Iranian Attackers Use Fake LinkedIn Profiles to Target Victims

A threat group believed to be operating out of Iran has created a network of fake LinkedIn profiles as part of a campaign aimed at individuals in the Middle East and elsewhere, Dell’s SecureWorks Counter Threat Unit reported on Wednesday.

The attackers, dubbed “Threat Group-2889” or “TG-2889,” appear to be the Iranian-sponsored hackers whose activities were documented by endpoint security company Cylance in a December 2014 report focusing on a campaign called “Operation Cleaver.”

The group behind Operation Cleaver has been active since at least 2012 and it has targeted more than 50 companies across 16 countries, including organizations in the military, government, oil and gas, energy and utilities, chemical, transportation, healthcare, education, telecommunications, technology, aerospace, and defense sectors.

Researchers at Dell SecureWorks said they haven’t found any evidence to contradict Cylance’s assessment that the threat actor is at least partly operating out of Iran.

Dell SecureWorks’ investigation focuses on a network of fake LinkedIn profiles that appear to be used to target more than 200 individuals located in countries such as Saudi Arabia, Qatar, the United Arab Emirates, Pakistan, the United States, Sudan, India, Jordan and Kuwait.

“A quarter of the targets work in the telecommunications vertical; Middle Eastern and North African mobile telephony suppliers feature heavily. A focus on these types of targets may indicate that TG-2889 is interested in acquiring data held by these organizations or gaining access to the services they operate. A significant minority of identified targets work for Middle Eastern governments and for defense organizations based in the Middle East and South Asia,” Dell SecureWorks threat intelligence experts said.

Using pictures and information copied from various locations on the Web, the attackers created at least 25 LinkedIn profiles, eight of which are what researchers call “leader personas” whose profiles are well designed and have hundreds of connections. Leader persona profiles include education history, job descriptions, and occasionally even vocational qualifications and LinkedIn group memberships, with some of the information copied from legitimate profiles.

Five of the leader personas analyzed by researchers claim to work for American industrial conglomerate Teledyne Technologies, one claims to work at South Korean industrial conglomerate Doosan, one at US-based aerospace and defense firm Northrop Grumman, and one at Petrochemical Industries, a Kuwait-based petrochemical manufacturer.

The other fake LinkedIn accounts are used as supporting personas, which are less developed and only have a handful of connections. Experts believe that the main purpose of supporting personas is to endorse the leader profiles on LinkedIn in an effort to make them seem more legitimate.

By creating LinkedIn personas that appear to be established and genuine, the attackers can identify and study their victims. Since some of the profiles are made to look like they belong to recruitment consultants, the malicious actors also have a pretext for contacting targeted individuals.

Since TG-2889 likely relies on spear phishing or malicious websites to compromise victims, establishing a trust relationship with the target increases its chances of success, Dell SecureWorks explained.

While monitoring the leader profiles, researchers noticed that two of them had been given new identities, with both the photograph and current job being changed.

“Changing personas associated with existing profiles was a clever exploitation of LinkedIn functionality because the new identities inherit the network and endorsements from the previous identity. These attributes immediately make the new personas appear established and credible, and the transition may prevent the original personas from being overexposed,” experts said.
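The two structural patterns described above (supporting personas with only a handful of connections endorsing well-developed leader personas, and a leader profile whose photo and employer change while its connections and endorsements carry over) can be expressed as simple heuristics over profile observations. The following is an added illustration written for this page, not code from Dell SecureWorks or LinkedIn; the `Profile`/`Snapshot` data model, the sample profiles and the thresholds (fewer than 10 connections counts as "thin", 100 or more as "well developed", and 60% thin endorsers as suspicious) are all assumptions chosen for the example.

```python
"""Heuristics for the fake-persona pattern described in the article.

Constructed example. The data model, thresholds and sample profiles are
assumptions for illustration, not SecureWorks' or LinkedIn's own data.
"""
from dataclasses import dataclass

THIN_CONNECTIONS = 10       # assumed: "a handful of connections"
LEADER_CONNECTIONS = 100    # assumed: "hundreds of connections"
THIN_ENDORSER_RATIO = 0.6   # assumed: most endorsers are thin accounts


@dataclass
class Snapshot:
    """One observation of a profile at a point in time."""
    photo_hash: str     # hash of the profile picture as observed
    employer: str       # current employer shown on the profile
    connections: int    # connection count at observation time


@dataclass
class Profile:
    pid: str
    endorsers: set      # pids of profiles that endorsed this one
    snapshots: list     # chronological observations of the profile

    @property
    def connections(self):
        return self.snapshots[-1].connections


def thin_endorser_ratio(profile, directory):
    """Share of a profile's endorsers that are themselves thin accounts."""
    if not profile.endorsers:
        return 0.0
    thin = sum(1 for e in profile.endorsers
               if directory[e].connections < THIN_CONNECTIONS)
    return thin / len(profile.endorsers)


def identity_switches(profile):
    """Count observations where photo and employer changed together while
    the connection count did not drop, i.e. the network was inherited."""
    switches = 0
    for prev, cur in zip(profile.snapshots, profile.snapshots[1:]):
        if (prev.photo_hash != cur.photo_hash
                and prev.employer != cur.employer
                and cur.connections >= prev.connections):
            switches += 1
    return switches


def assess(directory):
    """Return {pid: [finding, ...]} for profiles matching either pattern."""
    findings = {}
    for pid, prof in directory.items():
        hits = []
        if (prof.connections >= LEADER_CONNECTIONS
                and thin_endorser_ratio(prof, directory) >= THIN_ENDORSER_RATIO):
            hits.append("leader_endorsed_by_thin_accounts")
        if identity_switches(prof) > 0:
            hits.append("identity_switch_with_inherited_network")
        if hits:
            findings[pid] = hits
    return findings


def sample_directory():
    """Constructed sample: two suspect leaders, three supporters, one
    genuine profile with genuine peers. Names and values are invented."""
    d = {}
    for i in range(1, 4):  # supporting personas: few connections
        d[f"support{i}"] = Profile(f"support{i}", set(),
                                   [Snapshot(f"ps{i}", "Shell Co", 3)])
    for i in range(1, 3):  # ordinary, established peers
        d[f"peer{i}"] = Profile(f"peer{i}", set(),
                                [Snapshot(f"pp{i}", "Real Corp", 300)])
    # leader A: well developed, endorsed only by the supporting personas
    d["leaderA"] = Profile("leaderA", {"support1", "support2", "support3"},
                           [Snapshot("pa", "Conglomerate A", 412)])
    # leader B: photo and employer swapped, connections retained
    d["leaderB"] = Profile("leaderB", {"support1", "genuine"},
                           [Snapshot("pb1", "Conglomerate A", 380),
                            Snapshot("pb2", "Petro Co", 395)])
    # genuine profile endorsed by established peers
    d["genuine"] = Profile("genuine", {"peer1", "peer2"},
                           [Snapshot("pg", "Real Corp", 250)])
    return d


if __name__ == "__main__":
    for pid, hits in assess(sample_directory()).items():
        print(pid, hits)
```

In the sample, `leaderA` is flagged because every one of its endorsers is a thin account, `leaderB` because a later snapshot shows a new photo and employer with the connection count intact, and `genuine` produces no finding. Real deployments would need observed data and tuned thresholds; the value of the example is the shape of the signals, not the numbers.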

This is not the first time Iranian threat actors have used fake social media profiles in their operations. In May 2014, cyber intelligence company iSIGHT Partners analyzed a campaign in which attackers had used over a dozen fake personas on various social networking websites.

Last month, the security community was warned about a series of fake recruiter profiles on LinkedIn that appeared to be targeting infosec specialists.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
