For those of you that have been the targets of SPAM or phishing or perhaps for those of you that are cyber defenders, how many times have you heard
“I have no idea how the attacker got my personal email address.“
I have a secret to share with you. [Come a little closer to the screen. I’ll whisper it.] You may have given it to them. Yup. Let me show you a neat little trick in the LinkedIn.com social media web application.
What is LinkedIn?
LinkedIn is a professional social media web application. According to https://press.linkedin.com/about-linkedin, “LinkedIn operates the world’s largest professional network on the Internet with more than 467 million members in over 200 countries and territories.” If you do Open Source Intelligence (OSINT) like I do, you are probably smiling right now and thinking “Yeah. You may have 467 million ‘members’ but I wonder how many of those accounts are real people versus sock puppets.“
If you’ve ever received the Micah Hoffman biography, you’ll know that, although I have a career in the information security (computer security) field, my undergraduate degree is in psychology. Understanding psychology is fundamental to interpreting, predicting and, well, understanding people. What do I mean? Let’s think about how people use (I’m talking about “normal people” not us OSINT-types) LinkedIn. An person creates an account on the site and then uses that account throughout their career, across multiple roles and employers. If we understand that basic fact, then we can posit that they may have signed up for LinkedIn with a personal email account as the username. Fair enough assumption? OK, hold that thought and let’s understand a little more about LinkedIn.
Many people who use LinkedIn do so to increase their “professional network” of colleagues, friends and associates. Why? The bigger and wider your network of professional contacts, the more likely you are to know someone who knows someone at a certain company or that has a position open for you to apply for. So we have 467 million accounts that are trying to connect to others so that they can cast their professional networks as wide as possible so that when they need their next job, are looking to hire a person with a specific skill-set or just need to contact someone at Company X, they can leverage their network of people to reach the “right” people.
When people ask to connect to your profile in LinkedIn, you have the option to accept or reject it. I have a rule that I will only “connect” with people on LinkedIn that I have actually worked with. Why? You’ll see in a moment. Some people are not as discriminating as I am. In fact, there is a title for people that will accept any connection request: LinkedIn Open Networkers (https://www.linkedin.com/help/linkedin/answer/1146/definition-of-l-i-o-n-). In pulling that last URL for this blog post, I found it interesting that “this term is not endorsed by LinkedIn. As a reminder, only connect to people you know and trust and only join groups you want your name associated with.” LinkedIn themselves are saying “Hey. You may not want to connect with people you don’t know.” LiONs have hundreds to thousands of connections to people across industries and countries.I never understood why someone would want to be a LiON aside from getting bragging rights about how many people you are connected to. Well….until I found out that these LiONs could be using their connections just as their connections are using the LiONs.
Giving of Data
In most social media platforms, when you connect to another user, you are allowing them to see some of your personal (possibly private) data. Same goes for connecting to people on LinkedIn. So, picture that you are a LiON or maybe just a normal user and you want to gather information about a person or, perhaps ALL of your connections. There is a way to do that in LinkedIn. It is called “Exporting Connections” and it is WONDERFUL if you are in OSINT…scary if you are a regular user.
Here is how you can export your connections in LinkedIn. I’d like to warn you that once you see the next steps and what they show, you may rethink your criteria for connecting to others on social media sites (and that is one of my reasons for publishing this). Visit the https://www.linkedin.com/psettings/member-data as a logged-in user. It should bring you to a place that looks like the image below.
Go ahead and “Request archive” all of your connections.
- You will get a link to download your data in your registered email
- Click the link
- Download the ZIP file
- Uncompress it
- Open the Connections.csv file
For those that do not have a LinkedIn account (or don’t want to do this), let me show you what the output might look like. I’ve blurred much of the data to respect the privacy of these connections.
You can see first and last names, email address, company and position. Remember when I mentioned earlier about people signing up for LinkedIn with their personal emails? Ya…if they changed the default setting in LinkedIn to share those, they would appear in the output (as the “cds@…” does)! Lesson here is when you connect to someone on LinkedIn, you give them a LOT of info about yourself.
So we understand that we can get people’s home email (sometimes), where they work, and positions by connecting to them. So if I wanted to SPAM, phish or social engineer a company, I might create a LiON account, connect to a bunch of people, accept all requests for connections, and then export my connections to get victim information for my attacks.
What about tracking people over time? Could you have a sock puppet account connect to many targets and then export their data each month to find out:
- Who changed employers?
- Who changed positions within their company?
- Who changed their name (possibly indicating marriage or divorce)?
Yes. Yes you can. I’m sure some of you are thinking about some of other uses for this information too. The worst part about it is that most users do not know that their LinkedIn data is given to all of their connections!
Now do you see why I’m restrictive about who I connect with on LinkedIn/social media? Ya. Any user of the LinkedIn system (not just premium users) can export their connections and do what I’ve done. Perhaps it is time to revisit all those connections in your LinkedIn profiles?
Josh “baywolf88” Huff (OSINTer-extraordinaire) checked to see if the export of LinkedIn contact information is updated if you change your email or other data. It is so a person that regularly downloaded the information could track not only what companies and positions you have had but also personal email changes (moved from Yahoo email to Gmail recently?). Thanks for checking that Josh!