Saturday, September 12, 2020

Whaling and Social Engineering by a LinkedIn Babe

On LinkedIn, I was recently approached by a very professional-seeming young lady. Have you had that experience? Then read on......

(Google Reviewers, please do read carefully before making any decision).

Firstly, I am a male, and I am susceptible to being very friendly with females who are friendly to me (I accept not all males feel the same). Female readers are very welcome to leave your comments, but please understand our weakness.

This article is about an experience which can potentially lead to severe security compromise for the victim, their relatives, friends, colleagues and employers. It is an account of a potential whaling or social engineering attempt.

There are various definitions of whaling or social engineering, but let's just use the definition below as an example (not that it is the 100% correct definition), so that we have a rough idea to proceed.

https://searchsecurity.techtarget.com/definition/whaling

"A whaling attack, also known as whaling phishing or a whaling phishing attack, is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company, as those that hold higher positions within the company typically have complete access to sensitive data. In many whaling phishing attacks, the attacker's goal is to manipulate the victim into authorizing high-value wire transfers to the attacker."

Guys, this paragraph is for you. It's not unusual for me to get unsolicited invites on LinkedIn. They include bearded guys whose names I cannot pronounce; I click Ignore. Nice looking gentlemen who are headhunters, maybe I accept or ignore. Various ladies who are headhunters, again I may accept or ignore. PhDs or students of various types, I may accept if they have an interesting profile, otherwise I ignore. But I have never been invited by a babe-level (non-headhunter) who wanted to strike up a conversation which is non-work / non-professional related - until now.....


Initial invitation -

So this under-30s corporate entrepreneur and executive professional, who appears to be running a company, decided to invite me on LinkedIn. Let's call her LX from here. To be specific, her LinkedIn profile photo is not babe-level, but instead a very professional and very expensive-looking, high-class lady. So the invitation is unusual in the sense of it being rare (I don't get invitations like this) but not enough to be suspicious initially - maybe her work or project made her see something in my professional background that may be interesting - after all, this is what LinkedIn is about, thank you. On a personal level, she is also of the same ethnic background as myself, so in this case, that increased my interest a little.


Interaction - 

The following is an account of the interaction. So far the interaction is still ongoing and there is no conclusion yet.

- After connection at LinkedIn, we started with well wishes and small conversations. Nothing unusual, but I'm quite excited to have this interaction.

- Not long after, LX admits she does not use LinkedIn much, and asks if I use WhatsApp or WeChat. Immediately I too wanted to move off LinkedIn and continue our conversation privately on a non-professional chat platform.

- On the chat platform, the conversation continued. The conversation was very pleasant and non-committal. We started to talk about what each other is doing. From my personal view, I enjoyed this very much because it was refreshing to have a new friend who seemed to be very interested in my routine life. She was not nosy and not at all inquisitive about what I do. So no alarm bells there.

- I asked a few questions about her professional life, i.e. the business that she does. The questions were in the direction of trying to see if there are any synergies between my work and her work, so there is more to talk about professionally, or to help each other's business. Again this is quite standard in what LinkedIn is supposed to allow for.

- No business talk. However, her responses to work and business questions were polite and relevant, but usually ended quickly. For example, her company is multinational, and although they have offices in your country, she does not have direct dealings with your branch. This is quite plausible but adds or subtracts nothing in terms of evidence.

- How is your day? The conversation continues very politely, showing interest in the daily life routine: how is your day, did you sleep well, have you eaten. These are all very nice and I'm very touched to have this level of interest from someone else.

- Niiice photos - Without my making any requests, she voluntarily sent me photos of herself doing sports (in tight sports gear, calm down you guys) and also showing her at dinner. The dinner picture of her is sensational - very photogenic. So of course I want to continue the interaction more.

- We talked about music, food, weekend activities. So very nice indeed. She does not seem to care about my family background, education background, social status. I have no pressure to try to impress her simply because she seems to have everything. Wow I really like to meet her. Even if for a purely platonic relationship (guys, please!), she is so refreshing to interact with.

- The summary of the interaction is that so far we have both kept it very friendly and have not demanded anything from each other at all. Hence no pressure and no expectations. Other males in this position may have taken a different direction and I don't really know how she would respond. In any case, at this point there is no cause for alarm based on the interaction in the chat room.

Let's now go to the other side of thought.....


Reality Check - 

1. Who am I that such a perfect lady (looks, wealth, charm, humour) would pay attention to me? An old saying goes 'Look at your own cat-face (literal translation from another culture)', 'Look at your own mug-shot', 'Have you looked in the mirror lately?' This is one reality check that pulled me down to earth. Though not looking like Brad Pitt or George Clooney, etc, I do think I'm not bad looking at times. But with a double chin and an average look, really? Would a pretty and wealthy and successful young lady choose me out of millions of nicer looking guys out there? (If you answer yes, you don't deserve sympathy if you are taken for a ride.)

2. 'If it is too good to be true, then it is not true'.

Countless people with higher intelligence than myself have fallen victim to scams. I'm not qualified to give all the reasons why and how smart people get scammed, conned, tricked, but it happens all the time. To reiterate: many smart people fall for it. Simply put, when we see something that is so good, and we really want it, then we will try to find all the reasons why this good thing can be true. It's not a matter of optimism making people vulnerable. Those who fall victim to scams really do want the bait (money, a pretty looking person, etc) - we all want something and sooner or later, there is a scammer out there who has the correct bait for us.

3. Use logic, not our senses - A Beautiful Mind.

Men have often been accused of thinking, not with their brain, but with the organ below. If looking in the mirror does not bring a reality check (coz You're So Vain), then remember the movie A Beautiful Mind about the Nobel Prize-winning mathematician and schizophrenic John Nash. Spoiler Alert: Since his university days, he had been seeing an imaginary little child. Through his many years of struggle with schizophrenia, including hospitalization and medication, he still believed the child was real because he saw her with his own eyes and heard her with his own ears. This super brilliant mathematician knew he had schizophrenia but could not deny the existence of the little child. However, the Reality Check came one day, when he realised (using simple logic) that he had known this child (seeing and talking with her) for many decades of his life, but she did not grow old. This was the reality check: even though all his physical senses told him she was real, simple logic about humans and ageing brought him out of his delusion, and so he accepted that the little girl could not be real.

OK - let's put our suspicious cap on for a moment. (Remember, nothing in the interaction so far seems like she wants anything or has anything to offer, except friendship. Neither of us has spoken about anything other than what two very familiar friends would speak about.)


Profile:

- Profile photo included whole person, so her face is quite small in the picture.

- LinkedIn's 'People also viewed' shows other ladies whose profiles are very suggestive, yet with high corporate titles.

- She has 500+ followers. Nothing wrong with that by itself.

- She has a very important, high position title, but somehow the wording is not quite right. 

- The education and work experience profile is quite short. For a young person, this is understandable. Two universities were listed. Three work experiences were listed, the first being an internship. The third is the current very high and important sounding role.

None of these stand out too much by itself, but ordinarily I would not have accepted the Connect invitation with someone with a very brief education and work experience profile. So my confession is that I accepted because she was an interesting lady.


Suspicions - Putting on the tin-foil hat.

The conversations in the chat do not indicate she wanted anything from me, neither information nor resources. The LinkedIn profile described above is not unusual for each individual item, but collectively, they are starting to ring the alarm bells. From there, trying much harder to look through all the evidence, here is a list of suspicious items.

- In the interaction / chats, when I tried to talk about her business to stimulate her interest or passion in her work or business, her answers very soon changed the topic. It was not avoiding the question - the answers were very plausible - but it was like 'now let's talk about something more interesting in your personal life'.

- She does not ask me about my work, except simply 'what I do at work'. There is no attempt to extract any kind of work related information at all. In fact, this near-total lack of interest in my professional experience, considering we met on LinkedIn, struck me as a bit unusual.

- She has so far sent two photos. The photo in a sporting activity shows her in a tight exercise suit, revealing a nice body (sorry, I have to say it, as it attracted my attention). The one at dinner was very proper looking, showing such a cute and sweet face. But comparing these two photos with her LinkedIn profile photo and the chat app profile photo, I cannot say for sure whether it is or is not the same person. Each photo was taken at a different angle, with a different hair style and a different pose - basically enough differences that it could still be the same person.

- Photos - another thing about the photos is that they are not selfies. So she always has someone with her, taking these nice photos of her, whether in an action during sports or at dinner for one, yet looking nice and framed properly in the photos. Who took these photos? Was she with someone? If there is someone, even a friend, why would she be chatting with me half way around the world instead of giving more attention to that person who is with her?

- Looking more closely at the education level in combination with the work experience: she attended two universities consecutively from 2011-2017. A brief internship was done. Then it appears her first job after the internship is CEO of a company (4 years ago until now) and a second job at the executive level (3 years ago until now). So this is what I meant by a seemingly successful or wealthy young lady. Can this be true? Yes, since her country is a place where the rule of law does not always apply, and important people (e.g. her father) have significant advantages. Or it could be a not-very-good fake profile.

- Looking at her LinkedIn connections, it is almost all males in the first 8 pages, with only one female who is another high-powered successful lady. All the males are CXOs, C-level executives, directors, Heads of xyz, business leaders etc. Not even head-hunters have such high powered connections. Could all these male high-flying individuals be potential victims?


Why me? What for?

Although some alarm bells may start to ring, most likely we will not know the reason until it is too late. Here are just a few very general reasons, and there could be more.

https://www.smh.com.au/lifestyle/life-and-relationships/don-t-know-why-i-sent-more-sally-lost-her-entire-savings-to-a-love-scam-20200909-p55ttb.html

1. The article above is about old-fashioned scamming involving romantic love, but the technology can be modern, like chat or video conferencing. The scammers are patient and build trust and love with the victims; then the objective of the scam is old-fashioned money.

2. For more modern whaling, the objective would be to target high level corporate leaders, or someone influential enough in an organisation, such as an IT Administrator. Then, if the scammer can infect the devices of the victim, potentially everyone else in the victim's computer network (i.e. the office) could be vulnerable.

3. Social engineering - this may combine the old-fashioned charm and get-to-know-the-person trick with a similar objective to whaling: the goal of being able to access information or computer systems of higher value targets in the organisation of the victim.

I don't think I can fall for the romantic scam trick, but that is in fact what I could fall for. I don't have a high title in my company nor an important role, but that does not mean I cannot be used to get to another person through me. Just because I don't know why does not make me any less valuable to a scammer.

4. Here is another potential reason (I won't comment further)

https://www.asianage.com/world/americas/310818/china-using-fake-linkedin-accounts-to-recruit-americans-us-top-spy-catcher.html


Checks

The suspicions above may or may not reflect the truth - and I still cannot be sure at this point.

However, a few things can be checked.

- Contact University? Alumni Lookup service?

- Check with a few others she has been in contact with.

- Check by calling the work company, maybe not directly, but approach with tact.

- Image check on the internet (reverse image search).

- Search for known scammer fake profiles.
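The 'image check' above is what a reverse image search engine does at scale: it keeps a fingerprint of every indexed picture and reports which known picture a submitted photo is nearest to. The script below is an added example, not code from this post or from any search engine, and it does not claim to show how TinEye fingerprints images; it uses a simple difference hash (dHash) so that the idea can be tried offline on the sample pictures it constructs itself. The Pillow loader (`load_grayscale`) is an assumed optional helper for real files; the synthetic 'photos' are constructed in the script and are not real images.

```python
"""Perceptual-hash comparison for spotting a reused profile photo (added example)."""
import random
from typing import Dict, List, Sequence, Tuple

Gray = Sequence[Sequence[int]]   # rows of 0-255 grayscale values
HASH_SIDE = 8                    # 8x8 comparisons -> 64-bit hash


def downscale(pixels: Gray, width: int, height: int) -> List[List[float]]:
    """Box-average a grayscale matrix down to width x height."""
    src_h, src_w = len(pixels), len(pixels[0])
    out = []
    for y in range(height):
        y0 = y * src_h // height
        y1 = max(y0 + 1, (y + 1) * src_h // height)
        row = []
        for x in range(width):
            x0 = x * src_w // width
            x1 = max(x0 + 1, (x + 1) * src_w // width)
            block = [pixels[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(pixels: Gray) -> int:
    """Difference hash: one bit per left-vs-right comparison on a 9x8 thumbnail.
    It captures edge structure, so recompression or mild noise leaves the bits alone."""
    small = downscale(pixels, HASH_SIDE + 1, HASH_SIDE)
    bits = 0
    for row in small:
        for x in range(HASH_SIDE):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def closest_known(candidate: Gray, known: Dict[str, Gray]) -> Tuple[str, int]:
    """Name and bit distance of the known photo nearest to the candidate."""
    h = dhash(candidate)
    return min(((name, hamming(h, dhash(img))) for name, img in known.items()),
               key=lambda t: t[1])


def likely_same_photo(distance: int, threshold: int = 10) -> bool:
    """Rule of thumb for a 64-bit dHash: 10 or fewer differing bits is a probable match."""
    return distance <= threshold


def load_grayscale(path: str) -> List[List[int]]:
    """Read a real photo via Pillow (assumed optional dependency; not used by the demo)."""
    from PIL import Image
    img = Image.open(path).convert("L")
    w, h = img.size
    data = list(img.getdata())
    return [list(data[y * w:(y + 1) * w]) for y in range(h)]


# --- constructed sample 'photos' (synthetic, not real images) ----------------

def sample_photo(width: int = 64, height: int = 64) -> List[List[int]]:
    """Synthetic scene: a smooth gradient, a bright square, a darker right edge."""
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            if 16 <= x < 32 and 16 <= y < 32:
                v = 255              # bright square
            elif x >= 49:
                v = 100 - x          # darker right-hand strip (51 down to 37)
            else:
                v = 2 * x + 2 * y    # gradient, stays below 255
            row.append(v)
        img.append(row)
    return img


def recompressed(pixels: Gray, seed: int = 42) -> List[List[int]]:
    """Simulate a lossy re-save: deterministic +/-3 noise on every pixel."""
    rnd = random.Random(seed)
    return [[min(255, max(0, v + rnd.randint(-3, 3))) for v in row] for row in pixels]


def inverted(pixels: Gray) -> List[List[int]]:
    """A genuinely different picture: every edge reversed, so every hash bit flips."""
    return [[255 - v for v in row] for row in pixels]


if __name__ == "__main__":
    original = sample_photo()
    index = {"tourist-site-photo": original, "unrelated-photo": inverted(original)}
    name, dist = closest_known(recompressed(original), index)
    print(f"closest: {name} at {dist} bits -> same photo: {likely_same_photo(dist)}")
```

The re-saved copy hashes identically to the original, while the inverted picture differs in all 64 bits; a real engine adds cropping and rotation tolerance and an index of millions of hashes, but the match decision is the same distance comparison. Note what this check does and does not tell you: a match proves the photo was reused, while a non-match proves nothing, since the picture may simply not be indexed.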


Update:

I just verified using reverse image search (https://tineye.com/search/) that the chat app profile photo was taken from a young lady on a tourist website. The website has a lot of photos of the same lady and they are clearly recognizable as the same person. However, LX's various photos seem difficult to identify as the same person.
