Fake CISO Profiles On LinkedIn Target Fortune 500s

Security researcher Brian Krebs writes: Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world's largest corporations. It's not clear who's behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources. [...] Rich Mason, the former CISO at Fortune 500 firm Honeywell, began warning his colleagues on LinkedIn about the phony profiles earlier this week. "It's interesting the downstream sources that repeat LinkedIn bogus content as truth," Mason said. "This is dangerous, Apollo.io, Signalhire, and Cybersecurity Ventures." [...]

Again, we don't know much about who or what is behind these profiles, but in August the security firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms. None of the profiles listed here responded to requests for comment (or to become a connection).

LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a "created on" date for every profile. Twitter does this, and it's enormously helpful for filtering out a great deal of noise and unwanted communications. The former CISO Mason said LinkedIn also could experiment with offering something akin to Twitter's verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer. Mason said LinkedIn also needs a more streamlined process for allowing employers to remove phony employee accounts. He recently tried to get a phony profile removed from LinkedIn for someone who falsely claimed to have worked for his company. In a statement provided to KrebsOnSecurity, LinkedIn said its teams were actively working to take these fake accounts down. "We do have strong human and automated systems in place, and we're continually improving, as fake account activity becomes more sophisticated," the statement reads. "In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community -- around 96% of fake accounts and around 99.1% of spam and scam."

be linkedout

[awwshit]

LinkedIn has become a cesspool of fraudulent activity. Every time we hire someone and they updated LinkedIn they start getting email from the 'CEO' asking for a personal cell number, and then follow ups asking to buy gift cards in a hurry. Thanks LinkedIn.

Too bad reporting fake profiles does nothing

[dongle22]

We had several fake CEO accounts pop up from my company over the past several years, and reporting them apparently does nothing as most of them are still there.

I don't get it

[quantaman]

For something like FB or Twitter I get how it would be difficult to stop people claiming fake employment, but LinkedIn??

Their whole thing is about connecting professionals, companies have LinkedIn pages, how is it that the admins for those pages can't at the very least automatically red flag accounts that falsely claim current employment?

This doesn't seem like it should be a difficult problem.

Re:

[pauljlucas]

How would an admin know it's a false claim? They'd have to go to the company's website and look up who the CxO is. For someone claiming a role below CxO, an admin would have no way to verify the claim since companies don't list employees below CxO level on their websites.

Re:

[quantaman]

How would an admin know it's a false claim? They'd have to go to the company's website and look up who the CxO is. For someone claiming a role below CxO, an admin would have no way to verify the claim since companies don't list employees below CxO level on their websites.

For a small company it's easy, there's not many employees.

For a big company and a senior position it's again fairly easy, there shouldn't be that many senior folks showing up and when one does it shouldn't be that hard to check with HR that the account corresponds to a new hire. The biggest problem is actually just figuring out people who are claiming a title (since they're potentially using different words), but a report of all the names & titles of new hires since X should be simple enough for an comp

Re:

[pauljlucas]

For a small company it's easy, there's not many employees.

Please explain exactly how an admin would do the verification.

For a big company and a senior position it's again fairly easy, there shouldn't be that many senior folks showing up and when one does it shouldn't be that hard to check with HR that the account corresponds to a new hire.

So the admin is going to look up the company's telephone number, call them, ask to speak to someone in HR, and said someone is allegedly going to verify employment?

If

Re:

[quantaman]

For a small company it's easy, there's not many employees.

Please explain exactly how an admin would do the verification.

For a big company and a senior position it's again fairly easy, there shouldn't be that many senior folks showing up and when one does it shouldn't be that hard to check with HR that the account corresponds to a new hire.

So the admin is going to look up the company's telephone number, call them, ask to speak to someone in HR, and said someone is allegedly going to verify employment?

If you don't mean they'd do it by phone, then, again, please explain exactly how they'd do the verification.

That would take a lot of phone calls for the over 300 million companies that exist in the world [statista.com]. Even if you assume only one person joins or leaves one company per day (a gross underestimate), that's over 300 million verifications you'd have to do -- every single day.

For all of those examples you seem to think LinkedIn is doing the verification.

But Companies have their own pages on LinkedIn, and employees are linked to those pages. The employees of the company who have permission to administer those pages should also have permission to people from falsely linking their employment info.

For a big company and a more junior position now LinkedIn needs to build some kind of API that folks could link into their HR system (plus maybe some rules like email verification). The API isn't trivial but the option for email verification should be pretty damn easy.

Why should any company trust LinkedIn, their API, or to safeguard their data? The list of employees at a company would be a recruiter's pot o' gold.

The company isn't giving LinkedIn access, they're sending out requests for lists of people (name, email, claimed title) who claimed to work there via LinkedIn and giving that company the a

Re:

[pauljlucas]

The employees of the company who have permission to administer those pages should also have permission to people from falsely linking their employment info.

For large companies, that would get burdensome, assuming they keep up-to-date with both adding new employees and removing former employees.

But even if I grant that they could do that, it would simply becomes an arms race. I just tried the experiment of adding a new position for myself working at Microsoft. (I have never worked at Microsoft and never

Re:

[quantaman]

The employees of the company who have permission to administer those pages should also have permission to people from falsely linking their employment info.

For large companies, that would get burdensome, assuming they keep up-to-date with both adding new employees and removing former employees.

I'd be shocked if they didn't have a full list of employees somewhere in their HR system.

The bottom line is you can spoof the company name.

And work for a version of Microsoft with 10 employees. Still useful in a scam, but a lot less convincing.

People can have LinkedIn accounts and be self-employed, so naturally they'd use their own e-mail address. If at some point they work for a company, why should they be forced to change their e-mail address on LinkedIn?

As I mentioned in my comment, they're not changing their e-mail address, they're just listing it for a one-time verification code.

It might also open LinkedIn to liability if they claim that the companies people claim to work for are accurate. If one slips through and damages the reputation of the company, LinkedIn might be on the hook even if you shift the burden to the company to do the verification. The plaintiff can always sue LinkedIn also and, even if LinkedIn wins, they still would have had to go through the hassle of defending themselves. However, if they state they they do no verification of anybody's profile, then they can't be held liable for bad information. From their perspective, it might not be worth the headache to do verification.

They're only liable if the verification screwup was LinkedIn's fault and not the companies.

Otherwise, I think they're actually more liable now since people are actively scamming companies

Re:

[gurps_npc]

They can use the actual, true name of the employees.

The problem is not caused by people falsely claiming that John Smith is the CEO of Tesla, but instead claiming that they are in fact Mr. Elon Musk, CEO of Tesla. Here is a picture of me, taken directly from the company website. Yes, my email is ElonMusk@duck.com. And my current mailing address is "51 Winnie Square, Hong Kong, China."

Re:

[drinkypoo]

It's not in fact a difficult problem to mitigate satisfactorily. TFA explains what they should do to improve the situation.

1. display the date of profile creation, this is beyond trivial so there's no excuse for not doing it. even a contractor who's never seen their system should be able to figure it out in less than an hour. it should take them about one minute to implement (literally) and they should already have sufficient automated testing in place to be sure it won't break something. But it's Microsoft