Cybercriminals are using fake LinkedIn profiles to map out the networks of business professionals to scrape contact information and later use these to send spear-phishing emails, security solutions firm Symantec said on Monday.
LinkedIn, which has over 400 million users globally, is a prime target for scammers looking to connect with professionals across a variety of industries, including information security and oil and gas, it said on its official blog.
Scammers copy information from real LinkedIn profiles to pose as recruiters and attract new connections, it added.
“Over the last year, we have seen a growing number of incidents involving fake LinkedIn accounts targeting members of the business-oriented social networking service. We worked with LinkedIn to take down some fake accounts that we had come across during our research,” it said.
Symantec said most of these fake accounts followed a specific pattern. They bill themselves as recruiters for fake firms or are supposedly self employed and primarily use photos of women pulled from stock image sites or of real professionals.
“We were able to confirm this by using reverse image search tools like TinEye and Google’s Search by Image,” it said.
The scammers copy text from profiles of real professionals and keyword-stuff their profile for visibility in search results, the blog added.
Symantec said the primary goal of these fake LinkedIn accounts is to map out the networks of business professionals.
“Using these fake LinkedIn accounts, scammers are able to establish a sense of credibility among professionals in order to initiate further connections,” it said.
Scammers scrape information
In addition to mapping connections, scammers can also scrape contact information from their connections, including personal and professional email addresses as well as phone numbers.
This information could be used to send spear-phishing emails, it added.
Symantec said LinkedIn users should be very skeptical of who they add to their network.
“If you’ve never met the person before, don’t just add them. We weren’t surprised to learn that these fake LinkedIn accounts received endorsements from real users,” it said.
Also, users can do a reverse-image search (e.g. tineye.com or Google Image search) or copy and paste profile information into a search engine to identify whether the accounts are real or fake, it said.
Reaction
When contacted, LinkedIn Head of Communications India and Hong Kong Deepa Sapatnekar said the company has a number of measures in place to protect its members, including violations to ‘User Agreement’ such as fake profiles.
“We investigate violations and take immediate actions where necessary. We also encourage members to utilise our Help Center to report violations,” she added.
