want to connect with them on LinkedIn. If I had actually followed the link, it probably would have set up a profile for me. But the fact that I was getting these emails when I know for a fact I never even visited the damn site is just creepy as all hell and left an extremely bad taste in my mouth. Because of this, I will never trust LinkedIn and will never create a profile there.

      The only good thing about LinkedIn is that they let me know what scumbags they are before I wasted my time signing up and using the site. For that, I thank them. Otherwise, they are probably the worst of the social networks, and that really says a lot, given the shit facebook and g+ have pulled.

  2. Social Networks by Anonymous Coward · · Score: 0

    Are worth their weight in... vacuum.

  3. They Got Me by Anonymous Coward · · Score: 0

    Damnit! They got my account details. Thanks for nothing, Cloud!

  4. Fuckers! by Anonymous Coward · · Score: 0

    More fake job listings. It's bad enough that domestic recruiters are getting people's hopes up with non-existent job openings and now this! It's an outrage. My jimmies are... well... slightly ruffled, anyway.

    I can't believe that the Iranians could be so cold hearted.

  5. Not surprised ... by gstoddart · · Score: 4, Interesting

    I've seen a fair bit of evidence of shady players (most of whom seem to be recruiters) on LinkedIn.

    I recently got an invite from someone who had crafted their profile to strongly suggest they had worked at a previous employer, and you had to look pretty closely to realize they didn't. Either he was a shady recruiter, or an even shadier player -- definitely a profile which took me several minutes to look at against who I thought it could be.

    I have a fairly firm policy that if I don't know you, I'm not adding you. So all those recruiters who are obviously recruiters get ignored.

    But the ones who have carefully crafted a profile to mislead you into thinking it could be someone you know, those are much more worrying. I even saw that one of those misleading ones had been added by someone I did formerly work with, because it was a good enough fake that people would fall for it.

    This has always been a problem with social networks in my opinion: if the goal is to collect as many links as possible without actually stopping to think of "just who the hell is this person again?", then people are going to be suckered into linking to people they don't know at all.

    So you pretty much have a platform in which people are trying to expand their network, and don't seem to think critically enough about just who those people are and if you really want a random recruiter or someone you don't know in your network. Me, I've pretty much decided that I won't link to people I don't actually know.

    So, am I surprised to see stuff like this? Not hardly, because in a lot of ways LinkedIn is as much of a pest on the internet as Facebook and Twitter. And if fooling people into adding you into their network gives you a way to fool more people, it's all the more reason to look at those invites and ask "who the fuck is this and why the hell do I care?".

    --
    Lost at C:>. Found at C.
    1. Re:Not surprised ... by Anonymous Coward · · Score: 0

      > This has always been a problem with social networks in my opinion: if the goal is to collect as many links as possible without actually stopping to think of "just who the hell is this person again?", then people are going to be suckered into linking to people they don't know at all.

      This is why I have 7 connections on LinkedIn after having been "on" it for 5 years, I just don't add anyone I don't know.

    2. Re:Not surprised ... by ArsenneLupin · · Score: 2
      Actually, if it's recruiters, many people might actually want them (thinking "who knows, I might need him in the future").

      Come to think of it, maybe some of these recruiters aren't actually recruiters, but hackers pretending to be recruiters because that's easier to fake than former colleagues.

    3. Re:Not surprised ... by gstoddart · · Score: 3, Interesting

      If someone says "I'm a recruiter", then you can choose to add them or not. Me, I don't have any interest in unsolicited recruiters trying to pester me ... I consider them like door to door salesmen or spam; I'm just not interested.

      But, yes, some people do choose to link in recruiters. I personally won't do it.

      This fake that I saw the other week ... it was really hard for me to identify what the heck it was. It was written in such a way as to insinuate he'd worked at a place I knew, but fell just short of stating it .. the more I read it the more I became convinced there was something quite slippery about it. In the end after some pretty careful reading I concluded the profile wasn't what it claimed to be.

      I find it highly unlikely nefarious super hackers are personally targeting me, but if it was a recruiter it seemed like a pretty well crafted way to lie your way into someone's network ... and any recruiter trying that hard to mislead you about who they are isn't someone you should be trusting. At all. Ever.

      So, either it was what I'd consider a really shady recruiter, or some other shady entity.

      Either way, people in general need to have a little more "street smarts", both on the intertubes and in real life. Because, there's an awful lot of humans who are complete bastards and need to be distrusted. Not nearly enough people stop to think "just who the hell is this person and what are their motives?"

      Which is precisely why social engineering and other con artists are so successful.

      Some people think being wary and distrustful is a bad way to live .. me, I have seen enough of crap like this to know that it's better than being someone's mark and realizing you've been ripped off.

      --
      Lost at C:>. Found at C.
    4. Re:Not surprised ... by Anonymous Coward · · Score: 0

      I get a job within minutes of posting looking for new opportunities on linked in because i have a lot of relevant recruiters on my profile! captcha=encroach quite apt?

