Emsisoft Fraud Alert: LinkedIn Data Breached by Fake Accounts
This Wednesday, reports emerged revealing that hackers have been scraping LinkedIn.com for profile data since May 2013. As yet, who these hackers are remains a mystery, but LinkedIn has already made plans to sue them for everything they may or may not be worth.
Fake Profiles for Scraping
The hackers behind the LinkedIn data breach pulled things off by way of a very creative although very illegal approach. They simply created thousands of fake profiles, and then programmed the profiles to automatically connect with real LinkedIn members. When two people “connect” on LinkedIn, they essentially share resumes or CVs. Using thousands of fake profiles to connect with thousands of real members therefore gleaned all sorts of personal information for whoever was behind the attack.
A breach like this is dangerous because such information could be the starting point for any number of targeted identity theft scams. More than email addresses, LinkedIn profiles can contain information about everything a professional working person has done for a number of years. This could include where they have lived, what roles they have fulfilled, and, even more powerful in the hands of an identity thief, who they associate with.
Associations like these are dangerous because they enable targeted email scams. Mostly transparent and even downright silly, targeted scams can fool even the most guarded of inbox owners if they are crafted with a bit of thought. With data from a LinkedIn profile, an identity thief could send you an email posing as one of your coworkers, with more than enough information to construct a convincing ruse.
Why LinkedIn is Upset
In addition to putting its users at risk of identity theft, the LinkedIn data breach compromises the social networking site’s integrity. As it stands right now, LinkedIn is the premier networking site for professionals and an invaluable tool for executive headhunters and recruiters. With thousands of fake profiles in the mix, the site is no longer such a valued resource. More than anything, this data breach puts a dent in LinkedIn’s public image — which is disastrous for a company that makes its money by being “social.”
To date, all that is known about the LinkedIn attackers is that they used Amazon Web Services to launch their campaign. LinkedIn has been successful in disabling the fake accounts and has already requested server data from Amazon. Because this attack violates a number of LinkedIn’s usage policies, as well as the California Comprehensive Computer Access and Fraud Act, the Computer Fraud and Abuse Act, and the DMCA, LinkedIn has already taken steps to launch prosecution.
With two of the largest dot coms in the world on their tails, it’s only a matter of time before those behind the attack are brought to justice.