“419 scams” revived on LinkedIn – old phishing bait in new pond

Unsuspecting users of professionals-oriented social networking site LinkedIn are being conned by scam artists into revealing personal financial information, say security experts.

Advanced fee fraud – also known as “419 scams” after the relevant section of the Nigerian penal code – are well-known to most e-mail users.

The fraudster poses as a foreigner that has lucked into millions, but needs help to keep their money secure (one fraudster even pretended to be an African astronaut aboard the International Space Station).

As soon as someone is naïve enough to share their bank account information, they find that money is withdrawn from their account – not deposited, as promised.

Stymied by corporate e-mail filters, but buoyed by the trust that users are giving social networking sites, scammers are trying their old tricks again but this time using new channels, according to Graham Cluley, senior technology consultant at Abingdon, U.K.-based security vendor Sophos plc.

“Now they’re trying their scam with a network used by businesspeople,” he says. “By using this mechanism, the criminals know they’re talking to people who aren’t 13-year-olds, but people with money in their pockets.”

Cluley shares one example of the phishing attack he received on LinkedIn.

A user named Natasha Kone claims to be a 22-year-old woman from the Ivory Coast. Her message goes through the usual scam-artist routine of describing the $6.5 million inheritance left to her by a deceased father, and why she’s looking for a foreign partner to help secure the money.

It’s a ploy most people would dismiss out of hand.

“The problem is that common sense isn’t very common,” Cluely says. Sophos knows of many examples of normally astute individuals suckered in by nicely formatted e-mails, and some have lost dollar sums in the millions.

Social networking sites are now the top phishing target, according to the most recent Internet Security Threat Report from Symantec Corp.

The sites are the source of the most phishing attacks in the top three countries where phishing is most prevalent – the U.S., China, and Romania.

Overall, phishing messages went up by five per cent in the second half of 2007. There were a total of 207,547 unique messages identified – that’s 1,134 different messages for each day in that six-month period.

Scammers are enjoying the trust that social networking users tend to give to the Web sites. Users feel a false sense of security due to being connected to a network of their peers.

“[Careless] users are accepting friend and network requests from people they don’t even know,” says David Senf, director of research for Canadian security at Toronto-based IDC Canada. “The trouble is no one wants to be rude.”

But workers should be more stringent about who they add to their friends list, experts say. There’s no guarantee the person you’re adding isn’t an Internet impersonator. Once a scammer is on your friend’s list, you’ve given them an open route to repeated attempts at nabbing your sensitive information.

One simple measure LinkedIn users can take is to only accept invitations from people who at least know your e-mail address, Cluley says.

It’s an option that can be simply turned on.

“It’s just an extra little bit of effort that most criminals will not take,” he says. “They can’t just willy-nilly spam everyone on LinkedIn.”

LinkedIn’s user conduct agreement states that misrepresenting your identity on the network is a breach. So is the use of invitations to send messages to people you don’t know.

ITBusiness.ca requested an interview with a LinkedIn spokesperson, but there was no response at the time of publication.
One security expert said businesses can’t take it for granted that LinkedIn will delete the accounts of all the bad guys out there.

For this reason, there should be a policy in place to address how employees use social networks, according to Jim Lippard, director of information security at Florham Park, N.J.-based IP network provider Global Crossing Ltd.

“Advise employees not to put the company’s proprietary information onto their profiles,” he says. “Just be aware the information can be read by anyone.”

Even users who consider themselves careful about who they add as friends have to be careful, Lippard adds. Social networks are made more unsafe for everyone by those who accept every connection put forward to them.

Staff recruiters at large corporations often have large friend lists, for example. The presidential candidates in the U.S. election also have profiles and will accept anyone as a friend to build their popularity showcase, the security expert says.

“They’re operating their profiles like a MySpace bands page,” Lippard says. “Once you have an indiscriminate group of people doing this, that means there are more unsecure links closer to all users.”

For now, one fraudster’s identity has been removed from LinkedIn. Natasha Kone has been deleted from the social network’s database. But there’s no telling how much damage the scammer has already done.

“I’m sure the only person who really knows is the one lurking behind the identity of Natasha Kone,” Cluley says.

Share on LinkedIn Share with Google+
More Articles