Please add me to your #Linkedin sockpuppet network!

LinkedIn has approximately 414m active users, of which a proportion are entirely fake. The practice has been observed before, with fake recruiters targeting security researchers.

This content is the result of the same 'gang' of Nigerian criminals who favour the KeyBase keylogger (not to be confused with Keybase.io) to steal sensitive credentials. I've observed these gangs (along with @techhelplist, who found many of the details included here) using LinkedIn as a new platform for attempted financial fraud.

A large number of the screenshots shared with me are the result of a misconfigured KeyBase panel: there is a well-known weakness in KeyBase's web panel that allows unauthenticated access to its /images/ directory (where the victim screenshots are stored) to anyone who can locate the panel. Palo Alto have listed a large number here.
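As an added illustration (my own example code, not the author's tooling and not anything taken from a KeyBase panel): a small Python check for the exposure described above. It treats a panel as exposed when a request to its /images/ path returns an auto-index style directory listing with image links, and parses a constructed sample listing offline; the host name example.invalid in the sample is hypothetical.

```python
"""Detect an unauthenticated, listable /images/ directory on a keylogger
web panel.  Added example, not the author's tooling: the listing below is
constructed, and example.invalid is a hypothetical host."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin
from urllib.request import Request, urlopen

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
# Phrases emitted by common auto-index pages (Apache, nginx, IIS, python http.server).
LISTING_MARKERS = re.compile(
    r"index of /|directory listing|parent directory|\[to parent directory\]", re.I)


class _HrefCollector(HTMLParser):
    """Collect every <a href=...> on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def exposed_images(listing_html, images_url):
    """Return absolute URLs of image files linked from an auto-index page.
    Returns [] when the page does not look like a directory listing, so a
    panel that correctly answers with 403/404 or a login form is not flagged."""
    if not LISTING_MARKERS.search(listing_html):
        return []
    collector = _HrefCollector()
    collector.feed(listing_html)
    return [urljoin(images_url, href) for href in collector.hrefs
            if href.lower().endswith(IMAGE_EXT)]


def check_panel(panel_url, timeout=10):
    """Live check: fetch <panel_url>/images/ and report exposed screenshots.
    Only run this against infrastructure you are authorised to test."""
    images_url = panel_url.rstrip("/") + "/images/"
    req = Request(images_url, headers={"User-Agent": "Mozilla/5.0"})
    with urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return exposed_images(body, images_url)


# Constructed sample of what an exposed panel's /images/ listing looks like.
SAMPLE_LISTING = """<html><head><title>Index of /panel/images</title></head>
<body><h1>Index of /panel/images</h1><pre>
<a href="../">Parent Directory</a>
<a href="screen_20160301_120000.jpg">screen_20160301_120000.jpg</a>  54K
<a href="screen_20160301_121500.JPG">screen_20160301_121500.JPG</a>  61K
<a href="readme.txt">readme.txt</a>
</pre></body></html>"""

# Constructed sample of what a locked-down panel returns instead: nothing to list.
SAMPLE_LOGIN_PAGE = ("<html><body><form action='login.php'>"
                     "Password: <input type='password'></form></body></html>")

if __name__ == "__main__":
    base = "http://example.invalid/panel/images/"
    for url in exposed_images(SAMPLE_LISTING, base):
        print("exposed:", url)
    print("locked-down panel:", exposed_images(SAMPLE_LOGIN_PAGE, base))
```

The parse step is separated from the fetch step so the logic can be exercised on saved responses without touching a live panel; from the operator's side the fix is simply authentication on the panel plus disabling directory indexes, and the absence of a listing is exactly what the second sample shows.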

A proportion of these determined sock puppets are using LinkedIn as a means of defrauding a significant number of businesses in the following countries:

  • UAE
  • US
  • UK

Figures are derived from the companies targeted in the panel images.


The sectors targeted include Real Estate, Investment and Law. This kind of fraud is complex in the sense that it requires geographically dispersed criminals to 'link up' in order to succeed. The fraud is highly likely committed from Nigeria (thanks to @techhelplist again, who helped identify the content and the fraud gang). The concept is simple: offering investment or seeking investment, depending on the potential victim.

The belief that this fraudulent operation is run from Nigeria rests on the evidence provided, which included active Facebook content and helpful photographs of places of work and of friends associated with the gang.

The image below is taken from a panel and shows our 'guy' logged into a LinkedIn profile, with a large number of messages all carrying the same content:

Seeking investment or offering investment.

@malwarehunterteam do a great job of supplying a large number of samples of various malware families. iSpy came to my attention recently; its codebase is almost identical to KeyBase, with both employing the same stealing functions. I will post a more detailed article on iSpy when I get time.

Reconnaissance message

We offer secured loand or funds to individuals and companies at low interest rates. we offer long and short terms loans or funding of any projects. Our firm has a recored a lot of breakthroughs in the provision of first-class financial services to our clients.
— Akeem

The message above (quoted as sent) is largely static and appears to be sent to a large number of potential victims. The method of communication varies across email providers. If you believe you've been approached by this gang, or have been part of the attempted fraud process, please contact me; I can share a number of verified IOCs.
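Because the message is a fixed template, it can be spotted on the receiving side even without IOCs: near-identical messages arriving under different sender names are the tell. The following is an added example in Python (my own code, not something from the post or from the gang's tooling) that clusters a constructed mailbox of messages by word-shingle similarity; the first message is the Akeem message quoted above, the other three are constructed for the example.

```python
"""Cluster inbound messages that are variations of one template.
Added example: the first message is the one quoted in the post, the rest
are constructed for illustration."""
import re
from itertools import combinations


def normalize(text):
    """Lower-case and drop punctuation/digits so sender-name swaps, '3%'
    and stray characters do not break the comparison."""
    text = re.sub(r"[^a-z\s]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def shingles(text, k=3):
    """Set of k-word shingles; very short messages fall back to one shingle."""
    words = normalize(text).split()
    if len(words) <= k:
        return {" ".join(words)} if words else set()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets (1.0 for two empty sets)."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def cluster_templates(messages, threshold=0.5):
    """Group message indices whose shingle-set Jaccard similarity reaches
    the threshold.  Union-find, so chains of near-duplicates merge."""
    parent = list(range(len(messages)))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    sets = [shingles(m) for m in messages]
    for i, j in combinations(range(len(messages)), 2):
        if jaccard(sets[i], sets[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i in range(len(messages)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


SAMPLE_MESSAGES = [
    # As quoted in the post, spelling included.
    "We offer secured loand or funds to individuals and companies at low "
    "interest rates. we offer long and short terms loans or funding of any "
    "projects. Our firm has a recored a lot of breakthroughs in the "
    "provision of first-class financial services to our clients. - Akeem",
    # Constructed: same template, spelling tidied, different sender name.
    "We offer secured loans or funds to individuals and companies at low "
    "interest rates. We offer long and short terms loans or funding of any "
    "projects. Our firm has recorded a lot of breakthroughs in the "
    "provision of first-class financial services to our clients. Kind regards, Tunde",
    # Constructed: a genuine business message.
    "Hi, following up on the invoice for last month's consulting work. "
    "Could you confirm the PO number so I can process payment? Thanks, Sarah",
    # Constructed: loan-themed but a different template, so a separate cluster.
    "Do you need a loan? We give out loans at 3% interest rate. Contact us today for funding.",
]

if __name__ == "__main__":
    for group in cluster_templates(SAMPLE_MESSAGES):
        print(group, [SAMPLE_MESSAGES[i][:40] + "..." for i in group])
```

The threshold is deliberately loose, since the senders swap the signature and fix the odd typo between sends, while the 'Sarah' and '3%' messages show that unrelated or merely topical mail stays separate. In practice the useful signal is a cluster seen across many recipients under several distinct sender identities, which is the mass-send pattern visible in the panel screenshots.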

The image below is a capture from the /images/ directory which includes a conversation with the 'master', who shares the devices used to perform the initial reconnaissance. Page 5 of this alludes to the hierarchy involved.

In summary, this kind of attempted fraud via social networks should drive home the message that nobody is necessarily who you believe they are, particularly when dealing with financial transactions.

FireEye produced a research report on the thriving economy of 'scammers' operating out of Nigeria. Page 11 is of interest in the context of the content here.

The scammers use a variety of tools for distributing these exploits and keyloggers, such as email extractors, email notifiers, bulk mailing providers, and VPN/proxy providers. The email extractors help scammers scrape email addresses of potential targets from various sites which are fed to bulk mailing applications. They use proxy providers as a precaution when logging into their victims' accounts to hide their IP addresses. They also use email notifiers to monitor incoming emails.
— https://www2.fireeye.com/rs/848-DID-242/images/rpt_nigerian-scammers.pdf

Trust, but verify is a mantra that I preach. It's disappointing that LinkedIn does not have any method of formal identity verification for its users. There is no PGP key or Keybase.io proof required; even most darknet markets (DNMs) require some form of ID verification!

@thegrugq makes the point far more eloquently than I ever could. In short, the game of cyber security has changed, and the context in which you operate, or call your working environment, is someone else's lunch.

Full slides here