LinkedIn Fakes Targeting You

Update September 15, 2017

Phishers Spread Malicious Links Via Hacked LinkedIn Accounts

Info Security, 9/15/2017

Researchers are warning of a new phishing campaign using hijacked LinkedIn accounts to send malicious links in private messages and InMail. Jérôme Segura, lead malware intelligence analyst at Malwarebytes, made the discovery, revealing that the fraudulent messages sometimes come from hacked Premium accounts. “The fraudulent message includes a reference to a shared document and a link that redirects to a phishing site for Gmail and other email providers which require potential victims to log in,” he explained. “Those who proceed will have their username, password, and phone number stolen but won’t realize they were duped right away. Indeed, this phishing scam ends on a tricky note with a decoy document on wealth management from Wells Fargo.” The phishing messages in question abuse link shortening service ow.ly and free hosting provider gdk.mx to redirect to the phishing page, which is hosted on a hacked website, Segura added.


Update March 16, 2017

Apparently, Saudi Arabian Princess Ameerah bint Aidan bin Nayef Al-Taweel Al-Otaibi is a well-known personality, which makes her an unusual choice for a fake LinkedIn profile with over 500 contacts, much less multiple fake profiles, but here we are.

Update September 18, 2016

Here is another fake with over 500 connections, conflicting and minimal information, and a penchant for targeting homeland security individuals.

There is no presence for an Arianna Jonathan on the Internet in America (there does appear to be one in Italy), although there are instances of Arianna and Jonathan getting married. The picture returns zero instances from both Tineye and Google Image Search.

She lists her job as being at Ronato Inc. in one place and at Harman International B in another. There is a Harman International; the B is unexplained, but even if you assume it’s a typo, that leaves us with Ronato, which dissolved in 1990 (https://www.corporationwiki.com/p/2o0648/ronato-inc). Regardless, would someone with an MBA list it as a certification without at least putting the university (under Education she put “Bachelor’s degree, Human Resources Management and Services” from Arizona State University)?

I recognized a well-known homeland security writer in the list of shared connections and asked for a vouch for Arianna. This is the response I received:

“She sent me a request a couple of weeks ago and I accepted. After receiving your message, I reviewed our “mutual” acquaintances and it appears that she is linking in with homeland security folks. I just removed the connection.”

Update September 10, 2016

The Department of Defense has a series of “Smart Cards” with advice for online privacy settings. There are no security restrictions on these cards, so they can be shared publicly. One addressing LinkedIn is available from the Public Intelligence website.

The card has two pages of advice such as:

  • Only establish and maintain connections with people you know and trust. Review your connections often.
  • Assume that ANYONE can see any information about your activities, personal life, or professional life that you post and share.
  • Ensure that your family takes similar precautions with their accounts; their privacy and sharing settings can expose your personal data.

It also suggests specific profile privacy settings. For example, regarding your connections: “Select who can see your connections. Set to Only You. Note: People will still be able to see connections who endorse you and connections they share with you. Don’t want your endorsements visible? Just choose to opt out.”

The document is online in Adobe Acrobat (.pdf) format here.


Update August 15, 2016

Debra Phifer is a fake profile. A search of her avatar using tineye.com reveals the picture is of a woman named Stephanie who is the subject of a documentary about Latina graduates (http://www.pbs.org/independentlens/videos/latina-student-faces-present-day-school-segregation/).

The company “Debra” works for does not exist outside of Indonesia. Her entire listing has one job and one degree. Yet, somehow, “Debra” has conned over 500 people into linking, including high ranking state officials and tech leaders.

This is the first fake I have seen that purchased the premium membership, though. This addition apparently makes the listing the first among equals — if you search LinkedIn for Debra Phifer, this listing comes up first of ten Debra Phifers.

Who Cares/So What?

Why is any of this noteworthy? Two reasons: first, linking provides a direct communication method to individuals that bypasses many security provisions in place for other methods, and second, it gives the requester access to information about an individual’s background, habits, and relationships, which can be used for doxxing (see for example http://www.vachiefs.org/index.php/news/item/doxxing_the_new_threat_posting_personal_info_of_officers_and_their_families).

Final note for this entry: in addition to the new tactic of purchasing premium memberships, some fake accounts are also “endorsing” people for skills and expertise. I know this because I was asked to link with an account I knew was fake and I notified several friends who had accepted the link. The fake account had started endorsing my friends, which the actual person had not done, and my friends are now deciding which one they like better.

Update August 10, 2016

How to report Fake Profiles (as of August 2016)

To flag inappropriate or fake profiles directly on LinkedIn (i.e. profiles that contain profanity, empty profiles with fake names, or profiles that are impersonating public figures), please follow these steps:

  1. On the profile you want to report, hover your cursor over the Dropdown arrow next to Send a Message or Send InMail/View in Recruiter in the top section of their profile.
  2. Select Block or Report.
  3. Click the box next to Report.
  4. Select a reason for flagging the profile.
  5. Click Continue.
  6. Select Agree.

Meanwhile, on Facebook:

James, we both know the answer to this, don’t we?

Update July 28, 2016

Someone has too much time on his or her hands.

Update July 6, 2016

Dear Former House Majority Leader @EricCantor: a fake LinkedIn account had the good taste to use your picture and has conned 59 people so far. Thought you would want to know.

