Social Media Operations Security Challenges Within A Remote Work Environment

LinkedIn’s newest feature, ‘LinkedIn Stories,’ could be the ‘low hanging fruit’ cyberthreat actors need to exploit critical infrastructures. The caliber of individuals with an active presence on the corporate social media platform could make the exploitation of ‘LinkedIn Stories’ very tragic, especially during the COVID-19 remote work culture. For organizations whose remote workers possess poor cybersecurity hygiene, the ‘LinkedIn Stories’ feature could prove lethal.

Have you ever wondered what landmarks are adjacent to your CEO’s home? What about the network architectural layout powering the networking devices within the home of your Director of Human Resources? Of course, such intelligence probably means nothing to the average person. However, to a state-sponsored Advanced Persistent Threat (APT) actor, said intelligence is a goldmine because it helps to streamline the first step of the attack chain – reconnaissance.

Thanks to a brand new feature from the digital ‘rolodex’ of the corporate world, LinkedIn, members of the Maze ransomware gang could easily engineer an extremely targeted spear-phishing campaign relating to the make and model of the IoT-enabled thermostat in your CEO’s home.

How is that remotely possible? Well, your CEO’s poor cybersecurity hygiene while using LinkedIn Stories (unknowingly) created a path of least resistance, which could cost your organization $100,000 in ransom payments.

World, meet LinkedIn Stories.

LinkedIn Stories, meet ‘accidental’ operational security (OpSec) blunders in near real time.

LinkedIn as a Soft Target For APT Actors

Professional social media sites, like LinkedIn, provide immense value to individuals and organizations alike. LinkedIn is where most top decision makers from Fortune 500 companies spend their down time; as such, it has helped millions of users land dream jobs and connected innovators with seed investors.

Hence, this makes LinkedIn a ‘target-pond’ environment, viewed as a one-stop shop by advanced threat actors looking to leverage the weak security hygiene of executives, employees, and entire organizations. In fact, historical data have shown that LinkedIn has been used as a launching pad to implement malicious campaigns, including misinformation

User Operations Security (OpSec) Challenges With The ‘LinkedIn Stories’ Feature

Malicious actors love taking the path of least resistance when exploiting ‘low hanging fruits,’ and social media sites are perfect surfaces for extracting valuable information often used in cyberattacks.

Although the ‘LinkedIn Stories’ feature is merely a few weeks old, many users have already exposed sensitive corporate and personal information. For instance:

  • Employees showing off their Work-From-Home setup, meanwhile unknowingly exposing corporate email threads and other privileged data.
  • Videos or photographs revealing SoHo IT network infrastructures, including network routing and communication topologies.
  • Trackable landmarks featured in a user’s LinkedIn Story, which give malicious actors a good idea of your neighborhood for nefarious activities.

Therefore, industry professionals who intend to use the new ‘LinkedIn Stories’ feature should evaluate it in conjunction with the other existing vulnerabilities and/or loopholes native to the platform.

Preventing Data Spillage While Using ‘LinkedIn Stories’

LinkedIn Stories is an exciting new feature for pitching your profile in a visual and more engaging manner, but it also comes with its own risks from a cybersecurity perspective, data spillage being the most critical among them. Healthy security hygiene must be maintained at all times while using such features, and proper planning of what will be displayed in the story is mandatory.

While utilizing LinkedIn Stories in all of its glory, below are brief best practices to maintain a comprehensive security and privacy posture:

  • Never display or share content that carries private, sensitive, or confidential information.
  • Your stories may have the potential to generate a new audience, so avoid accepting any unsolicited connection requests or offers that seem too good to be true.
  • Revisit security and privacy settings on your user account, and leverage two-factor/multi-factor authentication protocols.
  • Report suspicious interactions to LinkedIn security immediately.

Conclusion

While social media platforms introduce new and exciting features every day, security best practice and awareness training are oftentimes lacking. This situation provides cybercriminals with lucrative opportunities to exploit vulnerabilities, including zero-days, design flaws, poor user security hygiene, etc.

The new ‘LinkedIn Stories’ feature is the latest addition to the opportunities available to advanced persistent threat actors looking to streamline their attack methodologies on social media platforms. ‘LinkedIn Stories’ is capable of exacerbating inherent OpSec challenges linked to poor cybersecurity culture within an organization. As we celebrate Cybersecurity Awareness Month this October, active users of LinkedIn (and all social media platforms) must remain mindful of their surroundings while recording ‘stories,’ so as to prevent sensitive data leakage.
