Confessions of a LinkedIn Imposter: We Are Probably Connected

I have a confession to make. A while back I created a fake profile on LinkedIn, and we are probably connected. Curious after receiving connection requests from several obvious and some not-so-obvious fake profiles, I did a bit of experimenting and created my own to see how difficult it would be and how many connections could be made.

Creating the Back Story
Creating a believable backstory, complete with education, degree, work history, groups and certifications, is the first step. I found that being female had a higher response rate than being male. I started by listing several real companies as previous employers, then followed their employees. Many followed me back, some even asking how I was doing since I left their company.

When creating my profiles I realized that one of the first things some people do to test whether a profile is fake is to run the photo through a reverse Google image search to see if it matches stock photos or is tied to another name. However, an easy workaround is to flip the image; try it, it won't match. If my targets can't find the image I used, it helped to develop false confidence that the account is real. The countermeasure for anyone vetting a profile is equally simple: search the mirrored copy of the photo as well before concluding it is original.
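The mirror trick works because most near-duplicate lookups compare a perceptual hash of the query image against stored hashes, and a horizontal flip reverses the pixel comparisons that hash is built from. The example below is added here and is not part of the original post: it implements a standard difference hash (dHash) over a constructed 9x8 grayscale image (no real photo), shows that a small brightness change leaves the hash untouched while a mirror flips most of its bits, and then shows the defender-side fix of hashing the flipped orientations of the reference as well. dHash is a well-known perceptual hash; it is not claimed to be what Google's reverse image search uses internally. The 9x8 input is assumed to be the already-downsampled grayscale thumbnail a real implementation would produce by resizing the photo.

```python
# Added example, not code from the original post. Difference hash (dHash)
# on a constructed 9x8 grayscale image, showing why a mirrored photo evades a
# naive perceptual-hash lookup and how checking flipped orientations fixes it.

W, H = 9, 8  # 8 adjacent-pixel comparisons per row x 8 rows = 64 hash bits


def constructed_image():
    """Constructed 9x8 grayscale image (not a real photo); values stay below 255."""
    return [[(29 * x + 53 * y) % 97 + 50 for x in range(W)] for y in range(H)]


def dhash(img):
    """64-bit dHash: bit = 1 when a pixel is brighter than its right-hand neighbour.

    Assumes `img` is already scaled to 9 columns x 8 rows of grayscale ints
    (a real implementation would resize the photo to this size first).
    """
    assert len(img) == H and all(len(row) == W for row in img)
    h = 0
    for row in img:
        for x in range(W - 1):
            h = (h << 1) | (1 if row[x] > row[x + 1] else 0)
    return h


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def mirror(img):
    """Horizontal flip: the trick described in the post."""
    return [row[::-1] for row in img]


def vflip(img):
    """Vertical flip, added so the defender check covers all four orientations."""
    return img[::-1]


def brighten(img, delta):
    """A minor edit a near-duplicate search is expected to survive."""
    return [[min(255, p + delta) for p in row] for row in img]


def matches(candidate, reference, threshold=10, check_flips=True):
    """Return True if `candidate` is a near-duplicate of `reference`.

    With check_flips=False this is the naive lookup: compare against the stored
    hash only, which misses a mirrored copy. The hardened variant also hashes
    the flipped orientations of the reference, so a mirror no longer evades it.
    """
    h = dhash(candidate)
    refs = [reference]
    if check_flips:
        refs += [mirror(reference), vflip(reference), vflip(mirror(reference))]
    return any(hamming(h, dhash(r)) <= threshold for r in refs)


def demo():
    img = constructed_image()
    return {
        "brighten_distance": hamming(dhash(img), dhash(brighten(img, 30))),
        "mirror_distance": hamming(dhash(img), dhash(mirror(img))),
        "naive_catches_mirror": matches(mirror(img), img, check_flips=False),
        "hardened_catches_mirror": matches(mirror(img), img),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On the constructed image the brightness change gives a distance of 0 bits while the mirror differs in 38 of 64 bits, far above the usual match threshold of around 10, so the naive lookup reports no match and the hardened one does. The same idea applies to any perceptual hash: store, or query with, the flipped orientations too.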

Then I started following people they were connected to. I started getting invitations to social events and even a few job offers. Over time the profile took on a life of its own, with people inviting me to connect with them.

Trust Me I’m A Recruiter
Listing my position as a technical recruiter made it easy to get people to volunteer information about themselves and their work. The prospect of a new position, or a future position with higher pay, provides a good channel for establishing trust: they want something from you, which makes it easier to request something from them.

I did not request information or directly communicate with anyone; I simply connected. However, the amount of information people would give a fake account, even without any direct request for it, was surprising. I could easily identify security professionals at Fortune 500 companies who were not happy with their jobs. I also received many invitations to meet face-to-face to discuss career opportunities and network.

Who Do You Trust?
LinkedIn is a great tool for business, but it can also be abused. Something to consider before blindly accepting a connection: what information does this open up about you? Could being connected to this person serve as an endorsement of their validity to your other connections?

Used en masse against a specific company, LinkedIn can easily become a data mining tool for attackers looking to recruit insiders who could give up information unknowingly to a competitor, or even enlist them fully in a nefarious cause. It can also be a one-stop shop for easy spearphishing: names, titles, reporting lines and the vendors an organization uses are all there to be harvested.

Careful What You Post

Additionally, I would like to warn IT professionals, especially those involved in security, about listing skills in specific applications or mentioning specific deployments you have done for a company. I remember reviewing the LinkedIn profile of a particular security professional who had taken it upon himself to list every IT and security tool he had deployed, managed or used in every one of his prior positions. This type of activity puts organizations at tremendous risk, as it tips the bad guys off to what they will run into in that environment, what vulnerabilities to target and what security tools they will need to circumvent.

It is better to speak in generalities: mention security control families or outline specific use cases and problems solved, without naming the specific tools. Your past and future employers will thank you.



Ken Westin

Your Pundit of Paranoia