The Cost of a Connection
Security Management, Megan Gates, February 1, 2019
Kevin Patrick Mallory served in the U.S. military, worked as a special agent for the U.S. State Department Diplomatic Security Service, and later as a CIA case officer–often stationed around the world to work with defense contractors and on U.S. Army active duty deployments.
He had a Top Secret security clearance and was fluent in Mandarin. He was also convicted of espionage for passing information to an agent of the People’s Republic of China (PRC).
How did Mallory and the agent initially connect? Via LinkedIn, when the operative—called Michael Yang—reached out to Mallory, posing as representative of a PRC think tank—the Shanghai Academy of Social Sciences—and requested to meet with him.
Mallory ended up traveling to Shanghai with eight classified documents, which he gave to Yang and his supervisor during a meeting. When Mallory returned to the United States, he was detained by U.S. Customs and Border Protection (CBP) for a secondary search and interview.
During the interview, Mallory claimed he had traveled to Shanghai for business and met with an individual he knew through his church to consult on anti-bullying and family safety development. He also checked on a form from CBP that he was not carrying more than $10,000 in U.S. or foreign currency.
Upon a search of his belongings, however, CBP found $16,000 in Mallory’s carry-on bags. The FBI later interviewed Mallory, who told agents that he had been contacted on social media by a Chinese recruiter, had phone interviews with that recruiter’s client, and traveled to Shanghai on two occasions to meet with the recruiter’s boss.
Mallory was ultimately arrested, charged, and convicted of conspiracy to deliver, attempted delivery, delivery of defense information to aid a foreign government, and making material false statements.
“This trial highlights a serious threat to U.S. national security,” Nancy McNamara, the FBI’s assistant director in charge of the Washington Field Office, said in a statement. “Foreign intelligence agents are targeting former U.S. government security clearance holders in order to recruit them and steal our secrets.”
U.S. Director of the National Counterintelligence and Security Center William Evanina went on record in the summer of 2018 to discuss what he—and the U.S. intelligence community—had been seeing on LinkedIn.
In an interview with Reuters, Evanina explained that China was conducting a campaign to target thousands of LinkedIn members at a time to recruit Americans with access to government and commercial secrets.
Evanina declined to say how many of these recruitment accounts U.S. intelligence had discovered or how much success China has had in using them.
While individuals and organizations have been using social media to target users for government secrets or corporate intellectual property, LinkedIn is especially attractive for social engineering, says James Carnall, vice president, customer support group, at LookingGlass Cyber Solutions.
“When you look at what the levers are for social engineering, you’re either appealing to authority, emotions, or logic,” he explains. “This platform appeals to a lot of that in an emotional way. We want to connect to our boss because we want to feel important. When we talk about community, we want to collect people and be seen as smart and clever.”
Nefarious actors can use LinkedIn for a honeypot attack, like they might use a dating site, to appeal to that feeling of being appreciated and wanting to connect with someone to obtain information about their business or level of access.
This is a tactic that Don Aviv, CPP, PCI, PSP, president at Interfor International—an investigation and corporate intelligence firm—says he sees others using against his corporate clients.
“When you break it down to its bare bones, utilizing LinkedIn is another attempt at using social media to engineer an attempt at fraud, theft of proprietary information, whatever the company does for a living,” Aviv says. “We work for Fortune 500 companies that have been hit by these attacks…and the goal is to figure out who is reaching out and why.”
Besides espionage, one of the most prevalent reasons malicious actors are targeting individuals on LinkedIn is to find out more information about a company’s financial protocols and procedures so they can carry out CEO or CFO spoofing attacks.
For instance, a fraudster might look to connect with various individuals in a company’s finance department to learn who is responsible for initiating wire transfers and when that individual might be traveling.
Aviv himself set up a test to teach Interfor employees and clients how this works. He created a fake profile for himself on LinkedIn, connected with other individuals, and shared his travel plans on the account.
Shortly after Aviv left on his fake trip, a fraudster sent an angry email that appeared to come from Aviv to Interfor’s finance director. The email had information about the company’s vendors, contained an invoice requesting payment, and contained a modified wire transfer code to use for the transaction.
