Is LinkedIn a Bad Idea for Employers?
On LinkedIn, users connect with colleagues, clients, and friends, advertising their professional specialties in the hope of generating business opportunities. Although that social networking site and others like it may help organizations and their employees build client rosters, they also hand attackers the information they need to target an organization's employees and trick them into running malware. A Google search for "site:linkedin.com" together with a company's name returns the public LinkedIn profiles of people working at the company, their positions, and often a list of their closest colleagues. An attacker who also knows the company's email address format (say, first initial plus surname) can then derive the addresses of many potential victims.
Consider this example. An attacker learns from their profiles that two employees of an organization, Jonathan and Nate, are friends. The attacker sends Jonathan an email that appears to come from Nate, reading: "Jonathan, I would love your thoughts on this PowerPoint I put together for my upcoming conference. Best, Nate." If Jonathan can be persuaded to open the attachment, the attacker's code runs with Jonathan's access and can spread malware that raids the employer's digital treasure chests of valuable information.
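The reconnaissance described above, turning harvested names plus one known address into a target list, is simple enough to put into code. The following is an added example, not code from the article or from Jakobsson; the surnames, the domain example.com, the known address and the set of naming conventions are constructed assumptions. It infers the company's local-part convention from a single address whose owner is known and applies it to every name scraped from public profiles:

```python
"""Added example: infer a company's e-mail convention from one known
address and apply it to names harvested from public profiles.
All names, the domain and the known address are constructed samples."""
import re
import unicodedata

# Common local-part conventions as templates over normalised name parts.
# f / l are the first letters of the first and last name.
CONVENTIONS = {
    "first.last": "{first}.{last}",
    "first_last": "{first}_{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "first.l": "{first}.{l}",
    "lastf": "{last}{f}",
    "last.first": "{last}.{first}",
    "first": "{first}",
}


def normalize(part):
    """Lower-case, strip accents and drop anything that is not a letter,
    so ("Renée", "O'Neil") becomes ("renee", "oneil")."""
    decomposed = unicodedata.normalize("NFKD", part)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def render(convention, first, last):
    """Build the local part for one person under one convention."""
    first, last = normalize(first), normalize(last)
    return CONVENTIONS[convention].format(first=first, last=last, f=first[:1], l=last[:1])


def infer_convention(known_address, first, last):
    """Return the convention that reproduces known_address for (first, last),
    or None when no listed convention matches."""
    local = known_address.lower().partition("@")[0]
    for name in CONVENTIONS:
        if render(name, first, last) == local:
            return name
    return None


def candidate_addresses(known_address, known_name, harvested):
    """Apply the inferred convention to every harvested (first, last) pair.
    Returns [] when nothing matched, so no guesses are sprayed blindly."""
    convention = infer_convention(known_address, *known_name)
    if convention is None:
        return []
    domain = known_address.partition("@")[2].lower()
    return [f"{render(convention, f, l)}@{domain}" for f, l in harvested]


if __name__ == "__main__":
    # Constructed sample: one known address (from a press release, say) and
    # names taken from public profiles of the same company.
    known_address, known_name = "ncole@example.com", ("Nate", "Cole")
    harvested = [("Jonathan", "Ortiz"), ("Renée", "O'Neil")]
    for address in candidate_addresses(known_address, known_name, harvested):
        print(address)  # jortiz@example.com, roneil@example.com
```

A single known address can be ambiguous (a one-letter first name matches several conventions), so in practice a second known address is used to confirm the inference before the list is trusted.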
Markus Jakobsson offers advice on how to combat this problem. Employers could insist that employees not maintain public profiles on social networking sites. They could educate employees about the tactics attackers use. Better spam filtering would make it harder for such messages to reach potential victims, and antivirus protection from an established vendor that delivers regular, reliable updates may block many dangerous attachments.
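One concrete form the "better spam filtering" above could take against the colleague-impersonation message in the example is a rule on the mail gateway: an external sender whose display name matches an internal employee is flagged, and quarantined when the message carries an attachment type that can run code. This is an added example, not part of the article or Jakobsson's advice; the organisation domain example.com, the staff directory and the sample messages are constructed assumptions.

```python
"""Added example: a gateway rule for colleague-impersonation mail.
INTERNAL_DOMAIN, EMPLOYEES and the sample messages are constructed."""
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                 # assumed organisation domain
EMPLOYEES = {"nate cole", "jonathan ortiz"}     # assumed directory of staff display names
# Attachment types that commonly carry macros or executable content.
RISKY_SUFFIXES = (".ppt", ".pptm", ".pptx", ".doc", ".docm",
                  ".xls", ".xlsm", ".zip", ".exe", ".js")


def risky_attachments(msg):
    """Filenames of attached parts whose extension is in RISKY_SUFFIXES."""
    return [
        name for name in (part.get_filename() for part in msg.walk())
        if name and name.lower().endswith(RISKY_SUFFIXES)
    ]


def classify(raw_message):
    """Return 'deliver', 'flag' or 'quarantine' for one RFC 5322 message.
    The sender is judged external when the address domain is not the
    organisation's own; the display name is compared against the directory."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    external = sender_domain != INTERNAL_DOMAIN
    impersonates = " ".join(display_name.lower().split()) in EMPLOYEES
    if external and impersonates:
        return "quarantine" if risky_attachments(msg) else "flag"
    return "deliver"


def build_message(from_header, attachment=None):
    """Construct a minimal sample message (constructed data, not a captured e-mail)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "jonathan.ortiz@example.com"
    msg["Subject"] = "Conference slides"
    msg.set_content("Jonathan, I would love your thoughts on this PowerPoint "
                    "I put together for my upcoming conference.\nBest, Nate")
    if attachment:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


if __name__ == "__main__":
    spoofed = build_message("Nate Cole <nate.cole@example-mail.net>", "conference.pptm")
    genuine = build_message("Nate Cole <nate.cole@example.com>", "conference.pptm")
    print(classify(spoofed))  # quarantine
    print(classify(genuine))  # deliver
```

The rule catches the message in the example, including variants sent from a look-alike domain, because the test is on the sender domain rather than on the name. It does not help when the real Nate's account has been compromised, which is one reason the rule is a complement to, not a substitute for, the employee education the paragraph recommends.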