The fake profiles claimed to be recruiters, so as far as the victims were concerned, it made sense that these "people" were reaching out unsolicited. Even so, Dell SecureWorks recommended first trying to verify the person is legitimate by contacting the employer directly.
Attackers could establish a direct relationship with the victim by sending a connection request from the fake network. They could also try linking one of the target's connections. "It may be easier to establish a direct relationship if one of the fake personas is already in the target's LinkedIn network," the researchers said.
Users should "adopt a position of sensible caution" when engaging with unknown individuals who claim to have mutual connections. Just because that person is in a colleague's or friend's network doesn't mean the person is trusted. Verify outside of LinkedIn who the person is before divulging information.
Several of these profiles have as many as 500 connections, indicating the group had developed deep networks with victims and had access to a lot of shared information. Once the victim accepts the LinkedIn request, they are more likely to share personal information when asked, because the person is no longer a stranger, but a connection.
"The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas," the researchers said.
The attackers in this campaign focused on the mobile telecoms sector in the Middle East/North Africa region, with the majority of the victims based in Saudi Arabia, Qatar, and the United Arab Emirates. It's possible the attackers were interested in just stealing data, such as subscriber and billing information for cyber-espionage purposes, or perhaps they were trying to access the telephony networks to intercept communications.
The geographic location of the victims and the industries they work in "fall in line with the expected targeting behavior of a threat group operating out of Iran," researchers said. The fact that some of the fake profiles referenced aerospace companies may be a sign the attackers are shifting their focus to that industry next.
LinkedIn makes it easier to accept invitations to connect with others than to "archive" connection requests. Next time, before you click the Accept button, make sure you know the person behind the profile.
Sign up for MIS Asia eNewsletters.