#DTX2022: How to Scam Someone Using Social Media Phishing
In February 2022, Jake Moore, global cybersecurity consultant at European company ESET, took this literally and attempted to hack multiple employees of the same company, using only publicly available information, off-the-shelf tools and social engineering techniques. He shared his experience at DTX Europe on October 13, 2022.
Moore’s goal was to leverage LinkedIn, a professional social media platform with over 800 million users, 40% of whom access it daily. “The LinkedIn InMail messaging system gets four times more replies than a traditional email. I was wondering if I could use it for phishing,” he said.
Get the CEO’s password
He started creating and building a fake profile called “Jessica” without knowing what to use it for. “LinkedIn says they do a lot to make sure the profiles on their platform aren’t fake, but their algorithm is pretty bad at that. It’s basically looking for accounts that were created one after the other – not really what you did with them. If you create an account to look real by creating a history, posting, liking and connecting, you bypass all LinkedIn checks,” he added.
That’s what the cybersecurity consultant did – downloading a fake image from the site ThisPersonDoesNotExist, choosing a female-looking face to exploit some people’s tendency to use LinkedIn as a dating site, creating a fake background in the television industry, and claiming a fake position at the British national broadcaster ITV.
“Within a month I had many interactions and people were very kind to me. She has more followers than me in about two months,” Moore recalled.
At this point, Moore didn’t have a goal: “I had this profile in my back pocket. I don’t know when, but I will use it one day,” he said.
He did so a few months later when a company CEO invited him to hack the company and give a presentation at their next online event. “I didn’t want to attack the CEO directly because he knew I was going to hack him, so I sent his personal assistant a form asking for an interview for ITV, which she sent to him, and I asked him to give me his password.”
Hack the employees by flirting
Moore shared his experiences at the online event. After his presentation, the CISO of a major Bournemouth law firm asked Moore to use his fake female LinkedIn profile to try to do the same with her colleagues.
The CISO gave Moore a list of names and contacts from her company, and he began sending connection requests to a few of them on LinkedIn. Then he decided to create an Instagram profile for Jessica. “After that, I got 65% of people accepting my request on LinkedIn and 80% on Instagram.”
He then turned Jessica’s TV background into a legal one to add credibility to her LinkedIn and Instagram requests.
Moore, aka Jessica, then messaged those connections, saying that she was looking for a job and found their company exciting, but that she was also looking elsewhere and wanted to know what “the vibe” was, Moore explained. “Three people added Jessica and responded very quickly,” he added.
The three, all men, began using flirtatious language. Using the situation to his advantage, Moore sent them a link to the job Jessica was supposed to apply for and asked for their opinion.
He kept the conversations going and sent them fake PDF and ZIP files, which all three clicked on.
Suddenly, Moore realized that all three had blocked Jessica’s profile.
“Then I got a call from the company’s CISO. She asked me, ‘Are you Jessica and are you attacking us on LinkedIn?’ I said it was me. She said, ‘Oh my god, what have they done? They told me they did something they shouldn’t have on their work computers.’ That was the result I wanted!”
All three targets could have been hacked, but “at least they reported it to their CISO when they found out,” Moore said.
“The CISO then told me, ‘You made a crucial mistake: These three men sat in a row and all talked about the girl they were talking to.’ Who knows where it would have ended if I had targeted different people across the company.”