Dell SecureWorks Counter Threat Unit (CTU) researchers recently came across a network of 25 fake LinkedIn profiles that appear to be tied to a suspected Iranian hacker group called Threat Group-2889 (TG-2889).
"CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering," the researchers wrote in a post detailing the findings. "Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889."
The researchers sorted the fake accounts into two groups: fully developed profiles and supporting profiles. The eight fully developed accounts include a full educational history, current and previous job descriptions, and in some cases, vocational qualifications and LinkedIn group membership. Five of the fake profiles claim to work for Teledyne, one for Doosan, one for Northrop Grumman, and one for Petrochemical Industries Co.
Six of these accounts have more than 500 LinkedIn connections.
Among the indicators that the profiles are fraudulent is the fact that one profile's summary section is identical to a legitimate LinkedIn profile, and the employment history matches a sample resume from a recruitment website.
The 17 supporting accounts are less fully developed, with a single one-line job description and five LinkedIn connections each. The researchers assume the supporting accounts exist to endorse the skills of the fully developed accounts, and to provide those accounts with an established network of connections.
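The two indicators described above (a summary copied word for word from a legitimate profile, and a cluster of thin supporting accounts endorsing one fully developed account) can be screened for mechanically. The Python below is an added example, not CTU's tooling; the profile records, ids, summaries and thresholds are constructed assumptions.

```python
# Constructed sample data: one known legitimate profile and a handful of accounts
# to screen (ids, summaries and connection counts are invented for illustration).
KNOWN_LEGIT = [{"id": "legit-1", "summary": (
    "Experienced recruitment consultant specialising in engineering placements "
    "across the Middle East with a strong record of matching candidates to roles")}]
PROFILES = [
    {"id": "fake-1", "connections": 520, "endorsed_by": ["sup-1", "sup-2", "sup-3"],
     "summary": KNOWN_LEGIT[0]["summary"]},            # copied word for word
    {"id": "real-2", "connections": 310, "endorsed_by": ["real-3"],
     "summary": "Petroleum engineer focused on downstream process optimisation"},
    {"id": "real-3", "connections": 240, "endorsed_by": [], "summary": "Plant manager"},
    {"id": "sup-1", "connections": 5, "endorsed_by": [], "summary": "Sales manager"},
    {"id": "sup-2", "connections": 5, "endorsed_by": [], "summary": "HR officer"},
    {"id": "sup-3", "connections": 4, "endorsed_by": [], "summary": "Engineer"},
]

def shingles(text, k=3):
    """Word k-grams of a summary; overlap in these survives small edits."""
    words = text.lower().split()
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def copied_summaries(profiles, known_legit, threshold=0.8):
    """Map profile id -> (matched legitimate id, similarity) where the summary
    nearly duplicates a known legitimate one (the first CTU indicator)."""
    hits = {}
    for p in profiles:
        p_sh = shingles(p["summary"])
        for legit in known_legit:
            score = jaccard(p_sh, shingles(legit["summary"]))
            if score >= threshold:
                hits[p["id"]] = (legit["id"], round(score, 2))
    return hits

def thin_support_clusters(profiles, max_connections=10, min_supporters=3):
    """Map profile id -> its endorsers that have very few connections, when at
    least min_supporters such accounts prop up the same profile (the
    'supporting account' pattern the researchers describe)."""
    conns = {p["id"]: p["connections"] for p in profiles}
    flagged = {}
    for p in profiles:
        thin = [e for e in p["endorsed_by"] if conns.get(e, 0) <= max_connections]
        if len(thin) >= min_supporters:
            flagged[p["id"]] = thin
    return flagged
```

Both checks only raise candidates for analyst review; a recruiter who reuses a template summary, or a new user with few connections, will also trip them.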
While the researchers were studying the accounts, two of the fully developed accounts' profiles were altered with new names, photos and job titles. "Changing personas associated with existing profiles was a clever exploitation of LinkedIn functionality because the new identities inherit the network and endorsements from the previous identity," the researchers wrote. "These attributes immediately make the new personas appear established and credible, and the transition may prevent the original personas from being overexposed."
TG-2889 presumably leverages the fake accounts to identify and reach out to potential targets. "Five of the [fully developed] personas claim to be recruitment consultants, which would provide a pretext for contacting targets," the researchers wrote. "TG-2889 likely uses spearphishing or malicious websites to compromise victims, and established trust relationships significantly increase the likelihood of these tactics being successful."
Cigital senior security consultant Thomas Richards told eSecurity Planet by email that social media sites like LinkedIn can provide potential adversaries with a significant amount of both organizational and personal information. "Your own data is not the only information at risk; once you accept an invitation from an individual they may be able to view your contacts," he said. "This can lead to an attacker making additional friends or contacts based on who is in your contact list to further the data gathering process."
"The group in question appears to be a highly skilled adversary with the resources to pull off this complex charade," Richards added. "When using social media, one should be wary of any unsolicited requests or messages from individuals who they do not know or have not met in person."