A group of suspected Iran-based hackers called TG-2889 has created a network of fake LinkedIn profiles, according to security researchers at Dell.
The 25 fake LinkedIn accounts are fully fleshed-out profiles, with regularly updated pictures, job descriptions and endorsements. Some of the profiles have repeatedly changed names and descriptions, allowing them to maintain old connections while pursuing new ones, and several have copied over details directly from legitimate profiles.
Even more alarming, many of the imposters claim to work at major corporations such as Northrop Grumman and Airbus, and several of them work as “recruitment consultants” — giving them cover to directly contact users.
“CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.”
The fake accounts are split into “leaders” and “supporters”, with the less fleshed-out supporter accounts largely acting to provide legitimacy to the primary accounts.
Between them, the profiles have racked up hundreds of connections with real people, and the connections appear to be highly targeted. More than a quarter of the connections are with people who work in telecommunications, especially in the Middle East and North Africa. Another significant segment is made up of people who work for governments and defense organisations in the Middle East and South Asia.
Dell have highlighted 204 potential targets. Most are in the Middle East, but they are spread all across the globe. The concentration of the targets in specific industries, combined with the corporations the fake profiles claim to work for (largely defense contractors and industrial organisations), leads the researchers to believe the campaign is aimed at the aerospace industry. The countries targeted make them believe it originates from Iran.
It is likely that not all of the fake profiles have been identified, and this isn’t the only such campaign being conducted. So, for the rest of us, the researchers have these recommendations:
- Avoid contact with known fake personas.
- Only connect to personas belonging to individuals you know and trust.
- Adopt a position of sensible caution when engaging with members of colleagues’ or friends’ networks that you have not verified outside of LinkedIn.
- When evaluating employment offers originating from LinkedIn, seek confirmation that the individual is legitimate by directly contacting the individual’s purported employer.