MI5 and FBI sound the alarm on online espionage with LinkedIn a prime target
Foreign spies are using fake LinkedIn profiles on an “industrial scale” to gain information about the United Kingdom’s national security, with more than 10,000 “disguised approaches” detected by MI5 in the last year. The warning from the Centre for the Protection of National Infrastructure comes as the FBI cautioned that North Korean agents are posing as IT workers to gain access to businesses in the US.
“Many of these profiles are established as an elaborate ruse for eliciting details from either officials or members of the public who may have access to information relating to our national security,” said cabinet office minister Steven Barclay, whose portfolio includes cyber security. “It is therefore crucial that we do all we can to protect ourselves and our information, ensuring those who we connect with online are who they say they are.”
Why are fake LinkedIn profiles being used by spies?
According to Ken McCallum, director general of MI5, the agency had detected more than 10,000 attempts on professional networking sites like LinkedIn targeting people across the country in the past year. “Foreign spies are actively working to build relationships with those working in government, in high-tech business and in academia,” he added.
The nature of LinkedIn as a networking platform and the amount of personal and professional information posted makes it an ideal target for espionage purposes and general criminal activity. “LinkedIn is a platform in which people are used to having unknown people approach them, which provides the attackers good grounds to lure victims,” says Omer Dembinsky, research manager at the cybersecurity firm Check Point.
Recent research conducted by the company shows that fake LinkedIn details were used in 52% of phishing attacks detected in the first quarter of 2022, up from 8% in the previous quarter. The business social network now accounts for more than half of all phishing-related attacks globally, according to Check Point’s research.
The scale of the problem can be understood through the sheer amount of fake profiles on the professional networking site. Data from LinkedIn’s most recent transparency report shows that during the first six months of 2021, 11.6 million fake accounts were detected and stopped at the registration stage. In 2020 during the same period and stage, 33.7 million accounts were disrupted, an increase from 19.5 million the previous year.
According to the same report, 3.7 million fake accounts were successfully created in the first half of 2021 until they were “restricted proactively”, before other LinkedIn users flagged them. This was an increase from 3.1 million in 2020, and from two million in 2019.
“Our threat intelligence team actively seeks out signs of state sponsored activity and removes fake accounts using information we uncover, and intelligence from a variety of sources, including government agencies,” said a LinkedIn spokesperson. “Our Transparency Report sets out the actions that we take to keep LinkedIn a safe place where real people can connect with professionals they know and trust, including that 97% of the fake accounts we removed were blocked at registration.”
But new research conducted by academics from the University of Portsmouth’s criminology department has found a low level of awareness among LinkedIn users in the UK about the potential threat from state actors using fake profiles. The study found that UK-based users were most likely to think of trolling and fraud as the main motives for fake profiles, compared to economic espionage. Three quarters of those surveyed also said that they had knowingly received invitation requests from suspicious profiles.
An app developed by behavioural scientists in partnership with the CPNI was also released yesterday with the aim of helping individuals report and identify fake profiles on LinkedIn. The app, called ‘Think Before You Link’ features several modules for users to familiarise themselves with indicators of fake profiles and a ‘profile reviewer’.
North Korean spooks posing as IT workers – FBI
Meanwhile across the Atlantic, the Federal Bureau of Investigation (FBI) issued a warning yesterday of attempts by North Korean IT workers to gain freelance employment from clients in North America, Europe and East Asia. The work might include mobile app development, artificial intelligence-related applications, virtual reality programming, as well as facial and biometric recognition software. According to the FBI, the Democratic People’s Republic of Korea “dispatches thousands of highly skilled IT workers around the world to generate revenue that contributes to weapons of mass destruction and ballistic missile programs, in violation of US and UN sanctions.”
The agency said that North Korean IT workers often represent themselves as freelancers based in the US and may even sub-contract work to non-North Koreans to obfuscate their identities further. While these IT workers “normally engage in IT work distinct from malicious cyber activity”, the advisory warned that contractors have used their privileged access to company systems to “enable the DPRK’s malicious cyber intrusions”.
“Some overseas-based DPRK IT workers have provided logistical support to DPRK-based malicious cyber actors, although the IT workers are unlikely to be involved in malicious cyber activities themselves,” the report said. But these IT workers “may share access to virtual infrastructure, facilitate sales of data stolen by DPRK cyber actors, or assist with the DPRK’s money-laundering and virtual currency transfers.”
Companies that employ freelance developers were told to be on the lookout for several suspicious indicators that might involve the use of “PRC-linked” digital payment services, inconsistencies in a freelancer’s CV, and cold-calls from individuals posing as C-suite level executives of software development companies to offer services and advertise proficiencies.
Freelance work and payment platform companies were also told to keep an eye on multiple logins into a privileged account from various IP addresses associated with different countries, frequent money transfers through PRC-based bank accounts, and the repeated use of templates for bidding documents and project communication methods.