Is Your LinkedIn Profile at Risk?

The proliferation of malware and other cyber-threats is exceeded only by the ingenuity of those perpetrating the crimes. Today, it seems as though no product, service or solution is safe.

The latest worry? Cyber-threat groups, reportedly based in Iran, have created an extensive network of fake but convincingly real LinkedIn profiles.

The Dell SecureWorks research team, known as CTU, published a report outlining the risk, along with the methods that cyber-crooks are employing. This cyber-threat group, dubbed “Threat Group 2889,” is reportedly using LinkedIn to conduct cyber-espionage. They are creating fake profiles, some of which appear to be recruiters for international companies.

Researchers say the fake network was created to help the threat actors target potential victims through social engineering. When analyzing the legitimate LinkedIn accounts associated with the fake accounts, the CTU found that there were 204 legitimate LinkedIn accounts affected—most belonging to employees in the Middle East, North Africa and South Asia, Europe and the United States.

Here are some of the key questions and answers included in the report:

Who’s behind the cyber-threat?

The CTU believes TG-2889 is the same threat group that security firm Cylance calls the Operation CLEAVER team. Cylance documented this group in December 2014.

Who was targeted?

The majority of the legitimate LinkedIn users (the suspected targets) work in the telecommunications, government and defense sectors, and many are located in the Middle East and North Africa.

“Validated identity on the Internet is a rare thing. Executives should be aware that adversaries will leverage social media platforms to engineer conversations with targets,” notes Don Smith, director of technology at Dell SecureWorks.

What’s the Goal?

Seemingly genuine, established LinkedIn personas help TG-2889 identify and research potential victims. The group establishes a relationship with targets by contacting them directly, or by contacting one of the target’s connections.

“In the case of social networks, validating a connection through existing contacts isn’t good enough. You should not accept connections from people that you don’t know,” Smith warns.

What is the attack method?

Cyber-thieves use TinyZbot malware (a password stealer, keystroke logger and multifunctional Trojan) and disguise it as a résumé application.

What domains do these hackers use?

According to Cylance, the CLEAVER team used the following domains:

Where are these domains located?

Numerous domains used in the CLEAVER campaign were registered in Iran. Moreover, Persian hacker names were used throughout the Operation CLEAVER campaign.

What other evidence exists that the profiles are fake?

One profile photograph appears on numerous Websites, including adult sites, and it is linked to multiple identities. In addition, one profile’s “summary” is identical to that of a legitimate LinkedIn profile.

Is there a continuing threat?

Yes. It is likely that TG-2889 maintains personas that have not yet been identified, and that other threat groups also use this tactic. “While it is difficult to estimate the size of the threat, it’s clear that this is a technique that works,” Smith reports.

Is it possible to protect against this threat?

Yes. Here are some suggestions:

Avoid contact with known fake personas.

Connect only to personas belonging to individuals you know and trust.

Use caution when engaging with members of your colleagues’ and friends’ networks that have not been verified outside of LinkedIn.

When contacted within LinkedIn, seek confirmation that the individual is legitimate by directly contacting the individual’s purported employer.

In the end, CTU noted that organizations may want to consider policing abuse of their brand on LinkedIn and other social media sites. If an organization discovers that a LinkedIn persona is fraudulently claiming an association with the company, it should contact LinkedIn immediately.

Finally, on an individual level, Smith says it’s important to display a “healthy distrust of contacts from people you don’t know physically.”