How to Spot a Fake LinkedIn Profile in 60 Seconds?

LinkedIn is a terrific platform to cultivate business connections. It is also rife with fraud and deceit. Fraudsters use it as a social engineering tool that allows them to connect with professionals and lure them into disclosing their real contact details (a work email is best), and then use that email address to send spam or, worse, deliver malware.
Always check the profile before accepting an invitation, and do so via the LinkedIn message mechanism and not via email (fake invitation emails can cause much more harm than fake profiles – see our previous post).

So we have established that it is imperative to be able to identify a fake profile when someone invites you to connect on LinkedIn. But how would you do that? Follow our proprietary (just made up) CID protocol! CID stands for Connections, Image and Details. By following it, you will be able to spot most fakes in 60 seconds or less. More elaborate fraud attempts will take much longer to identify, or may even be impossible for the non-professional to identify. We will discuss these later.

Connections – while you can fabricate any “fact” on your profile, connections cannot be faked; they have to be “real” LinkedIn users who have agreed to connect with you. So unless the fraudster is willing to create 100 other fake profiles, and connect these with the fake persona he is trying to solidify (something that takes a lot of time and effort to do, and something I hope the LinkedIn algorithm will pick up), the only way for him to have 100 connections is to connect to 100 LinkedIn users. So if you see someone with a puny number of connections, you can start to be more suspicious. So, connections number check – 5 seconds. Moving on.

Very few connections

Image – by now most people creating a LinkedIn profile realize that it is in their best interest to include a real image of themselves, and usually a professional-looking one (either taken by a professional or in professional attire). So no image, or an obscure one, is kind of suspicious. Also, any too good-looking image should ring an alarm bell. Since it is almost certain that the fraudster will not use his or her own image (doing so would make the profile real to a certain extent), they will most likely search for a nice photo to post online. How can you tell if the image they have used is taken from someplace else? There are dedicated websites for reverse image searching, but since we are under serious time constraints here, why not simply right-click the image and ask Google to check the source? Very quickly it will find a compatible image and you can match the profile image to an existing stock image. Another 25 seconds gone. Say these two tests were insufficient and you are still not sure? Check the Details.

Starting Google image search

Image search results

Details – people know that the more detailed their profile is, the better. Profiles lacking education or occupation details are very unreliable, as are any with severe discrepancies: how could this guy study at Yale and serve overseas at the same time? A lack of skills, recommendations and endorsements also counts against the profile being real. Taking another 30 seconds of your precious time, you should by now be able to spot a fake profile.
Sure, someone just starting on LinkedIn might have fit our CID protocol while actually just launching his LinkedIn profile, and therefore has few connections. If you know this guy, go ahead and connect. If you do not, it is best to wait until the profile seems more robust.
It is very important to note that accepting the invitation to connect (provided it was delivered via the LinkedIn message mechanism or clicked on the user profile) does not by itself cause any damage, but it establishes a link between you and a fraudster, which can later be utilized as an attack vector.

Oh, and if you have 30 more seconds, why not do everyone a favor and report the fraudster? LinkedIn allows you to report suspicious profiles for review.

Report profile

Simply click the “Block or Report” option, fill in the short form and there you go.

Report the profile for review by LinkedIn

P.S.

The profile displayed in this article is an actual fake profile that tried to connect with one of our analysts. Busted!

Phishers Hide their Hooks in Short URLs

We have recently encountered a more elaborate phishing scheme, one which includes cleverly hidden links.

Some days ago we received an email titled “American Express has an important update for you”. Funny, I don’t recall having an AMEX account… and the address from which the message was sent was all too suspicious and not connected to AMEX: [communication.4abr7w64haprabracrafray552dreste[at]azurewebsites.net].

Still, I kept reading the message which was all about the new anti-SPAM law:

Effective July 20, 2014, United State’s new anti-spam law comes into effect and American Express wants to ensure that your representative will be able to continue sending you emails and other electronic messages without any interruptions. In addition to messages from your representative, we may also send you other electronic messages, including but not limited to newsletters and surveys as well as information, offers, and promotions regarding our products and services or those of others that we believe you might be interested in (“Electronic Messages”).

