Want someone to click on your targeted attack? Disguise it as a LinkedIn message
Hopefully, by now, we all understand the threat posed by targeted attacks, and how online criminals might attempt to target specific individuals inside your organisation.
Unlike the huge, mass-mailed attacks of yesteryear like the Sobig and MyDoom worms, targeted attacks don’t try to infect as many computers as possible as that would draw far too much attention to themselves.
No, they’re interested in compromising a small number of particular computers, in order to establish a beachhead inside your company through which data can be stolen, and potentially other attacks can be launched.
So, what is one of the key ways in which they might attempt to trick your staff into clicking on a dangerous link? The simple LinkedIn invitation to connect email.
On Thursday I was lucky enough to participate in a session at the “IT Leaders’ Forum”, held at the London Stock Exchange, which saw the IT chiefs and CSOs (Chief Scapegoat Officers) responsible for protecting some of the UK’s leading companies gather to share their experiences and learn how to convince the board to take security seriously.
The forum, run by the good guys at Computing magazine was well attended and informative, and I found one of the most interesting presentations to be that given by Proofpoint’s Mark Sparshott who discussed some of the security firm’s latest research.
And one of the factoids Mark revealed was that, according to Proofpoint’s research, bogus LinkedIn connection emails are remarkably successfully at tricking users into clicking.
The most effective email templates for attackers who want their victims to click are social network communications, financial account warnings and bogus order confirmations.
However, click rates on malicious campaigns pretending to come from LinkedIn are twice as high as those of other campaigns seen by Proofpoint in the recent past. Indeed, the click rate on bogus LinkedIn emails are four times that of campaigns that use other social networking brands.
In a nutshell, users who receive emails which appear to be LinkedIn invitations to connect from others find it remarkably hard to resist clicking. Proofpoint says that users click on malicious LinkedIn invitation templates a staggering eight time more than they click on all types of LinkedIn emails and notification emails.
Users can tell apart spam annoyances from useful email, however, it is getting more and more difficult for users to tell apart phishing email as unsolicited email and notifications from popular services are common. Given the nature of professional social networking, and specifically the popularity and trust enjoyed by the LinkedIn brand, it is frequently used as a malware campaign template and serves its purpose in enticing users to click.
The attackers know that these disguises work, and will continue to disguise their malicious campaigns by using familiar brands. LinkedIn is clearly a brand that many users find irresistible to click upon when they receive what purports to be a connection invitation.
In my view it’s unrealistic to expect the average computer user to distinguish between genuine and bogus emails when they are professionally crafted. Although education can help protect your employees from malicious targeted attacks, it has to be combined with technology to lower the chances of a successful breach.