    5. Re:Not surprised ... by Crowd+Computing · · Score: 1

      > Not hardly, because in a lot of ways LinkedIn is as much of a pest on the internet as Facebook and Twitter.

      The big difference is you can safely ignore LinkedIn. Ignoring FB only works if you live in the boondocks or in some weird country like Russia, China or Japan.

    6. Re:Not surprised ... by 0xdeadbeef · · Score: 1

      I've had one try to "friend" me that was pretending to be a journalist. It looked plausible except for the fact that it used a stock photo that was easily found by image search, and the name couldn't be found on published articles anywhere.

    7. Re:Not surprised ... by gstoddart · · Score: 2

      It may surprise you to know that tons of people successfully ignore Facebook all the time.

      I have all my browsers set to explicitly not trust facebook at all .. I don't allow their shit to set cookies, run scripts, or track me across the internet. Nada. Zip.

      Actively blocking and not using facebook is an entirely viable strategy.

      If you can't ignore FB, that's your problem.

      --
      Lost at C:>. Found at C.
    8. Re:Not surprised ... by Anonymous Coward · · Score: 0

      This year I relaxed my "if I don't know you, I don't add you" policy and I'm suspicious that some people I added weren't on the up-and-up. However, I never post anything to my profile and I'd never divulge anything even remotely non-public to my profile. So other than feeling a little creeped out, I don't think I have to worry, though I will probably start weeding out some folks.

    9. Re:Not surprised ... by Anonymous Coward · · Score: 0

      > I get a job within minutes of posting looking for new opportunities on linked in because i have a lot of relevant recruiters on my profile! captcha=encroach quite apt?

      You did seem to be having a problem there with your email. I'm assuming that you're yet another of the hundreds of sweatshop Bangalore recruiters, each pretending to have a different job for me, most of which are out of state, and any local jobs are for the same 3 positions at a local DOD company that I've already refused and that they've been trying to fill the same position every 3 months for the last 5 years.

      They just *LOVE* the LinkedIn connections. But they don't personally use LinkedIn. Their manager buys the job board scanning services from www.bullhorn.com, sets the keywords as broadly as possible, and just spews the contact email addresses in bulk to bots or to sweatshop workers, whichever is cheaper for them. They don't use *real* LinkedIn accounts for that, except to leverage the searches and hand them off to underpaid suckers or bots to make the cold calls.

  6. So what by aaaaaaargh! · · Score: 4, Interesting

    LinkedIn is about the most shady network one could imagine, so it's not surprising that Iranians would use it in addition to the CIA and about every other intelligence agency in the world. Half of what LinkedIn does is probably even plain illegal in most of the countries in which it operates. For Christ's sake, they even ask you for your personal email login password so they can spam all of your email contacts!

    1. Re:So what by Anonymous Coward · · Score: 2, Funny

      > LinkedIn is about the most shady network one could imagine,

      May I assume that you've never visited 4chan? Or Anonymous? Or experienced Scientology? Or dealt with an outsourced QA department hosted in Bangalore?

    2. Re:So what by gstoddart · · Score: 1

      Yes, they do ... and if you ever give a website your email address and the password for that email address you should consider yourself a fucking moron.

      But, I think I've seen Facebook do it, I think I may have seen Google do it ... for some reason I will never understand people will do this. They think "oh, awesome, how convenient".

      Why the hell anybody would let an entity like LinkedIn have access to their email account is utterly mind boggling to me. Imagine walking into a store and someone just saying "hey, can I look through the contacts in your phone to sign up your friends for our rewards program?"

      Why the hell people think that isn't utterly idiotic on the internet is beyond me. It's like the internet makes people stupid or something.

      And letting some website have direct password level access to your stuff is mind-bendingly stupid.

      --
      Lost at C:>. Found at C.
    3. Re:So what by Anonymous Coward · · Score: 0

      Yes to all of them.

    4. Re:So what by Anonymous Coward · · Score: 0

      Not everyone is so butthurt about the potential to look stupid as you clearly are..

    5. Re:So what by GoChickenFat · · Score: 1

      > Why the hell people think that isn't utterly idiotic on the internet is beyond me. It's like the internet makes people stupid or something.

      The degree of "internet stupid" increased dramatically with smartphones and tablets with everyone giving away their privacy for a "free" app. That idiocy of accepting whatever has carried over into everything on the internet and soon to be fully embedded in all OS's. If you try to avoid this stuff people start looking at you as if you live under a bridge.. "you don't have a facebook account?" "you've never been on instagram?" "you don't play angry birds?". It's like I'm the moron for not being oblivious to the privacy and security give-away.

    6. Re:So what by gstoddart · · Score: 1

      > Not everyone is so butthurt about the potential to look stupid as you clearly are..

      It's not looking stupid which concerns me .. I look stupid fairly constantly. That doesn't bother me.