The next paragraph contained a request to click an “I Agree” link to express consent to receiving Electronic Messages from AMEX.

The hyperlink points to a bit.ly address. Here’s the catch.

We all know that by hovering above a suspicious link we can usually see where it points to, and this is usually different than the link itself (the link could say “americanexpress.com” but hovering above it will show the real address “russianspammers.ru”).

In this case, however, hovering shows only the bit.ly short URL, so we cannot simply identify the real destination of the link. What can we do?

Simple. Just paste the link address in getlinkinfo.com (or similar service), and voila, you can see the original link (and in this case, with a warning attached).

So other than the cynical use of anti-SPAM email to actually promote SPAM, the sender cleverly hides the real address inside a URL shortening service, making it more difficult to detect for the unsuspecting eye.

To the Rescue? Muslim Hacktivists Prepare Cyber Retaliation against Operation “Protective Edge”

Following the escalation between Israel and the Hamas regime in Gaza, Muslim hacktivists have announced the launch of several cyber campaigns against Israeli targets.

Unlike the real Middle-East, where Muslims from different factions fight each other, when it comes to assaulting Israel they are happy to join forces. While several groups have launched campaigns to show their solidarity with the Palestinians, the most prominent are AnonGhost with #OpSaveGaza and Anonymous Arabe that launched #Intifada_3, alongside Moroccan Tigers Team.

#OpSaveGaza is scheduled to peak on July 11, but attacks have already commenced against government, financial and telco targets, and the campaign combines hackers from Malaysia in the East to Tunisia in the West.

#OpSaveGaza

#intifada_3 is led by Anonymous Arabe and Moroccan Tigers Team, and is promising to launch daily attacks against an assortment of sites with defacement and DDoS attacks.

#intifada_3

We expect the attack attempts to intensify in line with the progress of the armed conflict.

Gartner Identifies Machine-Readable Threat Intelligence as One of the Top 10 Technologies for Information Security in 2014

Last week Gartner, a leading information technology research and advisory company, highlighted the top ten technologies for information security and their implications for security organizations in 2014. Analysts presented their findings during the Gartner Security & Risk Management Summit, held here through June 26.

http://www.gartner.com/newsroom/id/2778417

The top ten technologies for information security are:

  1. Cloud Access Security Brokers
  2. Adaptive Access Control
  3. Pervasive Sandboxing (Content Detonation) and IOC Confirmation
  4. Endpoint Detection and Response Solutions
  5. Big Data Security Analytics at the Heart of Next-generation Security Platforms
  6. Machine-readable Threat Intelligence, Including Reputation Services
  7. Containment and Isolation as a Foundational Security Strategy
  8. Software-defined Security
  9. Interactive Application Security Testing
  10. Security Gateways, Brokers and Firewalls to Deal with the Internet of Things

We at SenseCy are great believers in item 6.

We have been providing contextual intelligence for the past several years (and will continue to do so), but felt that it was time to take this to the next level by providing structured feeds that can link directly into SIEM and other security infrastructure and automate to a greater degree the threat intelligence implementation process. Although we believe that M2M will take a greater role in cyber security, the role of the analyst will not be diminished, as there will be a greater need to analyze and filter the results prior to us releasing the feed to our clients (to maintain a very low false-positive alert rate). We also aim to engage the malware supply chain at an earlier phase than most, effectively obtaining and analyzing malware before widespread distribution, thus allowing our clients to prepare their security infrastructure by adding concrete identification parameters prior to infection.

Recycled Fuel? OpPetrol Campaign Rerun This June

Hacktivist collective Anonymous announced a cyber campaign called #OpPetrol, planned to be executed on June 20th, 2014. This is a re-run of a similar campaign with an identical name, launched on the exact same date last year and aimed at the international oil and gas industry in various geographies. The most prominent group seems to be AnonGhost, which recently defaced hundreds of websites and leaked a large number of credit card details.

