Last August we wrote a post called Display Name Spoofing attacks via LinkedIn. In it, we identified a new variant on Display Name Spoofing phishing attacks: the abuse of LinkedIn to build a social construct of manipulation.
Our contention, dating back to August 2020, was that LinkedIn was being scraped at scale for Display Name Spoofing attack campaigns.
Yesterday’s news proves we were right:
- Details On 700 Million LinkedIn Users For Sale On Notorious Hacking Forum (Forbes)
- 700m LinkedIn records up for sale on underground hacking forum (TechRadar)
- Data from half a billion LinkedIn users has been scraped and put online (Fortune)
This post recaps how we arrived at our conclusion, nearly a year before anyone else caught on.
Display Name Spoofing: Manipulating Authority and Smartphones
As a recap, Display Name Spoofing is a type of phishing attack that appears to come from a person of authority within a company.
When this is coupled with:
- At least 70% of all email is now read from a smartphone.
- By default, email apps on a smartphone only show the Display Name of the sender. If you want to see the actual email address, further action (i.e. friction) is required.
The net effect is that if you see an email from your boss on your phone, you’ll probably open it immediately, not bothering to think about the actual email address it came from.
In essence, Display Name Spoofing attacks tend to work because they manipulate:
- Corporate hierarchy
- How employees check email
- Inherent shortcomings of today’s smartphones
Scraping LinkedIn at Scale
In today’s society, people keep their LinkedIn profiles studiously current. Job title and current employer are especially manicured on LinkedIn.
In fact, it’s what makes LinkedIn such an effective platform for Outbound Sales Development.
With LinkedIn, you know where everyone works and where everyone sits in the org chart.
While not an epiphany, that last sentence is having profound consequences for email security.
ExecProtect Provides the Proof
Just within our 40-person startup, we’ve seen ample proof of LinkedIn being abused for phishing attacks via Display Name Spoofing.
Last year, for example, ExecProtect stopped the following phishing attack dead in its tracks:
The above screenshot is an alert email ExecProtect sends to Domain Administrators like me.
At a quick glance, we can see that:
- An email was sent to a Paubox employee, Evan, supposedly from me, the CEO.
- I obviously do not have an email address of [email protected] and ExecProtect instantly quarantined it. Don’t forget though, it’s difficult to realize this on a smartphone.
- The IP address that sent the email, 220.127.116.11, was not on any RBL Blacklists. In other words, the IP was recognized as a legitimate sender.
Here’s the smoking gun: Evan did not even work at Paubox yet!
In reality, he was so fired up to start that he updated his LinkedIn profile six days before his start date.
The only way to have known that Evan had a connection to Paubox at that time was via LinkedIn.
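A defender's version of the check behind the alert above, as an added example (not ExecProtect's code): it parses the From header, compares the decoded display name against a list of protected executives, and quarantines when the address is not on the organization's own domain, without consulting any IP reputation list, since the spoofed sender in the alert was on no RBL. The domain, executive name and sample messages are constructed placeholders.

```python
"""Display Name Spoofing check (added example, not ExecProtect's code)."""
import re
from email import message_from_string, policy

# Constructed values: the organization's domain and the display names it protects
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"Jane Doe"}  # placeholder for the CEO's name


def normalize(name: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace: 'Doe, Jane A.' -> 'doe jane a'."""
    return " ".join(re.sub(r"[^\w\s]", " ", name.lower()).split())


def check_from(raw_message: str, protected=PROTECTED_NAMES, org_domain=ORG_DOMAIN):
    """Return (verdict, display_name, address) for one RFC 5322 message.

    Sender IP reputation is deliberately not consulted: the spoofed message in
    the alert above came from a host on no RBL, so the verdict rests only on a
    protected display name being paired with a non-organizational address.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        # No parsable sender identity to check; hold it rather than deliver (a policy choice)
        return ("quarantine", "", "")
    addr = hdr.addresses[0]  # policy.default decodes RFC 2047 encoded display names
    name, domain = normalize(addr.display_name), addr.domain.lower()
    wanted = {normalize(p) for p in protected}
    if name in wanted and domain != org_domain.lower():
        return ("quarantine", addr.display_name, addr.addr_spec)
    return ("deliver", addr.display_name, addr.addr_spec)


# Constructed sample messages; the first two mimic the attack described above
SPOOFED = "From: Jane Doe <jane.doe@freemail.invalid>\r\nTo: evan@example.com\r\nSubject: Quick task\r\n\r\nAre you free?\r\n"
ENCODED = "From: =?utf-8?q?Jane_Doe?= <ceo-office@mailer.invalid>\r\nTo: evan@example.com\r\n\r\nHi\r\n"
GENUINE = "From: Jane Doe <jane.doe@example.com>\r\nTo: evan@example.com\r\n\r\nHi\r\n"
OTHER = "From: Newsletter <news@vendor.invalid>\r\nTo: evan@example.com\r\n\r\nHi\r\n"

if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED), ("encoded", ENCODED), ("genuine", GENUINE), ("other", OTHER)]:
        verdict, display, address = check_from(sample)
        print(f"{label:8} {verdict:10} {display!r} <{address}>")
```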
There were other times when ExecProtect would stop dozens of Display Name Spoofing attacks in the span of two minutes. The entire company was targeted all at once, with the hope of at least one hit.
In these instances, it’s hard to find a one-to-one correlation to LinkedIn, as company directories can be purchased from other sources.
The same cannot be said, however, when an employee is targeted before they have even started work. In our case, there was only one place that information existed: on LinkedIn.
If a company of our size was targeted with such pinpoint precision, then, as yesterday’s news correctly concluded, the same is true for every company on LinkedIn.