After Facebook, Twitter and emails its now Linkedin's turn.
Many people from all over the world are exposing their lives on social networks which makes it much more easy for an hacker to collect the needed information in order to gain their trust and gain sensitive information. Once an hacker got this information, with social engineering, a target’s trust can be leveraged to extract personal information or deliver malicious payloads.
On September 15th, streaming service Vevo disclosed a massive data breach, to the tune of 3.12TB of sensitive internal data. The breach occurred after one of its employees was compromised via a LinkedIn phishing campaign, demonstrating again that social media is an incredibly effective vector for launching targeted attacks. Already this summer, attackers have successfully used similarly fake social accounts to persuade employees at oil and gas companies, a cybersecurity firm, and a government department to open malicious attachments designed to take control of victims’ devices.
The more information an attacker can glean about the victim’s family, hobbies, home address and personal connections, the better they can craft a unique spearphishing message. To boot, once the attacker has lifted the relevant information from the targets social media accounts during the reconnaissance phase, they can then launch the attack from directly within the social network by posting the payload to the user’s profile or sending it via direct message. It’s likely the Vevo attackers followed this exact attack workflow when distributing their attacks.