The campaign is likely to include a mix of DDoS, defacement and data dumps. The countries that are targeted are:

  • US
  • Canada
  • England
  • Israel
  • China
  • Italy
  • France
  • Russia
  • Germany

In addition, specific oil and gas companies in various locations, from the Gulf to Norway, are on the target list. Last year’s campaign did not cause any substantial damage and we assume this re-run will achieve similar results.

SenseCy is Hiring! Come Join Our Growing Team of Cyber and Technical Security Analysts

We are looking for two analysts to join our growing Cyber Intelligence Team: Native English Speaker (JB-309) and Technical Security Analyst (JB-311).

Cyber Intelligence Analyst:

1. Collect Open-Source Intelligence (OSINT), mainly on cyber security

2. Analyze technical intelligence and produce reports in English

3. Good understanding of cyber security

4. Ability to analyze technical data and extract crucial details

5. Ability to work independently and lead complex projects

6. Experience in Web Intelligence (WEBINT) methodologies – advantage

7. Knowledge of foreign languages – advantage

8. Knowledge of cyber security – advantage

Technical Security Analyst:

1. Concrete technological background

2. Preferably with cyber intelligence units/technical experience

3. Concrete knowledge of basic concepts within the following spheres:

  • Networks
  • Operating systems
  • DB

Please send your CV to careers [at] sensecy.com (and indicate the job number).

SenseCy Update

Hi all, it has been a busy month for us here at SenseCy and it’s time to share a quick update of what the team has been up to.

We have participated in the Infosec Europe conference, held in London (read all about it here), and in the GOVSEC conference in Washington D.C., where we met with industry-leading vendors and potential partners. Following these we ventured to Barcelona to participate in the Check Point Experience (CPX) conference, where it was announced that we, along with six other prestigious vendors, will be taking part in Check Point’s ThreatCloud Intellistore, which will allow us to offer our intelligence feeds to Check Point’s massive clientele.

You can find the press release and related information at the following link: http://www.checkpoint.com/press/2014/check-point-pioneers-revolutionary-cyber-intelligence.html

Later this week Mr. Assaf Keren, our CTO, will deliver a speech about Cyber Intelligence at the Cybercrime Security Forum 14, held in Hilton Cyprus, Nicosia, followed by a talk by Mr. Gilad Zahavi, Director of Cyber Intelligence, at ISS World Europe, Prague, where he will present the SenseCy methodology for tracking hackers using Virtual HUMINT on June 4, 2014.

Last but not least, we have some very exciting personnel changes – this month we have welcomed Dimitry, our Director of Technical Intelligence, and Nir, an analyst who will be handling the Chinese arena. Ms. Sheila Dahan will be taking the role of Customer Relations Manager and will assist with various sales and marketing activities. Stay tuned for more updates.

Meet SenseCy at GovSec/Trexpo (May 13 – May 14, Walter E. Washington Convention Center, Washington, DC)

SenseCy will be present at GovSec/Trexpo (May 13 – May 14, Walter E. Washington Convention Center, Washington, DC) at the Israeli Pavilion (#2223). Come by and learn about our Cyber Intelligence solutions.

GovSec is the nation’s premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of protecting our critical infrastructures, key assets, communities and the nation. GovSec features TREXPO, the definitive law enforcement conference for tactical training, equipment, technology, and services for law enforcement which offers products that empower law enforcement to fulfill their role as the first line of defense against threats to their communities and agencies.