      But the whole ream of security issues caused by letting a website have the password for your email account absolutely hurts my brain. Under what other circumstances would you hand that password over to anybody? Ideally none, but suddenly a website asks for it and people do it.

      The problem is the internet requires a level of paranoia which doesn't come natural to most people. Failing to assume the internet is constantly trying to fuck you over is a perilous mistake.

      But, make no mistake about it, the internet is a place which does not have your best interests at heart. Which means you have to have a fairly constant mind-set that it's a potentially hostile place.

      --
      Lost at C:>. Found at C.
    7. Re:So what by Zontar+The+Mindless · · Score: 1

      Then you won't mind sending APK your entire address book? C'mon, what could possibly go wrong?

      --
      Il n'y a pas de Planet B.
  7. Iran-Based Apping Crew Apps App Apps In App Apps! by Anonymous Coward · · Score: 1

    Apps!

  8. Well, at least LinkedIn is good for SOMETHING by NotDrWho · · Score: 2

    nuff said

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  9. attack? by Anonymous Coward · · Score: 0

    anyone care to outline the anatomy of such an attack?

    1. Re:attack? by gstoddart · · Score: 1

      > anyone care to outline the anatomy of such an attack?

      I won't claim to know the specifics, and I wouldn't tell you if I did ...

      But, like all social engineering, the intent is to trick someone into believing you're someone you're not. To do this you try to give yourself some bona fides which someone will interpret as a level of trust. You then exploit that to weasel your way into gaining access or information.

      Social networks designed to link you to people you don't remember or never knew just provide a mechanism whereby someone goes "oh, he knows Larry, OK, this seems fine". It causes you to let your guard down, and hopefully you play along and they get what they want.

      So, if you want to gather intel on someone, posing as a recruiter means you might just hand it over to them.

      Short version: trust, but verify; and if you can't verify, don't trust.

      They really should teach adults about "stranger danger". It seems like people become adults, and then become naive idiots all over again. (And in fairness, social engineering can be really sophisticated and doesn't require a naive idiot.)

      --
      Lost at C:>. Found at C.
    2. Re:attack? by Anonymous Coward · · Score: 0

      i had a more hollywood version of events in mind. using linkedin to map out government employees that can be used to identify weaknesses that are then used for blackmail.

      i suppose one only need look at the twitter accounts of politicians to see the dumb things they will say in public. they probably tell their whole golf club what they hear in the national security committee briefings.

    3. Re:attack? by gstoddart · · Score: 1

      > i had a more hollywood version of events in mind. using linkedin to map out government employees that can be used to identify weaknesses that are then used for blackmail.

      Honestly, by the time you're talking about a nation state doing espionage ... that level of investment could be plausible.

      Maybe not so much with the blackmail, but if you could then move on to some social engineering or spear phishing that's probably the point. LinkedIn likely gives you a way to identify your targets.

      A bunch of hackers may not reach that level of sophistication. A nation state employing some hackers to achieve a goal has the means to do a LOT more.

      --
      Lost at C:>. Found at C.
  10. Allahu! Allahu! by Anonymous Coward · · Score: 0

    You are all Muslims. Muslims say "Allahu Akbar". Allahu! Allahu! Allahu Akbar says the Muslim. You Muslims!!!

  11. yes but by Anonymous Coward · · Score: 0

    Asking to be linked to by "CEOPETERS BALTUSSEN" the "Chief Executive Officer at Commercial Bank of Dubai" is fairly transparent.

  12. A better strategy by Anonymous Coward · · Score: 0

    Just pray to Allah and have him bring down the evil American empire.

    Allah Akbar!

  13. Been going on for some time by timholman · · Score: 2

    This has been going on for years. My colleagues and I get email inquiries from Iranian students quite frequently, seeking research positions. Their email messages will include embedded mail bugs to track who opens the email. The same students will then try to friend us through Linkedin.

    It's a unique pattern of behavior, quite different than what we see with students from other countries. We have speculated that it is being coordinated by some agency within Iran, although we have no real proof of it.

    1. Re:Been going on for some time by Anonymous Coward · · Score: 0

      > Their email messages will include embedded mail bugs to track who opens the email

      Who still uses an email program that downloads (or worse runs) scripts, images or anything else from external URLs automatically without first asking the user if that's alright?

    2. Re:Been going on for some time by Anonymous Coward · · Score: 0

      No one, but yet mail bugs are still regularly sent as a means of tracking and receipt verification.

  14. Creepy feeling... by Shoten · · Score: 1

    The "Steven Highsmith" account, that one I recognize. He reached out to me...jesus...

    --

    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:Creepy feeling... by Anonymous Coward · · Score: 0

      My GOD... an Iranian tried to contact you... and IDENTIFY YOUR SOCIAL MEDIA CONTACTS!?

  15. The real story here is... by Anonymous Coward · · Score: 0

    LinkedIn still exists?