Do you trust everyone that you’re friends with? Do you know who is behind each of your connections on LinkedIn, Facebook, Twitter, or Instagram?
Social media has lowered the barriers to social engineering and building fraudulent accounts to next to zero. All it takes is 15 minutes and an internet connection. At ZeroFox, we have found that these types of malicious profiles fit into one of two categories: Minimally Invested Profiles (MIP) or Fully Invested Profiles (FIP).
Some of the time, a social engineering profile is easy to spot for a security professional: indicators include a sparse profile, sexually provocative picture, or strange connections. This minimalist approach to profile creation capitalizes on only the fields necessary to appear in a search result, or more importantly, a friend request, and is optimized for bulk profile creation. Accounts like these are considered Minimally Invested Profiles (MIP).
An MIP is designed to target users who readily accept requests without doing any manual analysis of a profile. The attacker will fill out the fields necessary to appear legitimate in a friend or connection request. This varies by social network, but generally includes name, picture, job title, and location. The recipient of the request will only see this snapshot of the profile on their dashboard. A shocking number of users are comfortable accepting a connection request with such limited information — Norton reports that well over a third of social media users regularly accept unknown, unsolicited requests.
Minimally Invested Profile (MIP)
The alternative to an MIP is a more robust profile that is designed to fool just about anyone. The attacker can spend considerable time filling out as much of the profile as possible, gathering connections to appear legitimate, and taking time refining and editing the profile to pass a basic screening. Accounts like these are considered Fully Invested Profiles (FIP).
It is slightly more difficult to build a convincing FIP on networks like Facebook because so much of the profile is dictated by other users. For instance, establishing a convincing Facebook “wall” requires either real users to interact with the profile or other fake accounts to post to the main attacker’s profile. However, on networks like LinkedIn, Twitter, Google+, Instagram, Pinterest, and YouTube, where the majority of the profile’s content is self-generated, the attacker can build out the profile in relative isolation.
For a prime example of an FIP, check out the LinkedIn profile “Dr. Emily Crawley,” who boasts a compelling professional summary, a multitude of professional experiences, endorsements, recommendations, volunteer work, education, publications, projects, languages, skills, and actively follows several groups and organizations. Only after some serious digging does the profile unravel — the co-authors on her publications do not link to real accounts, her recommendations come from a patently fake Marine Corps General’s account, her connections are suspicious, and a reverse image search reveals that her profile picture is stolen from a Russian dating website.
One of the best ways for a regular user to manually assess a profile is to look at its connections. Are they mutual? Are they authentic? Are they numerous? To counter this kind of cross-examination, attackers invest time in building out connections before launching their attack on actual targets, a tactic called gatekeeper friending.
To this end, attackers must further select whom to engage with based on the identity of their final target. They must connect with the final target’s connections and interact with other movers in the target’s industry. Social engineering profiles thus frequently “specialize” by industry vertical or geography. Take Olga Redmon for example — her connections are mostly automotive employees in the Michigan/Ohio region. Who the final targets are remains to be seen.
Fully Invested Profile (FIP)
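The checks described above (sparse profile fields, few or no mutual connections, connections clustered inside the recipient's own network, a reused profile picture) can be expressed as a simple recipient-side triage. This is an added example, not ZeroFox tooling: the snapshot schema, the thresholds and the sample profiles are assumptions constructed for illustration, and the reverse-image-search result is supplied by the caller rather than fetched.

```python
from dataclasses import dataclass


@dataclass
class RequestSnapshot:
    """What a recipient sees on a connection request (assumed schema, not a real platform API)."""
    name: str
    has_photo: bool = False
    title: str = ""
    location: str = ""
    summary: str = ""
    connection_count: int = 0
    mutual_connections: int = 0
    photo_reuse_hits: int = 0   # constructed: number of unrelated sites a reverse image search found the photo on


def triage(snap: RequestSnapshot) -> dict:
    """Return heuristic flags and a coarse verdict; thresholds are illustrative assumptions."""
    flags = []
    # An MIP fills only the fields needed to appear in a request: name, picture, title, location.
    filled = sum(bool(f) for f in (snap.has_photo, snap.title, snap.location, snap.summary))
    if filled <= 2:
        flags.append("sparse-profile")
    if snap.connection_count < 25:
        flags.append("few-connections")
    if snap.mutual_connections == 0:
        flags.append("no-mutual-connections")
    elif snap.connection_count and snap.mutual_connections / snap.connection_count > 0.5:
        # Most of the profile's connections sit inside your own network: consistent with gatekeeper friending.
        flags.append("connections-clustered-in-your-network")
    if snap.photo_reuse_hits > 0:
        flags.append("photo-found-elsewhere")      # stolen-picture indicator
    if "sparse-profile" in flags and "few-connections" in flags:
        verdict = "likely-MIP"
    elif flags:
        verdict = "possible-FIP-review-manually"   # well-built profiles need a human look
    else:
        verdict = "no-heuristic-flags"
    return {"verdict": verdict, "flags": flags}


# Constructed samples: a bulk-created minimal profile and a well-built one with reused photo.
MIP_SAMPLE = RequestSnapshot("Jane Doe", has_photo=True, title="Recruiter", connection_count=8)
FIP_SAMPLE = RequestSnapshot("Dr. A. Example", True, "Research Director", "Detroit, MI",
                             "20 years in automotive R&D", 480, 300, photo_reuse_hits=2)
```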