29 Jul 2021

Cyber Security: The social network where everyone's been netted

By Stuart Slater

Social networks are one of the most common ways we communicate in the 21st century. We use them for entertainment, social interaction and even business. But with all the personal details we put on social media, how easy is it to use that information to manipulate somebody into doing something they shouldn’t? This is where phishing comes in…

Phishing

Well, it’s not to be confused with the activity of sitting in front of a lake for six hours in the pouring rain with nothing more than a rod and a net. Phishing is an attack performed by crafty criminals who attempt to trick a user into doing something they shouldn’t, such as visiting a dodgy website or downloading a malicious application.

There are also several variations of phishing, which, if referred to correctly, will definitely impress your cyber security team:

  • Vishing
    An attack where an unsavoury character will call you up and ask for information about yourself, tricking you into providing personal confidential information. A common example of this is when you might get a call from somebody purporting to be from a certain large technology organisation’s support department, when in reality it’s a chap in a call centre with the aim of extorting money from you.
  • Smishing
    Keeping on the same track as vishing, this also involves your phone, but the method is to send the user a text message rather than call. A very common example that’s been in the news recently was the Royal Mail scam, where a group of individuals were sending messages to say a package was ready for delivery but required payment before collection.

Why does all of this matter?

Well, we may be in for a tough ride over the next couple of months. As recently as March 2021, the National Cyber Security Centre reported that in the last 12 months 83% of businesses and 79% of charities have experienced a phishing attack.

Making matters worse, as of 27th June 2021, over 700 million LinkedIn records had been put on hacking forums and were being sold to anyone who wished to purchase them. What makes this different to other breaches is that this is up-to-date, current data that was obtained as recently as this year. Often data breaches are a mixture of old records that aren’t relevant any more.

The one solace that we can take is that LinkedIn has said that no confidential information such as passwords has been stolen. However, the following has:

  • Email addresses
  • Full names
  • Phone numbers
  • Physical addresses
  • Geolocation records
  • LinkedIn username and profile URL
  • Personal and professional experience/background
  • Genders
  • Other social media accounts and usernames

How was this data obtained?

It turns out the data was obtained using the publicly available LinkedIn API (a method where two different programs can talk to each other). This isn’t the first time this has happened either – a data leak using the same method occurred back in April 2021.

And for those wondering, I have confirmed that my own data has been leaked, and I am sure that given an estimated 92% of LinkedIn’s user base are affected, you may well be reading this and wondering whether you’re affected too.

So how do I find out if it’s been leaked?

The first thing to do is check the LinkedIn Data Breach Checker set up by CyberNews.

The second step is to check HaveIBeenPwned, a website that allows you to check your email address or mobile number across years’ worth of data breaches and see what information was leaked.

Once you’ve done both of those things, I would change your password on any affected accounts and the associated email addresses. If there is the ability to turn on multi-factor authentication (MFA/2FA) then do so.

What can I do to protect myself as an employee?

A common mantra used in cyber security is that humans are the first line of defence against attackers, but they’re also often the most vulnerable if not trained properly. Ask your employer for any cyber awareness training that is available to you, and if there is none, check websites like the National Cyber Security Centre to find top tips on how to secure yourself from attackers.
