Foreign spies are using fake LinkedIn profiles on an “industrial scale” to gain information about the United Kingdom’s national security, with more than 10,000 “disguised approaches” detected by MI5 in the last year. The warning from the Centre for the Protection of National Infrastructure comes as the FBI cautioned that North Korean agents are posing as IT workers to gain access to businesses in the US.
“Many of these profiles are established as an elaborate ruse for eliciting details from either officials or members of the public who may have access to information relating to our national security,” said cabinet office minister Steven Barclay, whose portfolio includes cyber security. “It is therefore crucial that we do all we can to protect ourselves and our information, ensuring those who we connect with online are who they say they are.”
Why are fake LinkedIn profiles being used by spies?
According to Ken McCallum, director general of MI5, the agency had detected more than 10,000 attempts on professional networking sites like LinkedIn targeting people across the country in the past year. “Foreign spies are actively working to build relationships with those working in government, in high-tech business and in academia,” he added.
The nature of LinkedIn as a networking platform and the amount of personal and professional information posted there make it an ideal target for espionage and general criminal activity. “LinkedIn is a platform in which people are used to having unknown people approach them, which provides the attackers good grounds to lure victims,” says Omer Dembinsky, research manager at the cybersecurity firm Check Point.
Recent research conducted by the company shows that fake LinkedIn details were used in 52% of phishing attacks detected in the first quarter of 2022, up from 8% in the previous quarter. The business social network now accounts for more than half of all phishing-related attacks globally, according to Check Point’s research.
The scale of the problem can be understood through the sheer number of fake profiles on the professional networking site. Data from LinkedIn’s most recent transparency report shows that during the first six months of 2021, 11.6 million fake accounts were detected and stopped at the registration stage. In 2020, during the same period and at the same stage, 33.7 million accounts were disrupted, an increase from 19.5 million the previous year.
According to the same report, 3.7 million fake accounts were successfully created in the first half of 2021 but were “restricted proactively” before other LinkedIn users flagged them. This was an increase from 3.1 million in 2020, and from two million in 2019.
"Our threat intelligence team actively seeks out signs of state sponsored activity and removes fake accounts using information we uncover, and intelligence from a variety of sources, including government agencies,” said a LinkedIn spokesperson. "Our Transparency Report sets out the actions that we take to keep LinkedIn a safe place where real people can connect with professionals they know and trust, including that 97% of the fake accounts we removed were blocked at registration."
But new research conducted by academics from the University of Portsmouth’s criminology department has found a low level of awareness among LinkedIn users in the UK about the potential threat from state actors using fake profiles. The study found that UK-based users were most likely to think of trolling and fraud, rather than economic espionage, as the main motives for fake profiles. Three quarters of those surveyed also said that they had knowingly received invitation requests from suspicious profiles.
An app developed by behavioural scientists in partnership with the CPNI was also released yesterday with the aim of helping individuals identify and report fake profiles on LinkedIn. The app, called ‘Think Before You Link’, features several modules that familiarise users with indicators of fake profiles, as well as a ‘profile reviewer’.
North Korean spooks posing as IT workers - FBI
Meanwhile across the Atlantic, the Federal Bureau of Investigation (FBI) issued a warning yesterday of attempts by North Korean IT workers to gain freelance employment from clients in North America, Europe and East Asia. The work might include mobile app development, artificial intelligence-related applications, virtual reality programming, as well as facial and biometric recognition software. According to the FBI, the Democratic People’s Republic of Korea “dispatches thousands of highly skilled IT workers around the world to generate revenue that contributes to weapons of mass destruction and ballistic missile programs, in violation of US and UN sanctions.”
The agency said that North Korean IT workers often represent themselves as freelancers based in the US and may even sub-contract work to non-North Koreans to obfuscate their identities further. While these IT workers “normally engage in IT work distinct from malicious cyber activity”, the advisory warned that contractors have used their privileged access to company systems to “enable the DPRK’s malicious cyber intrusions”.
“Some overseas-based DPRK IT workers have provided logistical support to DPRK-based malicious cyber actors, although the IT workers are unlikely to be involved in malicious cyber activities themselves,” the report said. But these IT workers “may share access to virtual infrastructure, facilitate sales of data stolen by DPRK cyber actors, or assist with the DPRK’s money-laundering and virtual currency transfers.”
Companies that employ freelance developers were told to be on the lookout for several suspicious indicators, which might include the use of “PRC-linked” digital payment services, inconsistencies in a freelancer’s CV, and cold calls from individuals posing as C-suite level executives of software development companies to offer services and advertise proficiencies.
Freelance work and payment platform companies were also told to keep an eye on multiple logins into a privileged account from various IP addresses associated with different countries, frequent money transfers through PRC-based bank accounts, and the repeated use of templates for bidding documents and project communication methods.
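The login indicator above, as an added detection example (not code from the FBI advisory or from this article): it flags accounts whose logins come from several countries inside a sliding time window. The log format, account names, 24-hour window and three-country threshold are assumptions, and each event is assumed to already carry a GeoIP country code.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, account, source IP, GeoIP country.
# IPs come from the RFC 5737 documentation ranges; country codes are made up.
SAMPLE_LOG = """\
2022-05-17T08:02:11 dev_alpha 192.0.2.10 US
2022-05-17T08:40:53 dev_alpha 198.51.100.7 SG
2022-05-17T09:15:30 dev_beta 203.0.113.5 GB
2022-05-17T11:47:02 dev_alpha 203.0.113.77 BR
2022-05-17T13:20:44 dev_beta 203.0.113.9 GB
2022-05-19T10:05:00 dev_gamma 192.0.2.44 US
2022-05-21T16:30:00 dev_gamma 198.51.100.91 DE
"""

def parse_events(text):
    """Yield (timestamp, account, ip, country) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def multi_country_logins(events, window=timedelta(hours=24), min_countries=3):
    """Return {account: sorted countries} for accounts whose logins span at
    least `min_countries` distinct countries inside any sliding `window`."""
    recent = defaultdict(deque)  # account -> (ts, country) pairs still in window
    flagged = {}
    for ts, account, _ip, country in sorted(events):
        q = recent[account]
        q.append((ts, country))
        while q and ts - q[0][0] > window:  # expire logins older than the window
            q.popleft()
        countries = {c for _, c in q}
        if len(countries) >= min_countries:
            flagged[account] = sorted(countries | set(flagged.get(account, [])))
    return flagged

if __name__ == "__main__":
    for account, seen in multi_country_logins(parse_events(SAMPLE_LOG)).items():
        print(f"{account}: logins from {', '.join(seen)} within 24h")
```

VPN use and business travel also trip this rule, so hits are leads for review alongside the payment and document-template indicators, not verdicts.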