Aviv says he sees roughly six or seven requests per month from companies that received similar emails and are looking to find out who is perpetuating the fraud and how to prevent it.
This type of fraud is also more prevalent in the Asia and Pacific regions, as opposed to the United States and Europe, where Aviv said there is more awareness of CEO and CFO spoofing.
“It has become much more publicized—a lot of the compliance departments are catching on,” Aviv says. “In Asia, there’s a demographic difference. A lower-level employee will be much more reluctant to not follow that transaction order.”
Security Management reached out to LinkedIn to discuss the matter, but the company declined an interview. Instead, spokesperson Anne Trapasso sent over three blog posts by the company on cultivating trust, fake account detection, and reporting spam, inappropriate posts, and abusive content.
“When you’re on LinkedIn, you want to know that you’re talking to real people, you feel safe, and you’re engaging with professionally relevant content,” wrote Madhu Gupta, director of product management, trust, and security for LinkedIn in a post after Evanina’s statements. “One of the most important ways we do this is by empowering you to control your LinkedIn experience. From deciding whether to accept a connection request to displaying contact information on your profile, you control your interactions on LinkedIn.”
This control includes deciding how to present yourself on LinkedIn—the content of your profile, posts you make, and who can see this information is visible—and vetting your community of connections, Gupta explained.
“Examples of these features include filters for who you can receive messages from and invitation controls that allow you to accept, deny, or ignore a connection request,” she wrote.
Mark Folmer, CPP, vice president, security industry, TrackTik, is a robust social media and LinkedIn user who joined the network roughly 10 years ago.
He does not share a lot of personal information in his profile but does have his phone number and main business email posted. Folmer also regularly receives what he would call “fishy” connection requests from other LinkedIn users.
“It happens all the time—the standard no personalized message, just an invite from x, y, or z, with one connection or no connections in common,” Folmer says.
Other signs that a profile might be fake are connection requests from someone based in a country TrackTik does not do business in, an incomplete profile, titles that do not seem to line up with the general business market, or someone whose employment record jumps around.
“If it’s too good to be true, someone who sounds like they would be the perfect connection—why are they writing to me from Romania?” Folmer says. “Why are they interested in connecting with me?”
Instead, Folmer says he will likely connect with those who are in the same industry, have connections in common, are ASIS International members, or include a personalized message in their connection request.
“When I reach out to someone—especially someone I haven’t met yet—I try to put some context into the invite, such as, ‘Hey these are the people we have in common, certification, or I’ve seen you write about this and I’d like to meet,” Folmer explains. “It’s my way of saying I’m a real person and I’m not going to sell you something or try to skim something off of you.”
These are good rules to follow, and both Carnall and Aviv say employers should discuss best practices for LinkedIn hygiene with employees to help prevent them—and the company—from being targeted by malicious actors.
For example, Carnall suggests creating guidelines that prohibit discussing secret projects on social media or posting about budgetary amounts.
“Looking from a criminal perspective, that provides too much information for people to socially engineer,” he says.
And if an employee is posting information online that could make the company vulnerable, Carnall says security and human resources should speak with the employee to use it as a teaching moment.
“HR should incorporate a conversation about social media as part of any onboarding for any new employee,” he adds. “It’s important for the organization to work with the employee; there’s a balance of promoting themselves as an individual to be proud of themselves and advertise to others the work they and the company are doing.”
LinkedIn has a process for reporting suspicious activity and fake user accounts, which Carnall says works well if you are able to establish that a malicious user is posing as a real user.
He also recommends that visible people, such as executives, create legitimate accounts on social media services in their own name to claim that name and “because it’s much easier to have a site take action” if you are a user.
And approach all connection requests with a certain level of skepticism, Aviv says.
“Look at their profile and ask why they are reaching out to you—and be willing to ask them via the message function,” he adds. “When you challenge it, they may go away. And the people who talk to you, you’ll be able to figure out if they’re up to no good.”