New study shows targeted attacks disguised as LinkedIn invitations have twice the click-through rate
New research published this week reveals that one of the most successful methods of hitting a company with a targeted attack is to disguise it as a simple LinkedIn email. This comes as no surprise really, as the network boasts a large number of business users (and we’ve tracked LinkedIn spam targeting business users since 2011 – see How a LinkedIn notification could empty your bank account).
It also comes as no surprise that the study calls out the growing number of fake profiles as one of the biggest problems with LinkedIn. Our Barracuda Labs team is no stranger to this “fake profiles on social networks” phenomenon, having published numerous studies on the topic over the years:
- Twitter Abuse: Trends and Stats
- Twitter Underground Economy
- Fakebook: Fake Profiles vs. Real Accounts
Most recently, and most relevant to LinkedIn, Dr. Jason Ding, research scientist with Barracuda Labs, presented at Black Hat 2013 in Las Vegas. In this talk he introduced the idea of “Social Klepto”, which explores the growing number of fake accounts on LinkedIn and how those accounts can be used for corporate espionage. He also introduced a free tool developed by our Barracuda Labs team that LinkedIn users can use to help control their privacy settings. More on that in just a bit. As Dr. Ding put it:
“Based on an earlier survey we conducted, Social Networking Security & Privacy (pdf), LinkedIn is the least blocked social network – at 20% – compared to other social sites such as Facebook and Twitter, and LinkedIn has the least amount of users who felt unsafe – at 14% – on the site.”
He went on to say,
“These numbers tell us that people tend to trust information received from LinkedIn more than other social media platforms. With that in mind, it is not surprising that LinkedIn invitations have higher click-through rates compared to Facebook friend requests or Google+ adding circle invitations.”
As with most free services, LinkedIn itself may use users’ profile information for research or marketing purposes – read: ads (à la Gmail and Facebook). Several of the default privacy settings opt users in to receiving LinkedIn marketing emails, and most users never even look at these settings. Leaving them at their defaults can set you up to receive unwanted spam.
So, back to our free tool that can help with that. Our Barracuda Labs team developed a Chrome extension – Barracuda Profile Protector for LinkedIn – that is available free of charge in the Google Chrome Webstore. Any Chrome user can go to this link and install it.
It’s a simple (and did I mention, free?!) way to help protect yourself on LinkedIn. When the user opens the LinkedIn web page in Chrome, the extension auto-detects the user’s LinkedIn privacy settings, applies the safest privacy settings, and opts the user out of LinkedIn marketing emails. Check it out and let us know what you think.
In addition to installing our Barracuda Profile Protector for LinkedIn, you can be on the lookout for suspicious “LinkedIn invitation to connect” emails. Given the nature of professional social networking, and specifically the trust we have built around a brand such as LinkedIn, this attack method is increasingly common. So, as always – steer clear of clicking on any links included in email messages.
If you receive an email claiming to come from LinkedIn – even if you know the person supposedly sending the invitation – it is best to visit the LinkedIn site directly to confirm the request rather than clicking on that link.
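The advice above comes down to one check: where does the link actually go, as opposed to where the email says it goes? The script below is an added example (not Barracuda’s tool or code from the original post) that pulls every link out of a constructed “invitation” email and flags any whose real destination host is not LinkedIn, or whose visible text names a different host than the one in `href`. The accepted host list and the sample email are assumptions made up for this example; a real mail filter would plug in its own.

```python
"""Flag links in a 'LinkedIn invitation' e-mail whose real destination is not
LinkedIn. Added example; the e-mail body and trusted-host list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts accepted as genuinely LinkedIn's (assumption for this example).
TRUSTED_SUFFIXES = ("linkedin.com",)

# Constructed HTML body imitating an invitation e-mail. The first anchor has a
# host that merely starts with "linkedin.com"; the last one shows a LinkedIn
# URL as its text but points at a bare IP address.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Jane Doe has invited you to connect on LinkedIn.</p>
<p><a href="http://linkedin.com.invite-tracker.example/accept?id=123">Accept invitation</a></p>
<p><a href="https://www.linkedin.com/">www.linkedin.com</a></p>
<p>Unsubscribe: <a href="http://198.51.100.7/u">https://www.linkedin.com/e/unsub</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host):
    """True only for the trusted domain itself or a subdomain of it, so
    'linkedin.com.evil.example' does not pass a naive prefix check."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def suspicious_links(html):
    """Return (href, text, reason) for each link a reader should not follow."""
    findings = []
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        if not host_is_trusted(host):
            findings.append((href, text, "destination host %r is not LinkedIn" % host))
            continue
        # The link is trusted; still flag display text that names another host.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and shown.lower() != host.lower():
                findings.append((href, text,
                                 "text names %r but link goes to %r" % (shown, host)))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS:", reason, "->", href)
```

Run against the constructed email, the script reports two of the three links: the look-alike host that only begins with `linkedin.com`, and the unsubscribe link whose text is a LinkedIn URL but whose target is an IP address. The second check matters because the text a reader sees is the thing the phishing email controls; the `href` is what the browser follows.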