Linkedin social engineering test snares 68% of users

According to Mickey Boodaei, Trusteer's CEO, the test was held against the backdrop of several experts opining that social engineering attacks can be defeated using proper user education.

"As a security best practice, users are told that if something looks too good to be true, uncommon, unlikely, or calls for immediate action, then it's most likely an attack", he says in his latest security blog.

For example, says Boodaei, phishing emails that encourage a user to click on a link in order to unblock their bank account meet most of these criteria - it's unlikely for a bank to contact customers this way, and it calls for immediate action.

"Similarly an email from the tax authorities about a pending refund is probably too good to be true and unlikely to happen over email", he says.

"These types of attacks can be explained to users and most likely avoided. Of course, in large populations some users will still fall for these attacks regardless of how much effort is put into education", he adds.

According to Boodaei, in a test using LinkedIn, his research team picked 100 users that they knew and assessed as being good with IT security, advising that one of their connections was working with a firm that competes directly with the users' own company.

"We included a big button "View [friend's name] new Title" – just like LinkedIn does in these alerts. We also included the friend's photo, just like LinkedIn does", he said.

"Clicking on the button redirected the victim to a different website - not LinkedIn. The website we used was innocuous, but it was a place holder for a potentially malicious website that places malware on the victim's computer", he explained.

Within 24 hours, 41% of subjects had clicked through, rising to 68% within seven days.

Trusteer then approached the remaining 32 subjects and was told that half of them did not see the email, whilst seven admitted they did not read their LinkedIn updates, whilst the remaining nine said that the update was not interesting enough for them to click the link.

"This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer", he said.

And whilst security education is useful, Boodaei noted that on this occasion, it did not prevent an attack.

"As we learned, cyber criminals have access to the information needed to create fraudulent emails that can fly under the suspicion radar of even the most security savvy users", he said.

As a result of its findings, Trusteer's CEO says that companies need to re-evaluate their approach to targeted attacks since they represent – as witnessed in recent breaches – the most dangerous type of threat to their business.

"One of the options for protecting against Zero-day attacks used in social engineering schemes is of course Trusteer Rapport, which prevents redirection to malicious websites and blocks sophisticated malware from stealing sensitive corporate information entered and presented in web browser sessions", he said.

What’s Hot on Infosecurity Magazine?