Wednesday, April 23, 2008

LinkedIn for Targets

Oftentimes the company I work for is hired to do "open source reconnaissance" on a network or company. Basically this means seeing what information you can get about the company or its employees from public sources. Knowing how to use WHOIS, how to query DNS and especially how to use Google is a must in this area.

You'd be surprised what you're able to find. From the obvious things like DNS zone transfers to resumes of employees describing EXACTLY how they built the ASP-based web infrastructure for the company. This information can be a dream come true for a pen tester or an attacker.

But you really need to look beyond the things Google and other search engines give you when you do this. Checking out MySpace, Facebook, and other "social networking" sites can yield a gold mine of information. My biggest fave these days when doing these types of tests: LinkedIn.

IMO, LinkedIn is essentially a toned-down "corporate" MySpace. A virtual bar where everyone can see who everyone else knows and how they know them. With the latest features, you can even get profiles on a company, see who their other employees are and what they do. Great stuff for a pen tester or an attacker.

That's why I was really interested when I saw a post from the CSIS Security Group about an experiment they did on LinkedIn and presented at the Europe Fraud Conference. Essentially, they created a fake person, named John Smith, gave him some fictional work history and started sending invites to everyone they could. Anytime someone sent an invite to them, they accepted. In the end, they had over 3600 contacts - 1115 of which had contacted them!

Now, imagine what a bad guy could do on a site like LinkedIn. After having established a valid-looking profile, which according to CSIS is pretty easy to do, they would look trustworthy to anyone who saw their profile. It would be relatively easy to create a company contact list for their target company at that point and begin a targeted campaign against those people. Given the malware targeting we've been seeing lately, I have to wonder if that's not already being done.

The presentation is located at http://www.csis.dk/dk/media/LinkedIn-Threats.pdf and a technical paper on it is located at http://www.csis.dk/dk/media/LinkedIn-V2.pdf. The technical paper was released in January, so it may not be news to some people, but I think it's worth a read nonetheless.

1 comment:

Tom said...

Good stuff. Interesting seeing all the new techniques that attackers are using to target Web 2.0 sites. Paul from pauldotcom recently posted about the "evil twin" attack and how XSS is being used to expose "private" profiles. More here:

http://www.pauldotcom.com/2008/04/22/scamming_social_networks.html