Skip navigation

LinkedIn "LIONs" Are an Easy Target for Criminals

When criminals want to spam or spear phish, finding targets that willingly give up details about themselves to strangers is a good place to start. With social networking enabling the exchange of personal information quicker than ever, it's not a shock that sometimes an opportunity to connect trumps online security practices.

LinkedIn LION Comment Thread

Looking at my LinkedIn feed one day, I noticed a rare instance of someone posting their e-mail address on a public thread. While I thought that to be pretty odd, what really shocked me was when I noticed there were around 10,000 comments on that same thread, many of which were also e-mail addresses.

It turns out that this was a thread for LinkedIn Open Networker (LION) participants. As the name implies, these people are on LinkedIn to expand their connections as far as possible and not merely under the typical circumstance of having a personal or professional relationship with each of their contacts.

Framing the Concern

The web site Bank Info Security summarizes the context of the risk posing these LION participants rather simply from details gleaned out of an FBI report:

In its release, the FBI points out that these attacks also are targeting consumers, by relying on personal information collected about these users from public posts on social media sites and blogs, as well as with data collected from other breaches, to make the fraudulent e-mails appear legitimate.

The willingness to expose personally identifiable information for the hope of expanding opportunities is a concerning trait to have. This same mindset often overlaps with people that could be prime victims of a targeted phishing attack.

Imagine if an attacker were to spoof a LION signup form that asked for a password to gain access to an extended network of a hundred thousand other LIONs. Due to the common practice of password reuse, at least a few hundred of these same people would likely give you the keys to their personal kingdom for the chance at such an opportunity.

Assessing Exposure

LION Domain Piechart With so many pages of comments on the thread, I decided to quickly loop through LinkedIn's pagination to ensure I was able to scrape the entries and determine just how much of a treasure trove of names, pictures, and emails were in this list. After a couple runs of different pagination sizes (just to ensure results were accurate) I was able to filter out 3,034 unique, well-formatted e-mail addresses from the nearly 10,000 comments.

Of the e-mails found, a surprising number were from personal providers such as Google, Microsoft, and Yahoo. Had I not sorted the results out, I would have definitely guessed they would have been professional accounts at unique domains. This usage of personal accounts may lead to greater success by attackers because of reduced focus on phishing and spam filtering. At larger organizations, more vigilance is often put on preventing targeted attacks against employees.

Don't Fall Into a Trap

It's easy to see the reason the LION "movement" exists. The promise of having a huge network of people could lead to a future opportunity. Keep in mind, though, if you really wanted to connect with someone for an opportunity, you're much more likely to succeed by reaching out personally and connecting for real. A wide social network for professional reasons means little when you don't actually know your contacts.

It’s also worth noting that anyone collecting thousands of e-mails without a direct example of how they might help you could also be using your e-mail in questionable ways, such as selling your details as a sales lead to organizations or otherwise.

There are definitely various types of targets out there and for a criminal, people willing to share their e-mail to the world for the hope of a networking opportunity are probably some of the most "qualified" targets available.

Mark Stanislav

Security Evangelist

@markstanislav

Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development. Mark has spoken internationally at over 75 events including including RSA, DEF CON, ShmooCon, SOURCE Boston, and THOTCON. He earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University.