Only a Test, Right? CISO Tests Staff with LinkedIn Scam


What would happen if a CISO launched a social engineering campaign against his own security staff? That’s what Graham McKay, CISO at DC Thomson, a large UK media organization, wanted to test through a LinkedIn scam.

According to IT ProPortal, McKay set up a fake LinkedIn account and used social engineering techniques in an attempt to connect with his own staff.[1] Social engineering is the psychological manipulation of people into performing actions or divulging confidential information.[2] In this case, McKay succeeded on both counts. Within one week, 28 of McKay’s employees had connected with his fake LinkedIn account, and 89% of them accepted through a link, one of the simplest phishing methods employed on social media.

Curious about what would unfold if he escalated the exercise, McKay used his fraudulent profile to monitor his connections’ postings on social media networks. He was concerned to find that some employee posts directly violated DC Thomson’s social media policies. Worse, he discovered employee posts that divulged details about DC Thomson’s private clients: information that even most executives are not authorized to comment on.

McKay, understandably disturbed by the results of his social engineering campaign, took immediate action. He messaged his staff, exposing the LinkedIn scam campaign and notifying them that they had been taken in. When asked why they had accepted the connection requests, the employees replied that the requests seemed work-related, so they did not question their origin. Furthermore, several days after he revealed this information, many employees remained connected to the fake account, and more continued to connect as they blindly accepted its connection requests.

McKay’s findings, while shocking, are not uncommon in large enterprise organizations. Impersonators on social media are skilled in the arts of deception and manipulation, leveraging a borrowed identity and publicly available information to expose sensitive data, intellectual property, client information, or any other “juicy data.” Exposure through social media attack campaigns can harm corporate assets both immediately and over the long term. Immediate remediation of breaches costs organizations billions of dollars every year, and the longer-term ramifications can include a diminished reputation, brand, or market leadership position. A LinkedIn scam is just the tip of the iceberg when assessing the social media threat landscape. McKay’s experiment showed how easily malicious actors can infiltrate an organization, which poses a critical question: how would your organization compare?

One would hope that your own security team would fare better, but that may not be the case. The trust associated with social networks makes them a prime location for cyber criminals to lurk. Each week we hear of a Twitter hack, Facebook scam, or social media account takeover that impacts a person, a brand, or both. LinkedIn’s greatest appeal, the potential benefit of being connected with somebody whose network can help you, is also one of its largest security concerns: a connection request from a plausible, work-related profile is exactly what users are inclined to accept without question.

[1] Loynes, T. (2014, May 19). One CISO, one fake LinkedIn account: Here’s what he found out about his staff. ITProPortal. Retrieved May 22, 2014, from
[2] Social engineering (security). (2014, May 21). Wikipedia. Retrieved May 22, 2014, from
