Old Methods, New Actors – 419-style Business Identity Theft Scams Hit LinkedIn
Recently LinkedIn has been flooded with malicious actors using fake accounts pretending to be business individuals in legitimate institutions in order to engage in an interesting variant of “419”-style phishing attacks. The attackers will reach out to create new contacts over a period of time. The message will tell the intended victim that they wish to reach out to conduct business of some sort. Upon accepting the invitation to connect, the victim is then sent a message containing a throwaway email address intended for further discussion. It is interesting to note that identified samples have been targeted to specific industries, specifically to the financial / government verticals. The samples below claim to originate from someone in the US Army.
LinkedIn 419 Message from SGT JAMES LOPRESTI
Messages from individuals claiming to be from large international banks have also been observed.
Upon reaching out to the provided e-mail address of firstname.lastname@example.org, the victim will receive a response that is along the lines of the typical “419,” or advance fee, scam. These types of messages have been hitting e-mail and physical mail addresses around the world for decades.
LinkedIn 419 Message Followup E-Mail from email@example.com
Background of 419 Scams
The term ‘419 scam’ is slang adopted from the Nigerian Criminal Code, which criminalizes the advance fee fraud scheme. Typically, a victim is led to believe they will earn a substantial sum of money for assisting the international transfer of a larger amount of funds from politically turbulent regions. There are variants of the scam, such as ones that take place on dating sites (aka the ‘419 dating scam’).
The technique has been prolific in Nigerian cybercrime culture for many years, and at one point the country was a primary source of this scheme. However, the scam has never been limited to Nigeria alone. Malicious actors from Asia, Europe, and North America are also known to engage in this type of fraud.
For the last several years, information security professionals have theorized that it would only be a matter of time before malicious actors realized the advantages of targeting the identities of corporations and prominent business individuals as opposed to the identity of the average citizen. Attackers have been engaged in profiling high net worth individuals for some time for the purposes of extortion, stock fraud, bank wire theft, and similar capers. However, these attack scenarios often required a good deal of time invested in research, targeting, and correct timing for an attack.
Why is this happening on LinkedIn?
In today’s interconnected world of social networks and the widespread assumption that a validated, logged-in digital identity is the same as the individual at the keyboard, the opportunities for mass fraud attacks have never been more promising. Whereas previous attack scenarios required extensive target research, the prolific migration of individuals from all walks of life into the world of the Internet for the purposes of conducting business has created an environment whereby simple methods of social network spamming and/or account compromise can be used to assume a complete identity. LinkedIn is a reputable social network for business use, and thereby is an attractive target to malicious actors.
Research business social network contacts before connecting with unknown individuals, and treat unsolicited incoming communications from your trusted contacts with some degree of caution as they may eventually be the victim of an account compromise. Furthermore, do not engage in additional communications with the malicious actor. Sure, it can be fun to troll the fraudster with all sorts of time/bandwidth wasting methods, but that just validates that your e-mail address is active and you will continue to receive these scam letters.
Additionally, do not reuse your passwords. A single compromised account could be the keys to your kingdom if you do not use 2 factor authentication mechanisms.
The 419 Advance Fee fraud will continue to exist and evolve with the new communication methods that become readily adopted by mainstream populations. Awareness of the scam and simple personal security hygiene measures can reduce your attack surface area and the fraudster will continue to look for other prey.
419 Scam – A form of advance fee fraud that arrives via e-mail. 419 is adopted from the Nigerian Criminal Code.
419 Dating Scam – A variant of advance fee fraud whereby the victim is duped into believing they are sending money to an overseas romantic partner.
Spear Phishing – Sending targeted malicious links or attachments to specific individuals within an institution.