Prying Online Eyes Target LinkedIn

Posted on Dec 5 2013 - 11:08am by Editorial Staff

LinkedIn

Beware: The lure of connecting through LinkedIn may get you caught in a phishing scam.

Phishing is a concern for anyone with a personal computer and an email account, and its subversive behavior is troubling for those not prepared to find it. The social media platform for the working world, LinkedIn, has fallen into controversy over potential phishing techniques.

PhishTank, a company that has a stake in removing phishing content from the web, follows phishing activity through submitted phishing suspicions, and their database has cleared over 2 million entries. Around 11,633 have been verified since the company began in October 2006. The concern is over phishing on the rise, and the charts indicate that submissions peak and drop at a steadily increasing rate.

Email Phishing: The Number One Enemy

Phishing is something delivered digitally by another that contains potential malware, spyware or a virus. It is an attempt to retrieve passwords, credit card information and money, indirectly or directly. They are sent in an effort to obtain personal information and subsequently commit identity fraud or general hacking.

The most popular type of phishing is through email. Microsoft details an example of a phishing email. They generally include the following attributes:

  • a link to an external source
  • a popular company tag at the end (such as Facebook, Google or Yahoo)
  • a threat such as an account removal or official reporting
  • graphic image attachments with an external link embedded in them
  • poor grammar

Yahoo spam accounts generally filter many of the more obvious phishing attempts. Yahoo suggests analyzing the web link in detail, confirming if it is properly structured or if the website omits the letter L in favor of the number 1 to trick viewers. This is why Microsoft suggests more decisive methods, such as rolling your mouse over a web link and seeing if it matches the website mentioned in the email.

The 2012 Leak of LinkedIn Data

Part of the phishing concerns with LinkedIn stem from a massive password and username leak that occurred June 2012. Approximately 6,458,020 passwords were leaked in an algorithm, and the Russian hacker responsible for the data leak confirmed he had usernames attached to the passwords. The more glaring issues is against LinkedIn directly. The passwords were stored as unsalted SHA-1 hashes. If they were salted, they would have been more protective. Salted means combining passwords with another encryption, essentially doubling their security protection.

LinkedIn Launches the ‘Intro’ App

The company purchased the email plug-in, Rapportive, in 2012. They changed its name to Linked Intro. The app attaches users LinkedIn profile information to a respective email address. Any email that passes through LinkedIn’s database is to be scraped for information. The idea is to monitor content to minimize phishing exposure, but many believe this makes LinkedIn an incredibly easy target for potential issues.

LinkedIn responded in an official blog post. They stated that they greatly hardened the external facing servers and reduced exposure to any third-party monitoring service. They also mention isolating the Intro app in a separate network segment and building tighter security around the perimeter. Their communications use SSL/TLS at every point in the flow of emails.

The LinkedIn privacy policy states that every piece of data is encrypted uniquely to the device and their user. With LinkedIn’s digital defenses set, online hackers and phishers have the next move.

Photo Credit: Flickr/Sheila Scarborough

About the Author
Editorial Staff

Editorial Staff at I2Mag is a team of subject experts led by Karan Chopra.