Cons access LinkedIn data, employ spear-phishing to swindle users
Police and independent cybersecurity experts stated that data shared by organisations and employees on the professional networking website enables a wide range of cybercrimes -- from financial frauds to Business Email Compromise (BEC) to corporate espionage
Mumbai: Just when LinkedIn had become a trusted go-to platform for professionals to network and talk shop, cybercrime experts have observed that it is regularly misused by cons to fleece unsuspecting users. A case recently registered with Kherwadi police by a Bandra-based businessman, who was duped by scamsters claiming to be from Britannia Pharmaceuticals, UK, is indicative of the global racket.
The complainant, Sachin Bajla, owns Baijnath Minerals Pvt Ltd in Kalanagar. He was contacted by the accused through LinkedIn on October 10. In order to convince him that they were indeed representing the UK-based pharma giant, the accused also set up email domains similar to the company's. Subsequently, using an elaborate modus operandi, the accused cheated Bajla to the tune of ₹ 1.05 crore.
Cyber cops have noted that organisations are most commonly targeted by a modus operandi called spear phishing.
“Spear phishing involves a great deal of intelligence gathering, as the scamsters have to emulate the exact format and language used by an organisation in its official correspondence. Once this is done, only a few words or alphabets are changed and the scamsters enter their own account numbers. This email is sent to those controlling the accounts of the company, from an email ID impersonating the top boss. As soon as the money is received, it is immediately diverted to other accounts within minutes,” said Deputy Commissioner of Police (Cyber) Balsing Rajput, Mumbai Police.
Scores of organisations approach the department every year, after falling prey to spear phishing. The problem, however, is that not many of them are willing to register a complaint, fearing the damage to reputation and the resultant financial losses.
Harshil Doshi, Country Manager (India and SAARC), Securonix, and others from the security analysis fraternity, have observed cybercriminals routinely scanning professional networking sites such as LinkedIn to gather information on potential targets. “People include their designations as well as job profiles in their LinkedIn bio, which lets criminals know who to impersonate as well as who to target,” said Doshi.
Maheshwaran S, Country Manager - South Asia, Varonis, said that the ‘Groups’ feature on LinkedIn has made things even easier for cybercriminals. “Apart from the readily available information in the bio section, there are also groups on LinkedIn which cybercriminals exploit. These groups are meant for employees of the same organisation or industry, but there is very little restriction on or verification of the people who are allowed in. As a result, cybercriminals infiltrate and access a lot of information that should ideally stay inside the organisation. This helps them plan their crimes,” he said.
In his statement to the Kherwadi police, Bajla has stated that the accused, posing as “Kristy Goodwill from Britanna Pharmaceuticals”, first became a member of a LinkedIn Group that Bajla is a member of, and then approached him via email, citing the reference of the same group.
Shibu Paul, Vice President – International Sales at Array Networks, said that phishing via LinkedIn is developing at a dangerously rapid pace.
“While hackers have been impersonating reputed companies for crimes, latest research shows that LinkedIn has been related to 52% of all phishing-related attacks globally – a drastic upswing from the previous quarter when it was in the fifth position and related to only 8% of attacks,” said Paul.
While earlier the cyber police department came across cases of LinkedIn data used to hack company servers, slip malware through seemingly innocuous emails and extract data to hold a company to ransom, today it is observing criminals using LinkedIn to contact their victims. “It is a classic example of a phenomenon that starts on a larger scale and comes to be adopted by smaller players in the industry, with modifications,” a senior officer said.
Rajput added that very little investment is required to pull off a multi-crore con. All that the frauds require is a LinkedIn premium membership and an email account.
“Cybercriminals don’t even need to buy an email domain to spoof the target company’s email. Platforms like Gmail let you get email domains in the name of an organisation for a price, where the email address ends with the company’s name and not the service provider’s. All that the criminals need to do is register a similar domain, with one or two letters in the spelling changed,” said Rajput.
Firms like Kaspersky and Norton, too, have been tracking the trend. Kaspersky has observed that messages sent directly through LinkedIn make the job even easier for cybercriminals.
“The author may not speak fluent English, but the platform generates the subject of LinkedIn notifications automatically, so the subject can’t contain errors,” Kaspersky pointed out.
With time, cyber criminals have evolved, added Maheshwaran. Such is their acuity that they even scan for who is looking for a job change. The purpose, he said, is to identify a disgruntled employee who can be exploited for access to the company’s sensitive information. “Once they open a recruiter account, they get access to information about people looking for jobs or a job change. Using their ruse as a recruiter, they wheedle out sensitive information about the target’s existing or last job and the organisation,” Maheshwaran said.
What’s the way out?
Doshi suggests increased vigilance on the part of people with access to a company’s finances. “Recipients of emails asking them to authorise payments must check the email ID carefully, as criminals create similar sounding email domains to impersonate,” he said.
Jennifer Soh, Senior Cyber Investigation Specialist at Group-IB’s headquarters in Singapore, felt companies must consider implementing technologies that can detect, block and analyse all email-borne attacks. “It is no secret that humans are the weakest link in the companies’ line of defense. That’s why another essential element is regular social-engineering penetration testing drills, based on the latest tactics and techniques of threat actors, where employees learn to recognise social engineering and report phishing attempts properly,” said Soh.
The platform is adding a new ‘About this profile’ feature that will display when it was created and last updated, along with whether the member has verified a phone number and/or work email associated with their account. “We hope that viewing this information will help you make informed decisions, such as when you are deciding whether to accept a connection request or reply to a message,” said Oscar Roderiguez, Vice President, Product Management, LinkedIn in the update.