Wednesday, April 23, 2008

The LinkedIn "John Smith" scam

I had my doubts, but I tend to be fairly open with LinkedIn requests and keep a mental track of those I really know and those I don't, so when a highly-linked Mr. John Smith (including links to people I *really* know) sent a connection request, I added "him". A bunch of others did, too. No big deal for most folks who think about what info they share (and how much of it is available elsewhere). Turns out Mr. John Smith was an "awareness campaign" or "publicity stunt", depending on your point of view. I received this email today:
Dear LinkedIn user: Meet Mr. John Smith!

You have a profile on LinkedIn.com and you have chosen to connect with "John Smith". This itself is not a problem, if it weren't for the fact that John Smith doesn't really exist (in real life). The profile was invented as part of a security experiment where we try to determine and illustrate potential risks of using social networks, such as LinkedIn. The presentation was just released at the Fraud Europe conference in Bruxelles today.

We decided not to release any detailed information about who John Smith got connected with in his network, and how. However, we felt obligated to inform all LinkedIn accounts hooked up with John Smith about this piece of research and the release of the final edition of "Social Networking Risk - Who Do You Want to be Today?".

With the paper being released we will delete the "John Smith" profile!

If you've not already guessed it, you're receiving this e-mail because you are linked with John Smith. We hope this will be a lesson learned and nothing else ...

All data harvested during the past year will be deleted. We will also inform LinkedIn and ask them to remove the profile.

You can download the presentation given at Fraud Europe conference at the following URL:
http://www.csis.dk/dk/media/LinkedIn-Threats.pdf

The technical paper, used as background for this presentation and released in January 2008, can be downloaded here:
http://www.csis.dk/dk/media/LinkedIn-V2.pdf

Best regards,

Dennis Rand, Security- and Malware researcher
CSIS Security Group
http://www.csis.dk
Oh, well. But my next question is this: what about that "Information Security" group on LinkedIn? A few friends and I questioned the legitimacy of that (after joining) at a recent event.

Bottom line, if it is on the Internet it is out there for all to see. Remember that, act accordingly, and you'll be OK.

Jack