This content is the result of the same 'gang' of Nigerian criminals who favour KeyBase to steal sensitive credentials. I've observed these gangs (along with @techhelplist, who finds a lot of the details included here) using LinkedIn as a new platform to perform attempted financial fraud.
A large number of the screenshots shared with me are the result of a misconfigured KeyBase panel. There is a well-known bug in KeyBase which allows unauthenticated access to the /images/ directory to anyone who knows how to locate them. Palo Alto have listed a large number here.
A percentage of determined sock puppets are using LinkedIn as a means of defrauding a significant number of businesses in the following countries:
The sectors that are targeted include Real Estate, Investment & Law. This kind of fraud is complex in the sense that it requires geographically displaced criminals to 'link up' to be successful. The fraud is highly likely committed from Nigeria (thanks to @techhelplist again, who helped ID the content and fraud gang). The concept is simple: offering investment or seeking investment, depending on the potential victim.
The belief that this fraudulent operation is from Nigeria is based on the evidence provided, which included active Facebook content and helpful photographs of places of work and of friends associated with the gang.
The image below is taken from a panel which shows our 'guy' logged into a LinkedIn profile, and a large number of messages all with the same content.
Seeking investment or offering investment.
@malwarehunterteam do a great job of supplying a large number of samples of various malware. iSpy came to my attention recently, and the codebase is almost identical to KeyBase, with both employing the same stealing functions. I will post a more detailed article on iSpy when I get time.
The message above is pretty static and appears to be sent to a large number of potential victims. The method of communication varies across email providers. If you believe you've been approached by this gang, or have been part of the attempted fraud process, please contact me; I can share a number of verified IOCs.
The image below is a cap from the /images/ directory which includes a conversation with the 'master', who shares the devices used to perform the initial reconnaissance. Pg. 5 on this alludes to the hierarchy involved.
In summary, this concept of attempted fraud by social networks should sufficiently deliver a message that nobody is who you believe they are, particularly when dealing with financial transactions.
FireEye produced a research article on the thriving economy of 'scammers' operating out of Nigeria. Pg. 11 is of interest in the context of the content here.
"Trust, but verify" is a mantra that I preach. It's disappointing that LinkedIn does not have any method of formal verification for its users. There is no PGP or Keybase.io input required; even most DNM require some form of ID verification!
@thegrugq makes the point far more eloquently than I ever could. In short, the game of cyber security has changed, and the content in which you operate or call your working environment, is someone else's lunch.
Full slides here