Recent revelations concerning the techniques used by the spy agency GCHQ to ‘protect’ the UK highlight some of the shadier methods it deploys for online surveillance or to manipulate and distort online discussion. Many of the techniques deployed by GCHQ bear a disturbing resemblance to those used by cyber criminals for their own commercial gain and in corporate espionage.
For example, GCHQ’s catalogue lists all manner of tools for mainly nefarious purposes, such as “mass delivery of email messaging to support an Information Operations campaign”, “mass delivery of SMS messages to support an Information Operations campaign”, “find private photographs of targets on Facebook”, “a tool that will permanently disable a target’s account on their computer” and “the ability to spoof any email address and send email under that identity”.
Perhaps it should come as no surprise that GCHQ is emulating techniques that have proved so successful for cyber criminals but that doesn’t make it any less disturbing. Nevertheless, from a commercial point of view, there’s no escaping the fact that these different types of cyber criminal attacks have proved very effective.
Today, serious and organised cyber crime is a far cry from a lone hacker sending out anonymous malware from their bedroom. Phishing, for instance, has flourished in recent years. Cyber criminals are using the increasingly sophisticated method of phishing to target businesses, resulting in tarnished reputations and loss of sales. The number one priority for any business suffering from a phishing attack should be to protect its customers and to never lose its identity.
But that’s not as easy as it sounds.
The availability of personal information via social media has made the process of making phishing messages sound more convincing a lot easier for cyber criminals. At the same time, businesses of all sizes are failing to educate their users to be vigilant at all times, especially in their personal online activities.
One service that makes a virtue of interleaving the social and the business is LinkedIn. Sadly, it’s also one of the most effective platforms for launching phishing attacks: one of the most successful methods of hitting a company with a targeted attack is to disguise it as a simple LinkedIn email.
A recent study reported that click-through rates for malicious attacks disguised as LinkedIn invitations were four times as high as for other social networking sites.
That’s understandable when you consider the nature of the platform itself. LinkedIn users naturally assume that emails or invitations to connect delivered through the site are work-related or businesslike. That assumption extends to the platform itself. This probably explains why a survey conducted by Barracuda found that LinkedIn has the lowest number of users who feel unsafe compared to other social media sites. It also accounts for the fact that LinkedIn is the social site that employers are least likely to block or limit access to.
People tend to trust information received from LinkedIn more than other social media platforms, which accounts for the much higher click-through rates compared to Facebook friend requests or Google+ ‘add to circle’ invitations. But users should be aware that their LinkedIn settings don’t block unwanted spam. Several default settings in users’ privacy controls are set to receive LinkedIn marketing emails. Most users never even look at these settings, but it’s important for them to take a minute and check their profile, privacy and email settings to make sure they are not sharing data with third parties or publicly displaying too much information. Unless they want to receive emails from certain LinkedIn Groups, they should uncheck all boxes in “Privacy & Settings”.
As for LinkedIn ‘invitation to connect’ emails, the best advice for anyone who receives what they believe might be a bogus invitation is to avoid clicking any links included in the email. Anyone receiving an email claiming to come from LinkedIn, even if they know the person supposedly sending the invitation, should visit the LinkedIn site directly to confirm the request rather than clicking on the link.
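The check described above can also be automated on the mail-gateway side: an email that presents itself as a LinkedIn invitation should both come from a LinkedIn address and link only to LinkedIn. The following is an added example (not code from the article or from Barracuda) that applies exactly that comparison to a constructed sample message; it assumes linkedin.com is the only legitimate domain, which is a simplification.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

LINKEDIN_DOMAIN = "linkedin.com"  # assumption: the only domain a genuine invitation uses

def _is_linkedin_host(host):
    """True for linkedin.com and its subdomains only; 'linkedin.com.evil.net' fails."""
    host = (host or "").lower()
    return host == LINKEDIN_DOMAIN or host.endswith("." + LINKEDIN_DOMAIN)

def check_linkedin_email(raw):
    """Return findings for a message that presents itself as LinkedIn; [] means it checks out."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_name, sender_addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    if "linkedin" not in (sender_name + " " + subject).lower():
        return []  # not claiming to be LinkedIn, so nothing to compare against
    findings = []
    # 1. The address the mail actually comes from must be a LinkedIn domain.
    if not _is_linkedin_host(sender_addr.rpartition("@")[2]):
        findings.append(f"sender {sender_addr!r} is not on {LINKEDIN_DOMAIN}")
    # 2. Every link in the body must point at LinkedIn as well (lookalike hosts fail).
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    for href in re.findall(r'href=["\']([^"\']+)["\']', content):
        if not _is_linkedin_host(urlparse(href).hostname):
            findings.append(f"link {href!r} does not go to {LINKEDIN_DOMAIN}")
    return findings

# Constructed sample: the display name and subject say LinkedIn, the domains do not.
SAMPLE_PHISH = """\
From: LinkedIn <invitations@linkedin-mail.example.net>
Subject: Reminder: you have a pending LinkedIn invitation
Content-Type: text/html; charset="utf-8"

<html><body><p>Jane Doe wants to connect on LinkedIn.</p>
<p><a href="https://www.linkedin.com.example.net/accept?x=1">Accept invitation</a></p>
<p><a href="https://www.linkedin.com/help">Help</a></p></body></html>
"""

# Constructed counterpart with the sender and links on the real domain.
SAMPLE_GENUINE = SAMPLE_PHISH.replace("linkedin-mail.example.net", "linkedin.com") \
                             .replace("linkedin.com.example.net", "linkedin.com")
```

The sample phish yields two findings (the sender domain and the ‘Accept invitation’ link), while the genuine-looking counterpart yields none.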
The other point worth making about LinkedIn compared to other social networks is that an individual’s connection to a former work colleague is likely to be weaker, less distinct and less well informed than it might be with a friend. As a consequence, it is much easier for cyber criminals to trick victims into connecting to a false ‘old colleague’ than it would be with an old friend. When you combine the natural vagueness of information and recollection that people have around former work colleagues with a platform that they consider the most trustworthy and professional, the potential for malicious attacks is significantly increased.
Businesses may well be aware of their potential vulnerabilities to attacks via the more personal social networking sites but they need to ensure they are not lulled into a false sense of security just because a particular social networking site appears less personal and more professional.
Dr Wieland Alge is VP & General Manager Europe, Middle East and Africa at Barracuda. He is responsible for Barracuda Networks’ business in Europe, the Middle East and Africa. Before this he was CEO and co-founder of phion AG, which merged with Barracuda Networks in 2009. With many years of experience in the planning and deployment of international security projects, Alge also has a profound knowledge of the user’s and administrator’s perspective on security.
Alge was a lecturer and scientific assistant at the Institute for Theoretical Physics at the University of Innsbruck. In 2008 he won the 'Entrepreneur of the Year' award from Ernst & Young.