Last year we released ExecProtect, our patented solution for Display Name Spoofing attacks. Packaged as part of Paubox Email Suite Plus, ExecProtect provides enterprise-wide protection from bad actors seeking to impersonate C-Suite executives. A number of our customers have seen impressive results, including Henderson Behavioral Health, Nizhoni Health, Five Acres, and Saluda Nursing & Rehab Center. Now in the past two months, we've seen a new variant on Display Name Spoofing phishing attacks; the (ab)use of LinkedIn to build a social construct of manipulation. This post will explain how the attack works and how it's quickly evolving.
Display Name Spoofing: Manipulating Authority and SmartphonesAs we've covered before, Display Name Spoofing is a type of phishing attack that appears to come from a person of authority within a company. When this is coupled with:
- At least 70% of all email is now read from a smartphone.
- By default, email apps on a smartphone only show the Display Name of the sender. If you want to see the actual email address, further action (i.e. friction) is required.
- Corporate hierarchy
- How employees check email
- Inherent shortcomings of today's smartphones
Scraping LinkedIn at Scale
In today's society, people keep their LinkedIn profiles studiously current. Job title and current employer are especially manicured on LinkedIn. In fact, it's what makes LinkedIn such an effective platform for Outbound Sales Development. With LinkedIn, you know where everyone works and where everyone sits in the org chart. While not an epiphany, that last sentence is having profound consequences for email security. In a nutshell, our contention is that LinkedIn is being scraped at scale for Display Name Spoofing attack campaigns.
ExecProtect Provides the ProofJust within our 25-person startup, we've seen ample proof of LinkedIn being abused for phishing attacks via Display Name Spoofing. For example, on May 20th, ExecProtect stopped the following phishing attack dead in its tracks:
The above screenshot is an alert email ExecProtect sends to Domain Administrators like me. At a quick glance, we can see that:
- An email was sent to a Paubox employee, Evan, supposedly from me, the CEO.
- I obviously do not have an email address of email@example.com and ExecProtect instantly quarantined it. Don't forget though, it's difficult to realize this on a smartphone.
- The IP address that sent the email, 188.8.131.52, was not on any RBL Blacklists. In other words, the IP was recognized as a legitimate sender.
Here's the smoking gun: Evan did not even work at Paubox yet! In reality, he was so fired up to start that he updated his LinkedIn profile six days before his start date. The only way to have known that Evan had a connection to Paubox at that time was via LinkedIn. There were other times when ExecProtect would stop dozens of Display Name Spoofing attacks in the span of two minutes. The entire company was targeted all at once, with the hope of at least one hit. Sound familiar? In these instances, it's hard to find a one-to-one correlation to LinkedIn, as company directories can be purchased from other sources. The same cannot be said however, when an employee is targeted and they haven't even started work yet. In our case, there was only one place that information existed- on LinkedIn. If a company of our size was targeted with such pinpoint precision, I conclude the same is true for every company on LinkedIn.
The Threat Landscape evolves with help from LinkedInThis week we saw a new variant to these attacks. Here's a two-day old screenshot of an email that appeared in a personal Gmail inbox of one of our staff:
A cursory glance reveals:
- An email was sent to a Paubox employee supposedly from me, the CEO. This time it was sent to a personal email address, not work email.
- Paubox ExecProtect is compatible with business email, not Gmail. So in this case, the attack fell outside its scope.
- I obviously do not have an email address of firstname.lastname@example.org. In this case, Gmail flagged it as suspicious but still allowed the end user to receive it. We disagree with this approach and instead believe all Display Name Spoofing attacks should be instantly quarantined.
Here's how we found the link (pun intended) to LinkedIn. As any LinkedIn user knows, an email address is required to login to the service. Most of the time, people supply a personal email address and not their work email. In the case of the above screenshot, the Display Name Spoofing attack was sent to the same email address our employee uses to login to LinkedIn. As further evidence, several more of our staff got phishing emails sent to the same address they use for LinkedIn. In every single case, this latest phishing campaign targeted the email address they use to login to LinkedIn. Being that a majority of U.S. companies and their employees have robust profiles on LinkedIn, I find this to be a significant security threat.