
We all know how vital it is to keep our data secure and one of the key features of Jobscribe is that we enable you to control who sees your detailed data. However, have you considered where else your data could be leaking during your search for a new job?

In this guest blog, Steve Williams from LNDSR talks about some of the risks of oversharing.

The COVID lockdown has given everyone a chance to rethink their lives, their work and the balance between the two.

The opportunity to work from home has been a great advantage for many people, giving them the freedom and flexibility they didn't have before. While some companies are looking to keep home working in place, others are planning for the return of staff to offices. Working from home is not for everyone; some people miss the face-to-face interaction with colleagues and the hustle and bustle of the workplace.

When writing a CV or a bio about ourselves we aim to give the best possible impression, showcasing our talents and experience. We want to show our relevance in the markets we work in and also in new markets we want to move into. As we do this, we find it is important to list and reference the companies we have worked at before and the projects we have been involved in, as well as our current role and what we are doing right now. In finance, for example, it would not be out of place to show experience in numerous financial systems, your day-to-day activities, the responsibilities you hold (both staff and technical) and perhaps some of the more specialised products you use, if you were targeting more specialised roles.

This works brilliantly. Recruiters love it, and it demonstrates your capabilities and knowledge together with hands-on skills in your market. You also want to put yourself out there…

LinkedIn is clearly the go-to place for professional representation amongst industry peers, and for collecting recommendations and endorsements in your field. So, once you take the best components of your CV and add them to your LinkedIn profile, you have created a great index for cyber criminals to scrape. You have just "told them" which finance systems your company uses, which duties you perform for the company and, with a little digging, who the other people in your department are, along with your bosses and peers.

All of the information you provide in your professional profiles is a valuable, and saleable, asset for cyber criminals.

Here is how it is being used to attack you and your company right now:

Cyber criminals routinely scrape the publicly viewable profiles of all the major social and professional networks and forums for data they can use in phishing and spear-phishing attacks. Bulk, untargeted phishing is the kind of spam email you see with a subject such as "You've been tagged in a picture" or "Outstanding Invoice", carrying a web link or perhaps an MS Word attachment. Needless to say, clicking on either will open malicious content and ensure you have a bad day.

Spear-phishing, on the other hand, is a very specific, calculated, targeted attack. It is delivered in much the same way (email is a fantastically effective tool for threat actors and cyber criminals): the attacker crafts and sends messages designed to draw you into interacting. One form of this is known as Business Email Compromise (BEC). Here the attackers, rather than trying to penetrate a company's IT defences, "hack" you instead. Attackers have only two ways into a corporate network: they either hack the systems or they hack the people. BEC is the attacker hacking you.

Whilst BEC has many playbooks and techniques, money is almost always the immediate goal. The attackers pick a target company and perform reconnaissance: what systems does it use, what vulnerabilities exist on those systems, who works in the finance department, who are the directors, the middle managers and the junior staff, who has access to the banking systems, who can process payment transfers and change customer records. Much of this can be read directly from open LinkedIn profiles. During this recon phase they will also have worked out the format of the company's email addresses (first name dot last name, first initial dot last name, and so on), so once they find your profile with your full name on it, they can derive your work email address. Your profile has told them that you have access to the corporate banking systems or can process invoice payments and financial transfers. If you work from home, or diligently work out of hours away from the office, you are in their sights.

The initial contact will usually arrive late afternoon or early evening, in the hope that you read the opening email on a mobile phone. The email will mostly be short and to the point, pretending to be from your director or your boss's boss: someone suitably senior that you would not usually question, and someone you would be keen to impress by doing them a "favour" or correcting something that seems to have gone wrong. They will ask whether you are still online and have access to the payment systems, and whether you have seen the payment request that somebody supposedly raised earlier and that has not been processed, asking you to resolve it by making a transfer to the details in an invoice or purchase order they will send you.

This is rarely done in a single email; it plays out over two or three, building some form of connection or conversation that makes you more at ease and more compliant. The reason these attacks are sent out of hours is that the address they use will either resemble the company's name or address format in some way, or will appear to be the director's personal mail account. The key is that when you read email on your mobile you usually see only the crafted sender name, not the full email address, which, if you saw it, would make you more suspicious.
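Two parts of the playbook described above can be made concrete in code: the recon step in which the attacker infers the company's address format from a few known addresses and predicts the address of a newly found name, and the defender's counter-check that a display name claiming a known colleague is actually backed by that colleague's real address rather than a lookalike domain or a webmail account. The following Python is an added example written for this page, not code from the original post or from LNDSR. The domain `example-corp.com`, the staff directory and the sample From headers are all constructed for illustration, and the set of local-part conventions in `FORMATS` is an assumption about what a company might use.

```python
import re
from email.utils import parseaddr

# Constructed sample data for this example (not from the original post).
CORPORATE_DOMAIN = "example-corp.com"      # assumed company mail domain
KNOWN_STAFF = {                             # names an attacker could read off public profiles
    "Jane Doe": "jane.doe@example-corp.com",
    "Alan Smith": "alan.smith@example-corp.com",
}

# Local-part conventions commonly seen in corporate mail (assumed list);
# each builds a local part from (first, last).
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
}


def _name_key(text):
    """Normalise a display name for lookup: lower-case, letters only,
    order-insensitive, so 'Doe, Jane' and 'Jane Doe' compare equal."""
    return " ".join(sorted(re.findall(r"[a-z]+", text.lower())))


def _first_last(full_name):
    parts = full_name.lower().split()
    return parts[0], parts[-1]


def infer_format(known=KNOWN_STAFF):
    """Recon step: find the convention that reproduces every known address."""
    for label, build in FORMATS.items():
        if all(build(*_first_last(name)) == addr.split("@")[0]
               for name, addr in known.items()):
            return label
    return None


def predict_address(full_name, fmt, domain=CORPORATE_DOMAIN):
    """Given a full name read off a profile and the inferred convention,
    guess the target's work address."""
    return f"{FORMATS[fmt](*_first_last(full_name))}@{domain}"


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_value, staff=KNOWN_STAFF, domain=CORPORATE_DOMAIN):
    """Defender-side check on a From header value: does the display name claim
    a colleague whose real address the sender does not actually use?"""
    display, addr = parseaddr(from_value)
    addr = addr.lower()
    by_key = {_name_key(name): real.lower() for name, real in staff.items()}
    real = by_key.get(_name_key(display))
    if real is None:
        return "unknown-name"          # not claiming a known identity; nothing to compare
    if addr == real:
        return "ok"
    sender_domain = addr.rsplit("@", 1)[-1]
    if sender_domain == domain:
        return "internal-mismatch"     # right domain, wrong mailbox: worth a look
    if edit_distance(sender_domain, domain) <= 2:
        return "lookalike-domain"      # e.g. examp1e-corp.com standing in for example-corp.com
    return "display-name-spoof"        # known name on a webmail or unrelated address


if __name__ == "__main__":
    fmt = infer_format()
    print("inferred format:", fmt, "->", predict_address("Pat Lee", fmt))
    for h in ['"Jane Doe" <jane.doe@example-corp.com>',
              '"Jane Doe" <jane.doe@examp1e-corp.com>',
              '"Doe, Jane" <jdoe.director@gmail.com>',
              '"Support Desk" <noreply@vendor.example>']:
        print(f"{classify_sender(h):18} {h}")
```

The classifier only does what a mobile mail client hides from you: it looks past the display name at the actual address. A mail gateway rule built on the same idea (display name of a senior staff member, sender domain not ours) catches the out-of-hours "are you still online?" opener before it reaches the phone.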

Aside from BEC, understanding the technical infrastructure of an organisation before attacking it is a pretty big deal for cyber criminals. If an organisation is being targeted, the attackers will do deep recon to understand the technologies in play and the weaknesses they are likely to find. Just as the finance department is mapped out and attacked, so are the people who work in IT departments. Software development teams, desktop support and admin teams are attractive assets to capture. Taking control of user accounts with high levels of access saves the criminals a lot of time and greatly extends the reach of an attack, but such accounts are generally harder to obtain because staff in these areas are mostly more aware of phishing emails and more technically literate. Mostly!

It is more than fair to say that when it comes to unwittingly revealing details of a company's internal computing infrastructure, scraping the LinkedIn profiles of IT and technical staff will almost certainly provide the biggest pay-off for the least effort.

As competition for IT jobs is as fierce as ever, candidates have to make themselves attractive to potential recruiters in order to stand out from the crowd. Detailing their systems, platforms, projects and migration experience is just as important as listing their certifications. This is a data leakage gap that no internal company security system can plug.

As we saw recently, when over 700 million LinkedIn accounts were the victims of data scraping[1], the risk is very real and help is not very forthcoming. LinkedIn responded by saying that it was nothing to do with them: simply put, the user overshared and made the data public, so it is all their own fault.

A simple reminder when building your professional profiles: when you share details of your current company or employer, consider what can be seen publicly by someone who is not connected to you, and be vigilant. If the phishing mails you receive start to look more personal, it may well be because the sender knows a lot more about you than you realise.

---------

[1] PrivacySharks

Steve is a cyber security expert and is CSO at LNDSR.