An ongoing social engineering campaign targeting LinkedIn users has been using the “professional” social network to popularise a specific dating site but, according to Websense researchers, the final aim of the campaign is likely more sinister.
The attackers have created a fake LinkedIn account under the name Jessica Reinsch, which currently has over 400 connections, and is used both to view the profiles of potential targets and to lead them to the aforementioned dating site (“For younger ladies and mature gentlemen”).
“Search features within the social network provide an easy way for scammers and legitimate LinkedIn users to zoom in on their target audience,” the researchers point out. “Whether you are a recruiter looking for potential candidates, a dating scammer looking for "mature gentlemen", or an advanced attacker looking for high-profile directors within particular industry sectors, LinkedIn users have access to tools to help refine their search.”
To do this more effectively, the scammers made the account in question a Premium Account, which allows them to search for users based on their job function, seniority level and company size, all information that can come in handy for future social engineering attacks.
“Note that features of the Premium Account also facilitate a greater degree of interaction with targets. Should a target view the scam profile, the scammer can then see that, for all views. The scammer could also contact any LinkedIn member and search across a greater number of profiles,” the researchers add.
The researchers believe that the scammers are using the dating site as a lure. They pointed out that the site does not currently host any malicious code, but that its IP address has previously been linked to domains that did, as well as to an Autonomous System Number (ASN) that, at one time, included C&C URLs for a number of exploit kits.
All this seems to indicate that the campaign is far from innocuous, and that this is probably just the malicious scheme’s “reconnaissance” phase. Just in case, the researchers have reported the profile to LinkedIn.