Automated LinkedIn Social Engineering Attacks

Section 9 Labs, published in Section 9 Lab, Sep 1, 2014

Social networks and social engineering were made for each other. Nowadays people willingly share their private information through these networks: contact networks, updates, feelings, pictures and files, basically everything a social engineering perpetrator ever wanted.

Background

Corporations perform penetration tests on their networks, web applications and physical infrastructure in order to find and fix vulnerabilities. In the same way, for the last decade these institutions have also been testing their workforce to get an idea of how aware and prepared it is against social engineering attacks. Sadly, no matter how strong the technical security mechanisms are, it keeps being proved that “human stupidity” will bypass any and all protections given a good enough and believable ruse.


In addition, in the past few years social networks have grown to be some of the strongest nodes on the internet, with sites like Facebook, LinkedIn and Google+ in the lead. These networks are a perpetrator's wonderland for data and victims, with LinkedIn being the perfect phishing place for corporate victims. Company employees connect to co-workers and friends and automatically generate phishing networks for attackers that want to target a specific corporate network. Besides updates, it provides features such as InMail, groups and search filters, among others, that can be used to weaponize attacks against a specific company or group.


Furthermore, even when not attacking through social networks, these are still a great source for OSINT, allowing malicious people to obtain sensitive information about individuals that they can use in later stages of their attacks. We will get into these techniques in a different post, where we will talk about some tools we created to do just that.

With all this information, security researchers and criminals alike find these networks a great land of opportunity. At Section9Labs we always want to bring the most realistic attacks to our clients, hence we have been exploiting these vectors to offer Targeted Social Hacking (TASH) services to our clients and to expand research in this area, because we believe it is and will be a useful attack vector for years to come.

Attacks

Targeted Social Hacking, social network social engineering, or whatever people might call it, remains a very manual job within the security consulting arena, given the lack of open source tools capable of controlling accounts and of weaponizing those accounts.

Account Creation

First, accounts are needed, so an attacker or a consultant has to create them, either manually or in an automated way. Currently, in order to do so, we either go through the process manually and create an account, buy accounts online, and/or use some sort of automation script or tool capable of creating an account, usually through headless browsers such as watir, selenium or phantomjs (cough cough, we will be releasing a new tool sometime later this year).

http://linkedin.com default landing page

Once you have one or more accounts, you need to start populating them with connections. Depending on the target (corporate or individual) you will start populating your fake PERSONA with easy-to-trick people, usually sales contacts, recruiters, and other people that are not tech-savvy and that depend on having a massive number of contacts in their networks.

This will give you a respectable number of contacts so that you stop looking “phishy” to more security-aware contacts, who could easily spot your impersonation at first; once you have a solid connection base, and possibly other social networks linked to it, you might be able to trick most people.

Moving several steps forward for the sake of this blog post and whoever is reading it, let us assume we have a good fake profile waiting to be used.

Attack vectors

We have several ways of attacking a specific individual or group of individuals:

a) Internal Messages or InMails. Send internal phishing messages just like you would send normal phishing emails, with the advantage that corporations are not able to filter these messages.

New LinkedIn message window

b) Status Updates. Allows the attacker to distribute attacks through news and updates that could lead the user to a vulnerable or malicious website or resource that the perpetrator controls. This is useful when attacking without really caring who you target. These updates could potentially be shared by your contacts and the attack could get out of hand or expand out of control, so it is not recommended when performing a targeted attack against a small group.

Random Status Update from one of our fake profiles.

c) Group messages or updates. This is ideal to target a specific group. An attacker could join or create a new private group and have full control over the extent of his/her attack, containing it within the boundaries of the private group.

LinkedIn groups

d) Advertisement. Potentially we could use internal LinkedIn ads with malicious content, but given this is a paid service we decided to stay away from it for the time being. Although, precisely because it is paid, it raises the belief that the content is legitimate and could become a successful attack vector.

e) Job Postings. Yet another possible way of reaching a desired audience; nevertheless, we have not used this attack vector and we will not discuss it further.

Having performed these attacks manually several times, we decided to start automating them through our newly created social engineering framework, Cartero. Let us discuss what we currently have and what can be done with it.

Cartero

Cartero is a robust social engineering framework built around a CLI tool with multiple commands and operations. The framework is a direct result of work necessities at S9L on projects for our clients. Even though we use and know of very good projects out there, we were not able to find a fully customizable and suitable solution capable of meeting our specific requirements.

The framework is divided into commands that perform independent tasks (i.e. Mailer, Cloner, Listener, AdminConsole, LinkedIn, etc.). Each command is a fully independent application in itself, but they are still able to work together as a full-stack solution for social engineering attacks.

For example, if we wanted to clone gmail.com, we would simply run the following commands.

❯❯❯ cartero Cloner --url https://gmail.com --path /tmp --webserver gmail_com
❯❯❯ cartero Listener --webserver /tmp/gmail_com -p 9090
Launching mongodb
Puma starting in single mode...
* Version 2.8.2 (ruby 2.1.1-p76), codename: Sir Edmund Percival Hillary
* Min threads: 4, max threads: 16
* Environment: production
* Listening on tcp://0.0.0.0:9090
Use Ctrl-C to stop

malicious gmail.com website, which could contain different exploits and payloads.

LinkedIn Command

The LinkedIn command is the first social network addition to the Cartero framework, allowing attackers to use the platform to send messages and attack users.

❯❯❯ cartero LinkedIn
Usage: Cartero LinkedIn [options]
-D, --data [DATA_FILE] File containing template data sets
-S, --server [SERVER_NAME] Sets Email server to use
-s, --subject [MESSAGE_SUBJECT] Sets LinkedIn Message subject
-b, --body [FILE_PATH] Sets LinkedIn Message Body
-l, --list [CONNECTIONS|GROUPS] List json of (connections or groups)
--send [MESSAGE|GROUP_UPDATE]
Send one or more (message/s or group/s updates)
-o, --save [FILE_PATH] Sets LinkedIn Message Body

Common options:
-h, --help Show this message
--list-options Show list of available options

The command does require a developer API key and an OAuth key on the attacker's profile, but these can be easily obtained at

https://www.linkedin.com/secure/developer

and a new server template can be created with the Servers command, as shown in the snippet below:

❯❯❯ cartero Servers --add linkedin_xyz -T linkedin
Server linkedin_xyz Created.
❯❯❯ cat ~/.cartero/servers/linkedin_xyz.json
{
"name": "linkedin_xyz",
"type": "linkedin",
"options": {
"api_access": "api_access_key",
"api_secret": "api_secret_key",
"oauth_token": "oauth_token_key",
"oauth_secret": "oauth_secret_key"
}
}

Once we have a “server” or “API LinkedIn user”, we can simply refer to this configuration and use it (yes, I'm lazy). It was created this way so we can create as many configurations as needed and script them out programmatically if necessary.

Technically speaking, we only need to create one developer key for one user and obtain an oauth_token and oauth_secret for the other users, but this limits the extent of our attack and allows LinkedIn to quickly identify and delete the application API key if it is found to be “malicious” in nature.

Going forward, as we mentioned, we have multiple ways of interacting with users and performing social engineering attacks against our LinkedIn victims. Currently Cartero supports (a) messages and (c) group updates. Note: we could easily implement status updates, but we have not done it yet. ☺

There are several ways of sending a message, but the basic command requires a server [-S], a data set [-D], a message [-b, or a “message”: “” field on one or more data entities] and a subject [-s, or a “subject”: “” field on one or more data entities].

The data sets can be downloaded using the LinkedIn [--list connections|groups] option, depending on whether you want to send messages or group updates:

❯❯❯ cartero LinkedIn -S linkedin --list connections -f linkedin_data.json
❯❯❯ cat linkedin_data.json
{
"id": "XXXXXXXXX",
"name": "John",
"last": "Carter",
"title": "DevOps at Company X"
},
{
"id": "YYYYYYYY",
"name": "Chris",
"last": "Doe",
"title": "Security Engineer at Company X"
},
{
"id": "ZZZZZZZZ",
"name": "Javier",
"last": "Doe",
"title": "Engineer at Company X"
},
{
"id": "WWWWWWWW",
"name": "Horacio",
"last": "Ninguno",
"title": "Business Admin at Company X"
},
❯❯❯ cartero LinkedIn -S linkedin --list groups -f linkedin_group.json
❯❯❯ cat linkedin_group.json
[
{
"id": "37658",
"name": "Black Hat"
},
{
"id": "1403037",
"name": "Malware Virus and Exploits"
},
{
"id": "762347",
"name": "Over The Wire"
}
]

Messages: in order to send a message we use the [--send MESSAGE] option together with the data set shown above. If a data set has not yet been obtained, the command provides a simple way of downloading the relevant information and storing it in a usable format.

❯❯❯ cartero LinkedIn -S linkedin_xyz -D linkedin_data.json --send MESSAGE --body message_body.template --subject "Testing Cartero"

Group Updates: the concepts and requirements of the previous command still apply, but the target changes by using the [--send GROUP_UPDATE] option, as shown in the snippet below:

❯❯❯ cartero LinkedIn -S linkedin_xyz -D linkedin_group.json --send GROUP_UPDATE --body body_message.template --subject "Testing Cartero"
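To make the server definition and data-set format above concrete, here is an added Ruby example (not Cartero's own code): it flags server options that still hold the placeholder values written by Servers --add, and applies the precedence rule where a per-entry "subject"/"message" field wins over the -s/-b defaults. The {{field}} placeholder syntax, the sample entries and the function names are constructed assumptions, not Cartero's template language or API.

```ruby
require 'json'

# Constructed sample in the shape of ~/.cartero/servers/<name>.json as shown
# on the page; the option values are the untouched placeholders.
SERVER_JSON = <<~JSON
  {
    "name": "linkedin_xyz",
    "type": "linkedin",
    "options": {
      "api_access": "api_access_key",
      "api_secret": "api_secret_key",
      "oauth_token": "oauth_token_key",
      "oauth_secret": "oauth_secret_key"
    }
  }
JSON

# Constructed data set in the shape of linkedin_data.json; the second entry
# carries its own "subject"/"message", which overrides the -s/-b defaults.
DATA_JSON = <<~JSON
  [
    {"id": "XXXXXXXXX", "name": "John", "last": "Carter", "title": "DevOps at Company X"},
    {"id": "YYYYYYYY", "name": "Chris", "last": "Doe", "title": "Security Engineer at Company X",
     "subject": "Per-entry subject", "message": "Per-entry body for {{name}}"}
  ]
JSON

REQUIRED_OPTIONS = %w[api_access api_secret oauth_token oauth_secret].freeze

# Returns the option names that are missing or still equal to the "<key>_key"
# placeholder, i.e. a server file that was created but never filled in.
def unconfigured_options(server_json)
  server = JSON.parse(server_json)
  raise ArgumentError, 'not a linkedin server' unless server['type'] == 'linkedin'
  opts = server.fetch('options', {})
  REQUIRED_OPTIONS.select { |k| opts[k].nil? || opts[k] == "#{k}_key" }
end

# Resolves subject and body per data entity: entity fields win over the CLI
# defaults. {{field}} is substituted from the entity (assumed syntax).
def resolve_messages(data_json, default_subject:, default_body:)
  JSON.parse(data_json).map do |entry|
    body = entry.fetch('message', default_body)
    rendered = body.gsub(/\{\{(\w+)\}\}/) { entry.fetch(Regexp.last_match(1), '') }
    { id: entry['id'], subject: entry.fetch('subject', default_subject), body: rendered }
  end
end
```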

Final Thoughts

Social networks are a great place for social engineers and as the world gets more interconnected more and more attack vectors will show up and become mainstream ways of attacking people and corporations.

After using the tool we know there is a lot more work that could and should be done (there always is ☺), but we felt it was important to share it, given that it is an interesting starting point for automation in the social engineering arena.

Sympathy for evil, the nature of our game.
