Flower Delivery
“Flower”. “Delivery”.
LinkedIn Invites are Great for Spreading Malware
Fake LinkedIn invitations are one of the most effective methods of getting a human to click a malicious link.
This type of attack, a phishing attack (or a more targeted, spear phishing attack) works because who doesn’t want to increase their LinkedIn number up to that magical 500+. Plus, LinkedIn is maybe the most reputable of all the social media networks, so that reputation is exploited.
Additionally, LinkedIn is a business-oriented social media site, therefore, most use occurs on a computer attached to a corporate network. And that’s more valuable to a thief than a lone, personal computer.
The Attack
You receive an email, “Let’s connect!”
It looks like a real, and safe, LinkedIn invitation.
Click on “View Profile” > goes to a fake site > where a virus / malware / etc is waiting > that’s then installed onto your computer > now the attacker has a way into your machine > and potentially the corporate network it’s attached to.
The Defence
I rely on 2 things – my gut, and LinkedIn’s security (note this method is not 100% fail-safe.)
1 – hmm, I have never heard of this human, and something about the name / company makes my gut say wait….
2 – I open a new browser, go to LinkedIn > Invitations > is the same name on my list there?
If yes: click around to verify identity, check for connections in common, and lots of Googling.
If no: delete the email
***
Don’t be shy to ask for more clarification, proof of identity, reply with “do I know you, and how?”
And always listen to your gut, the best defence against social engineering
Tiiiiis the Season for Natural Disguises
Fa-la-la-la-laaa lala get some.
It’s a Christmas wreath, obscuring the licence plate.
Jokes aside, scammers love this time of year. People’s hearts are more giving and trusting than usual, because tis the season, and that makes is easier to prey on them.
Stay wary during the holidays… careful what you click, because phishing emails and social media scams; people canvasing for “charity” on the street, and on the phone; you get what I mean.
The ‘USB to Ego’ Attack
A brief backstory first, to set up the attack.
I arrived at the end of Honda’s FCEV launch, extra unfortunately, because there was water involved, a simulated rainstorm, rare. Like the guy mopping up said, “ya you missed a good one”.
It was in celebration of their latest invention – hydrogen fuel cell technology. Don’t know much about it, you know how I feel about Hybrids, points to Honda for being so bold in their design (coming 2015)…
….but this is a security post, so!
I was taking the below photo, the crowd was starting to thin, and a well-dressed gentleman appeared to my left.
“Hi Keri, here’s the USB key with photos and the presentation, have a good show”. We smiled at one another, he left, I went back to photo-ing.
It wasn’t until later that it hit me, it was so perfect a moment, maybe too perfect.
The Attack:
At a busy event, it’s normal to see a face once and never again, if you notice many faces at all, because cars.
Then an “executive” appears all full of flattery… “hello, I am noticing you, you are a name, so it’s important that you get this information, because you and your opinion matter”… take this USB key, put it into you computer… pretty good right?!
Appear, praise the ego > give a USB key > melt away >
wait a few hours >access target’s computer
NOTE: I’m not at all saying this is what occurred, just that it’s in the realm of possibility (Honda and I know one-another a long time (and if this is the case, USB guy: please LinkedIn me.))
The Defence:
Never use a USB key you find laying around in public, or from a source you don’t totally trust.
