July 30th, 2007


LinkedIn phishing?

Today, as so often lately, I got a LinkedIn invitation from an old colleague whom I haven't seen in a number of years. In this particular case, it was the CEO of my last company, whom I had actually been looking for at one point, when I thought it might make sense for my current company to buy the old one's IP.

And it suddenly occurred to me: how the heck do I know that it's actually him? I mean, LinkedIn allows anybody to claim a particular identity -- I can say that I'm person X, formerly of company Y, and they don't do much to check that. They let me send out invitations to all of my "colleagues" from that company, and those colleagues are likely to simply accept me at face value. They lend a wholly spurious imprimatur of legitimacy to me, simply because I claim to be that person. Heck, they even *encourage* me to make contact with everyone from company Y, and make it as easy as possible to do so. I haven't looked at it in detail, but it appears to me that LinkedIn's trust model is badly broken: it provides just the right combination of privacy and communication to make identity theft really easy.

So here's a prediction: if it hasn't happened already, we're going to see a quiet rise in highly targeted, very dangerous social-engineering attacks conducted via LinkedIn, and possibly other systems like it. It will be used to convince a target that the hacker is an old associate, and the resulting trust will be leveraged for criminal ends.

Given the rise of targeted phishing (one of the news stories of the past couple of months is the fall of generic spam, and the rise of targeted criminal phishing attacks aimed at C-level executives at companies), I think this one's damned near certain. The crooks aren't dumb enough to miss this opportunity, and it's going to force LinkedIn and companies like it to rethink their procedures after a few good scandals arise...