LinkedIn Scammers Pose as Recruiters

Security experts are warning LinkedIn users of a new spate of fake profiles created on the network in order to scrape personal information with a view to making spear phishing emails more convincing.

Symantec senior security response manager, Satnam Narang, explained in a blog post that some of the industries targeted include oil and gas, logistics and information security.

The scammers usually pretend to be recruiters for fake firms or to be self-employed, and use photos stolen either from stock image sites or from real people.

They also copy and paste information from real professionals on the site to fill in their personal summary and experience, and cram the profile with keywords such as “Reservoir Engineer,” “Exploration Manager,” and “Cargo Securement Training” in order to improve its chances of being seen in search results.

“Under the guise of a recruiter, these fake LinkedIn accounts have an easy entry point into the networks of real business professionals,” explained Narang.

“Real recruiters already use the service as a way to find potential candidates. LinkedIn users expect to be contacted by recruiters, so this ruse works out in the scammers’ favor.”

Symantec warned LinkedIn users to remain skeptical of who they add to their network—urging them not to add anyone they haven’t met before.

“The primary goal of these fake LinkedIn accounts is to map out the networks of business professionals. Using these fake LinkedIn accounts, scammers are able to establish a sense of credibility among professionals in order to initiate further connections,” Narang claimed.

“In addition to mapping connections, scammers can also scrape contact information from their connections, including personal and professional email addresses, as well as phone numbers. This information could be used to send spear-phishing emails.”

It’s clear that these fake profiles are working, as some have received endorsements from real people, Narang explained.

To spot a fake, Symantec claimed, users can run a reverse image search on the suspect profile’s picture via tools like TinEye and Google’s Search by Image, or copy and paste the profile’s information to see if it is associated with another profile.