Update May 23, 2016

Josh Peppertown can’t keep the name of his employers straight. Sad because he’s worked there eight years. Not. This one is a first for me, though, because the LinkedIn presence is the ONLY place on the Internet you will find Mr. Peppertown.

An Internet search using a popular search engine turned up only 45 results, and all of them, I mean ALL of them, are LinkedIn accounts. Web searches usually pick up multiple LinkedIn accounts because they appear on other LinkedIn pages as people who were also viewed or searched or you might want to look at.

Of the other results, I’ve already introduced you to the nonexistent Todd Betterworth and, in fact, his profile has disappeared from LinkedIn. Sarah Mills Weeks might be someone with a playful sense of humor and over 500 friends, but more likely is a somewhat more elaborate fraud. She has two Twitter accounts that issued a few tweets and retweets and then stopped. She also has a Facebook page that is current and active, but it’s almost all reposts that appear automated.

That leaves Tom Smith, and you can draw your own conclusion:

Update May 5, 2016

Asheesh Singh is clearly a fake, but at least it’s an entertaining one, as he describes himself as a personal business analyst in Cameroon who likes photography, with no further details, absolutely none. A reverse image search this time leads us to another LinkedIn account, a gentleman who appears on multiple websites and whose LinkedIn bio is well filled out. You can see the difference below.

It’s not immediately clear who or what is being targeted. Asheesh at this point has 270 connections, but only two are linked to me, so I have a sample of three to work with. It appears his visible current connections and I share only two things: living in Texas and being named Steven. Is there some conspiracy against Stevens?

Update April 22, 2016

Yeah, Jack Middleton, who left Waco for NYU but flunked spelling and returned to Waco, you don’t exist. Not only that, but you used a picture of a member of the Vietnam Helicopter Pilots Association (#722, McElheny and Tucker). And you’ve conned one state senator, three state representatives, a reporter, a ton of lobbyists — over 500 people into linking to you with little more than that.

And here’s Kaye Bean, who also doesn’t exist. The creator of this persona wants you to think Kaye was a legislative staffer in Pennsylvania who moved to Texas to work for a moving and storage company, but keeps an interest in politics. Kaye is new here, didn’t even list a college. But yes, the picture is from a porn site.

Update April 21, 2016

Arriving today in the inbox: ANA Harvey, who does not exist but according to Tineye.com bears an astounding resemblance to Kelly Clarkson. She shares a connection with me — a retired police chief who will be hearing from me shortly.

The company she claims to work for, TMDGLLC, has a company listing on LinkedIn with more than 40 very photogenic employees. Pulling some out, “AMANDA” Black appears to be an accountant who moonlights as a model for no-iron blouses.

Hazel Romero and Cassandra Lambert are stock photos. Rich Krueger appears to be real. Yay Rich!

Feel free to try your hand at this.

Original article posted April 17, 2016

The picture is too perfect; it screams stock photography. I got curious and searched on the name, picture, and company.

April Karr https://lnkd.in/bgX75D7 doesn’t exist. That picture is a Shutterstock photo. The company listed doesn’t exist. There’s minimal info in the LI profile. It’s a fake. A fake that more than 500 people so far have bought into.

Whoever’s behind it has an active program aimed at government professionals. LinkedIn says 304 of my largely government-related connections have accepted April’s invitation. I’ve received at least three invitations from her.

The fakes get better

And then there is Sally Kosboys: https://lnkd.in/bRhvC8U.

Same story — minimal info, appears to be a government person, invite sent to government types. 311 of my friends bit on that one.

One twist here is that Sally also has a fake Twitter account (https://twitter.com/Kosboys) with one suggestive tweet from 2012 to her credit (“Entertaining clients at Aureole’s tonight”) and 249 followers.

Another twist is the source of Sally’s picture. Here it is in context:

And here’s the equally bogus Paul Kosboys https://lnkd.in/b2n5fVU. Poor Paul — in 39 years as head of a public relations firm, he has yet to set up a company website, and on LI he’s only managed 28 connections.

Here’s a clever LinkedIn fake that further evidences the targeting of government employees: Teresa Kraft https://lnkd.in/bCJaBfF.

Just enough info in the fields to look legit but be hard to check. The motive for this one seems clearer than the other ones — sell a product to government professionals and wannabes.

Are you spending endless hours searching for political and government jobs in Washington D.C.? What if you could stop the endless search and go to a one stop shop to begin or advance your political career. Find the jobs that are usually only available to insiders on the #1 political job aggregator in Washington D.C…

The picture is stolen from another LI account, Sara Beery https://lnkd.in/btJn4DM — an image search finds the same photo, uncropped, elsewhere on the Internet.

I question whether anyone associated with Teresa’s alleged place of employment actually exists.

Here’s Todd Betterworth — looks like he’s made over 500 friends, or would have if he actually existed. You’ll find the original photo at what appears to be a site by someone who really likes coveralls, http://www.coveralls.co.uk/. Looks like if you are in the oil or gas industry, you’d want to think twice before linking to this guy.

I wonder why so many have fallen for these, but I don’t wonder what the intent was when “Teresa” or any of these others sent me an invitation. It can’t be good.

This is an expanded version of an article I originally published on LinkedIn.