That online job candidate may be carrying a virus
- 25 January, 2017 22:18
January is the month when employees are most likely to think about changing jobs, according to a survey by Glassdoor. Almost one in five jobseekers cited January as the most popular month to make a move, which means that resumes, cover letters and reference contacts are eagerly shared through social media, email and company websites.
Cyber thieves are eager to take advantage of the busy hiring season, too, and they’ve come up with several ways to infiltrate corporate systems. Security pros offer their tips on what to watch out for, and how to stop them.
Cyber criminals use LinkedIn and other social media sites to bypass company defenses
LinkedIn and other social networks are becoming targets for threat actors since they know it's a great way to bypass company's defenses, according to cybersecurity firm Cylance. LinkedIn is typically a site that is not blocked by network filters to allow HR departments the freedom to communicate with prospective job candidates.
Some 87 percent of recruiters use LinkedIn when vetting candidates during the hiring process, according to Jobvite’s Recruiter Nation Survey 2016. Jobseekers flock to the site as well, many of them browsing at the office, with 45 billion page views from LinkedIn members in the first quarter of 2016, according to LinkedIn.
“These attacks are becoming more common because it’s easy and inexpensive,” says Chris Stephen, channel engineer at Cylance. “Companies have placed a lot of money in their perimeter security and purchased products to find sites with poor reputations scores. LinkedIn circumvents both of these layers.”
Email scanning is almost completely circumvented in these types of attack, Stephen says. Most professionals sign into LinkedIn using their personal email addresses, not through their company account, so these emails will not be scanned by their email security. Though most email providers don’t allow .exe file attachments, hackers can still upload resumes infected with malware via a Word document or PDF, which professionals are more likely to open, he adds.
“For LinkedIn, you’re providing them with your resume, and that’s really the vector that’s going to give (threat actors) an increased likelihood of payout,” Stephen says. Job sites such as Monster and Indeed have candidates pre-fill their resume instead of attaching one, he adds.
Cyber thieves posing as legitimate LinkedIn users can also be hard to spot. They’re often able to infiltrate a company by striking up conversations with recruiters or employees in social engineering plots or to share malware attachments. If the fake user’s account has a lot of shared connections, then the employee is less likely to be concerned, Stephen says.
Chris Stephen, channel engineer at Cylance
When asked about the vulnerability, LinkedIn issued a written response: "Growing your network is a crucial step in finding new business opportunities. The most important thing LinkedIn members can do to protect themselves is to only accept requests from people they know or recommended contacts from a trusted connection. We encourage our members to flag any profiles, messages or postings they believe are suspicious. We have many helpful articles in our Help Center to stay educated…. We also have… dedicated teams that work quickly to remove any instance of fraudulent activity and prevent future reoccurrences."
Executives face higher risks
Fake LinkedIn users pose a higher threat for executives, says Ray Kruk, a vice president in social media protection at Proofpoint. The average CEO has 930 LinkedIn connections, according to LinkedIn. “We’re seeing a lot more risk to the brand around fake users impersonating a trusted business partner and reaching out to an executive leader in the company,” he says. Using a post or communication dialog over LinkedIn or social network, the fake user will include a malware link in the form of a shortened link. Clicking on the link will install software on the executive’s computer.
If an executive were to be compromised, cyber criminals would have access to perhaps more important or sensitive data and file systems than they would have simply by trying to socially engineer an HR department to get in, Kruk says.
Most collaboration platforms are vulnerable
LinkedIn isn’t the only professionally focused social network in the crosshairs of cyber thieves. Collaboration platforms and semi-private social networks like Slack or Jive bypass all of the corporate controls that are in place at the network and infrastructure layers, and provide newer entryways for bad actors to infiltrate a company.
“When it comes down to where the vulnerability is – it’s the human element in a cybersecurity strategy that is the vulnerable link,” Kruk says. Security policy and governance needs to focus on how people interact with data, correspond with email and use tools like LinkedIn and others, he adds.
HR departments and recruiters use Slack and Jive to communicate with job candidates, but those tools are also unmanaged and the company has no control of the data that goes in or out, says David King, senior manager at professional services firm UHY LLP in the internal audit, risk and controls practice.
“The biggest risk that I see with these types of services is that…if your recruiter leaves one firm and goes to another, they take all those Slack conversations with them.”
King suggests greater control and oversight to solve the problem. First, establish written policies that forbid the use of personal social media accounts for professional work. Companies can also onboard temporary or part-time recruiters in the same way they welcome full-time employees, by setting up corporate email and social media accounts for them.
“If you’re onboarding one or two recruiters a week and attrition is high, then the overhead will be high,” he says. Another option – setting up a company Slack account, and eliminate personalization for part-time employees. “However, each time somebody leaves you will have to reset the credentials of that account,” King adds.
Protecting corporate systems
Companies should first make sure that employees are aware that the vulnerabilities exist. Training programs, such as spear-phishing campaigns, are an effective first step, Stephen says. Endpoint security and application-layer software can also help deter the threats.
Private vs. corporate email address
Employees often use personal email accounts to access job-hunting sites like LinkedIn at the office, or list their private email in their contact information, which provides an entry point for social engineering schemes.
“There’s mixed opinion here, but we hear more companies say that using your corporate email address vs. private email address tied to your social media profile may be a better security best practice,” Kruk says. “Your corporate email should be less vulnerable to attack if you have strong security controls around it, compared to your private email on Yahoo, Gmail or Hotmail.”
HR departments often use third-party recruiters to help with hiring, who also use their own social media accounts, he says. In those cases, many companies issue temporary corporate email addresses to those employees so they can provision and de-provision users relatively quickly, he adds.