Convincing LinkedIn ‘Profiles’ Target Saudi Workers for Information Leakage

Attackers have used hundreds of fake profiles on LinkedIn — many very convincing — to target professionals at companies in Saudi Arabia, not only for financial fraud, but to convince employees in specific roles to provide sensitive corporate information.

In a presentation at the Black Hat Middle East and Africa conference last month, researchers said they uncovered nearly a thousand fake profiles created with the aim of reaching out to companies in the Middle East, using well-connected synthetic identities. And for the most part, the campaigns had significant success, says Nauman Khan, telecom threat management lead at Saudi Telecom Company (STC) and one of the researchers who presented at the conference.

“So normally, the profiles would send a contact request to anyone, and it looks like people were not hesitant to accept — they never even thought that it could be a fake profile,” he says. “And once somebody accepts you, and if you have not changed your default LinkedIn settings, your contact list and other information are visible.”

Companies in the Kingdom are not alone. The nearly 900 million users on LinkedIn from more than 150 countries make the platform a goldmine for attackers, containing extensive data on organizations and their employees. Moreover, attackers can easily construct fake profiles that are difficult to distinguish from real people. With generative AI’s capabilities to create realistic synthetic profile images and more effectively translate into multiple languages, the profiles are getting even better.

As essentially a repository of crowdsourced information on workers, LinkedIn is increasingly valuable to cybercriminals and state-sponsored attackers, says Jon Clay, vice president of threat intelligence at cybersecurity firm Trend Micro.

“We all use LinkedIn to show our achievements and make connections, so we all want to have high visibility — but by doing so, we share a lot of information,” he says. “Threat actors can use this against us, and they often do.”

LinkedIn: Popular Among Cyberattackers

For targeted attacks, LinkedIn allows threat actors to gather information and then deliver fraudulent links and malware to credulous employees more effectively. During the coronavirus pandemic, for example, LinkedIn scams targeted out-of-work users with malicious scripts. In 2022, LinkedIn topped the list of brands used in social engineering attacks.

In the case of LinkedIn profiles targeting Saudi professionals, almost all of them appeared to be young women in their 20s with Muslim names, and usually they claimed to work in Southeast Asia, often India, according to the STC investigations. Even with those commonalities, many of them were extremely difficult to discern as part of a threat campaign. In the case of one profile of a “person” claiming to be head of product at a large company, for example, the fake profile was perfect, except that the person indicated that they worked in a tiny town outside Riyadh that has no industry — and the profile image could eventually be traced back to a Ukrainian website.

The researchers encountered a number of types of schemes that used LinkedIn profiles. In many cases, the fraudster behind the profile attempted to leverage their good reputation to sell fake certificates or training to targeted victims. In other cases, the threat actors targeted employees who had access to specific information and attempted to convince them to part with data. Finally, the fake profile was often its own product, and the scammer would attempt to sell access to high-quality LinkedIn accounts, STC’s Khan says.

“Essentially, they are saying, ‘I have [connections to] managers already there, C-level already there, and the profile has good following with everything established, so pay me this much and you can have this profile,’” he says. “This is basically a ‘good-reputation profile on LinkedIn as-a-service.’”

Other attacks include enhancing phishing by using LinkedIn smart links that appear to link to a legitimate website, but actually redirect to an attacker-controlled site, which — according to email security firm Cofense — is the No. 1 way that LinkedIn is being abused.

“These links are connected to LinkedIn’s Sales Navigator services for marketing, and tracking solutions for team and business accounts, [and] are particularly effective at bypassing secure email gateways (SEGs) because LinkedIn is a trusted brand with a trusted domain name,” says Max Gannon, a senior cyber threat intelligence analyst at Cofense.
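The detection point in the two paragraphs above is that a gateway which allowlists links purely because they sit on a trusted domain will wave through a redirector hosted on that domain. The following added example (not code from the article, Cofense, or STC) scans an email body for URLs and flags LinkedIn Smart Links and common shortener hosts so they can be routed to link analysis instead of being trusted on domain alone. It assumes Smart Links take the form `https://www.linkedin.com/slink?code=<id>` and that `lnkd.in` is LinkedIn's shortener; both are assumptions, not stated in the article. The sample email is constructed.

```python
"""Flag trusted-domain redirectors (LinkedIn Smart Links, URL shorteners) in email text.

Added example, not from the article. ASSUMPTION: LinkedIn Smart Links look like
https://www.linkedin.com/slink?code=<id>; lnkd.in is treated as a shortener.
"""
import re
from urllib.parse import parse_qs, urlparse

# Match http(s) URLs up to the first whitespace or common delimiter.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

# Hosts that only redirect: the host says nothing about the landing page,
# so a domain allowlist must not end the analysis here (assumed list).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "lnkd.in"}

# Constructed sample message: one Smart Link, one ordinary profile link,
# one shortened link.
SAMPLE_EMAIL = """Hi, please review the updated invoice here:
https://www.linkedin.com/slink?code=EXAMPLE1
Our team profile is at https://www.linkedin.com/in/example-person
Also see https://bit.ly/example-short for the training deck.
"""


def classify_url(url: str) -> str:
    """Return 'linkedin-smart-link', 'shortened', or 'plain' for a URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Smart Link: linkedin.com host with the /slink redirector path (assumed shape).
    if host.endswith("linkedin.com") and parsed.path.rstrip("/") == "/slink":
        return "linkedin-smart-link"
    if host in SHORTENER_HOSTS:
        return "shortened"
    return "plain"


def scan_email_body(body: str) -> list[dict]:
    """Extract URLs from an email body and report those that are redirectors.

    Each finding carries the URL, its class, and (for Smart Links) the code
    parameter, which is what a link-analysis step would resolve.
    """
    findings = []
    for match in URL_RE.finditer(body):
        url = match.group(0)
        kind = classify_url(url)
        if kind == "plain":
            continue
        finding = {"url": url, "kind": kind}
        if kind == "linkedin-smart-link":
            code = parse_qs(urlparse(url).query).get("code", [""])[0]
            finding["code"] = code
        findings.append(finding)
    return findings


def needs_link_analysis(body: str) -> bool:
    """True when the message contains at least one redirector that a
    domain-based allowlist would otherwise pass through untouched."""
    return bool(scan_email_body(body))


if __name__ == "__main__":
    for f in scan_email_body(SAMPLE_EMAIL):
        print(f)
    print("route to link analysis:", needs_link_analysis(SAMPLE_EMAIL))
```

The point of `needs_link_analysis` is that the decision is made on URL shape, not on host reputation: a Smart Link and a `bit.ly` link get the same treatment, because in both cases the visible domain tells the gateway nothing about where the click ends up.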

Companies Need Specific LinkedIn Policies

The spear-phishing campaigns underscore the dangers posed by employees oversharing information on the LinkedIn social network, and serve as a reminder for employees to consider from whom they accept connections.

LinkedIn began combating fake profiles in earnest in late 2021, taking down 11.9 million fake accounts during registration and another 4.4 million that the service identified on its own, according to a Trend Micro report on LinkedIn threats.

But LinkedIn could do more to help users improve their security posture, such as giving them better tools to manage their contacts and connections, Trend Micro’s Clay says. While LinkedIn has done a lot to harden the platform, especially against data scraping, exceptions for verified researchers (allowing them to run deep searches, for example) could improve the platform’s security.

Companies should turn on the LinkedIn feature that verifies any user who claims to be an employee of the company. Companies should also create a specific LinkedIn policy, and consider giving employees guidance to not share business email publicly, beware of clicking shortened links, and limit mentions of specific internal company names and technologies.

Finally, employees need to be trained to report fake LinkedIn profiles, not just be able to identify them, says STC’s Khan.

“We found that even if somebody found a fake profile, they normally don’t do anything — they will ignore it, and that’s it,” he says. “We highly recommend reporting it. Employees have to be told that when you come across something suspicious, report it — don’t just be satisfied that you know it’s a fake profile.”