Cybersecurity researchers at the Dell SecureWorks Counter Threat Unit (“Dell CTU”) uncovered a network of approximately 25 fake LinkedIn profiles that Dell CTU believes were used by an Iran-linked hacker group to establish at least 200 connections with legitimate LinkedIn user accounts.  LinkedIn has removed the fake profiles.  Iranian hackers previously have been accused of using similar tactics in a cyber-espionage campaign via Facebook and LinkedIn to trick high-ranking U.S. officials. 

According to Dell CTU, The LinkedIn profile hack employed a tactic known as “social engineering,” whereby the fake LinkedIn profiles included leader personas complete with fake photos, a full educational history, current and previous job descriptions, and in some instances, vocational qualifications and LinkedIn group memberships. Five of the leader personas purported to work for Teledyne, one for Doosan, another for Northrop Grumman, and another claimed to work for Petrochemical Industries, Co.  These leader personas were connected to less-detailed support personas to create an initial network.  Dell CTU estimates that the level of detail included in these personas indicates that the hackers invested a substantial amount of time and effort.  

The network of fake LinkedIn profiles built credibility by linking with each other and using the skills endorsement function of LinkedIn.  Through this appearance of legitimacy, the 25 fake LinkedIn profiles were able to establish at least 200 connections with legitimate LinkedIn user accounts.  These legitimate LinkedIn users were primarily employees in the Middle East who worked in the telecom and defense sectors.  Dell CTU believes that this threat is ongoing and that it is likely that other fake LinkedIn profiles have not yet been identified.  A link to the full report is available here.

The group behind these fake LinkedIn profiles allegedly is connected to the hacker group that devised resume application websites that appeared to submit resumes to Teledyne, but actually deployed malware to take over the applicant’s computer.

This report is a cautionary tale for how social networking can be a gateway for identifying and targeting key employees for future data hacks.  Companies should consider policing abuse of their brand on social media.  Looking ahead, companies will need to determine how best to monitor their social media presence and whether the rewards of using social media outweigh the potential risks.  

Reporter, Julie A. Stockton, Palo Alto, CA, (650) 422-6818, jstockton@kslaw.com.