For registration, see: http://govsecinfo.com/events/govsec-2014/home.aspx

Infosec 2014 – London Calling

London calling to the faraway towns
Now war is declared and battle come down
London calling to the underworld
Come out of the cupboard, you boys and girls

London calling, now don’t look to us
Phony Beatlemania has bitten the dust
London calling, see we ain’t got no swing
‘Cept for the reign of that truncheon thing

The ice age is coming, the sun’s zooming in
Meltdown expected, the wheat is growing thin
Engines stop running, but I have no fear
‘Cause London is drowning, and I live by the river

(London calling – The Clash)

London was calling European Infosec professionals last week, and they came in droves. Infosec 2014 proved a very successful event, at least in my eyes. A nice mix of new and established exhibitors, a great program and outstanding attendance contributed to what is arguably Europe’s most prominent information security event. Here are my takes from the event:

A Very British Event

This event was very British in spirit, and that was a good thing! Other than showing the Americans that they are not the only ones doing cyber security (albeit all the large U.S. vendors were represented), there was a more relaxed, courteous vibe than at U.S. events such as the RSA, and it seemed that everyone took it less seriously, with a good dose of British humor (perhaps the smiling faces were due to the fact that come four o’clock many exhibitors offered free beer). Registration and entry to the event was smooth and swift, and the exhibition hall, though large, was nothing like the two huge halls that hosted the hundreds of vendors at RSA, making orientation and navigation easy. The weather throughout most of the week was untypically warm and sunny, but the last day reminded us that we were in London with drizzling rain, bleak skies and cold – just how they like it there.

Educational Agenda

I was very impressed with the educational agenda of the event. In addition to being complimentary (for both the exhibition and the conference), the organizers put together a very comprehensive and impressive program that catered to professionals and ordinary people alike. Two notable keynotes were “What’s New in Cybercrime?”, a panel hosted by Graham Cluley, and “Actionable Intelligence: Building a Holistic Security Threat Intelligence Capability,” hosted by Brian Honan.

The vendors seemed to play along with this theme and instead of hosting very sales-oriented sessions at their booths, they appeared to offer more educational content. I attended a talk at the Sophos booth by Chester Wisniewski that was both entertaining and educational (he uses his wife’s credit card to demonstrate how cyber crooks can steal credit card details using uncomplicated means).

Bloggers Meetup

I had the privilege of attending the European Bloggers meetup and awards ceremony, held at a pub not far from the conference venue. In addition to the great English pub experience (with complimentary drinks), it was a chance to meet and talk with some of the industry’s top media stars. Unlike the Bloggers awards at RSA, Brian Krebs (not sure what the qualification criteria were, as this was designated a European bloggers award) did not take all the awards, but he did win the Most Educational Blog. Read all about the winners at: http://blogs.infosec.co.uk/european-blogger-awards-2014-winners/

New Exhibitors

The event organizers allocated substantial space for new exhibitors, and allowed many vendors to showcase their products for the first time in the U.K. This was a nice contrast to the established players, who erected huge booths at the central area of the hall and offered lots of freebies, iPad raffles and candy. For me, it showed both that the industry is hungry for innovation and that many entrepreneurs are stepping up with new solutions and services that are likely to be snatched up by the larger vendors very soon.

Industry not Stepping Up to the Challenge

The event was marred by one very unfortunate event – a massive Tube strike that took place on two of the three days of the event. This meant that instead of a leisurely ride to the station adjacent to the event site, visitors had to fight their way through Overground trains, buses and taxis in peak London traffic. Not a pleasant experience, and I suspect that had better transportation been available, there would have been many more local, non-industry visitors. On a personal note, I find it kind of disappointing that none of the participating vendors – some of whom invested quite heavily in fancy booths (and booth babes) – offered a remedy to this. I would love to have ridden the “Vendor-X” sponsored bus back to the city. It would have been a great opportunity to beat the traffic and mingle with like-minded professionals. Sadly no one seemed to stand up to the challenge, which is symbolic of our industry. When the rain comes down (as it does in London) almost everyone ducks for cover, and very few stand up and try to fight it (you would have imagined that after the Target breach security vendors would offer complimentary security checkups to firms and individuals, to show that the industry is capable of providing decent security to its customers). Sadly no one did.

Overall – a terrific event. I will definitely mark my calendar for next year’s event.