Last month we unpacked some of the security challenges facing human resources (HR). Hackers trying to breach the network directly are not the only problem in the world of HR today.
The other significant threat facing HR is hackers using fake social media and business networking profiles to build trust. This is another social engineering tactic hackers rely on to gain access to private networks, obtain passwords, or simply establish trust.
A major part of the art of human resources is getting yourself out there. That is why HR relies so heavily on social networking services. Recruiters need to create an online presence that helps attract the best talent. Yet in the quest to mine data from security-cleared professionals, some recruiters have found their public-facing information lifted and used to create fake profiles.
Faux HR Profiles
There have been numerous reports of fake profiles that have been posted on networking services such as LinkedIn, where hackers have posed as recruiters.
These attacks don’t seem to actively attempt breaches of networks; rather, they are part of a long-term effort – akin to a “long con” – to create connections as a way to gain information that could be used in later attacks.
“This has been going on for a few years, but has largely not been reported in the media,” explained Alan Webber, research director for IDC Government Insights’ National Security and Intelligence research program. “From what we know, it involved at least three contacts from another nation state that were connecting with people to gain trust, and later tried to get into some networks.”
This particular case, where those hackers created fake profiles for HR recruiters, was unique because the individuals ended up in a vast number of executives’ connections. Because these individuals were in a network, it wasn’t long before they managed to find other connections, and with that came the aforementioned level of trust.
“People see LinkedIn and similar services as simply a rolodex, but this is a pretty big deal because connections can be seen as endorsements and that creates unwarranted trust,” added Webber.
This is especially true as fake accounts aren’t really that hard to create in the first place, and once created the connections can come quickly.
“With 17 million profiles it is getting easier for hackers to blend in,” said Bob Baxley, chief engineer at security firm Bastille.
But, he has 500+ connections and 3,000 endorsements!
The concern then becomes that someone doing due diligence to confirm the identity of a recruiter could see the connections, and that could make the profile seem legitimate. Those looking for work and those who do recruiting need to be extra cautious about what a profile says. Just as a resume can be padded with misleading information, so can networking profiles, warn the experts.
In many cases a simple phone call or email would be all it takes.
“I’m pretty amazed at how little diligence is shown to basics like reference checks,” said Jim Purtilo, associate professor in the computer science department at the University of Maryland. “I enjoy a huge base of former students and research collaborators, and I provide references for many; still, the number of our alumni who turn up with new jobs without our ever having been contacted gives me pause.”