A couple of weeks ago I got a LinkedIn invitation from someone called Tricia Bennett. I don’t know Tricia, and in such cases I’ve developed a best practice of first asking “hey mate, do I know you from somewhere”?
What’s the rationale for linking yourself professionally only to people you’ve actually met? Well, other than general common sense, it’s to prevent things like sending you an infected email from a trusted source, or spamming you in a way that circumvents
most anti-spam defenses. And there might be some other nefarious things that you never even thought of. Anything that can be used down the road to catch you off guard is a bad idea.
I got the invitation on my new iPhone (after long years of using the Blackberry), and clicked on the link. It asked me to verify my LinkedIn password – and I hesitated.
I looked at the invitation carefully. It looked exactly like any other LinkedIn invitation that I get from people I meet in conferences or in professional engagements. But something nagged me… And then I realized what it was: I recently downloaded a LinkedIn
app for the iPhone, and it kept beeping with new messages and invitation. Today it was silent; why didn’t this invitation trigger an App notification?
I went to the LinkedIn App and waited a few seconds for it to sync itself over the Wifi. No Tricia Bennett.
Hmmmmmmm…
At this point I had to do something else, and a day later I kind of forgot about Tricia. Then the following weekend I got two mystery suitors, same day. This time it was a Jose and a Freya that wanted to offer LinkedIn friendship.
I scratched my head, trying to figure out why the sudden popularity. Not that it’s such a huge anomaly – I mean, lots of people offer their digital handshake, but generally it happens a week or two after a big conference or after I do a webinar, write an
interesting blog, or attend a big event with industry colleagues.
I looked at all the invitations again, and wondered if there’s some sort of foul play. When hovering on the LinkedIn link inside the mail app I couldn’t really see the URL, so I decided to open it in a web browser instead.
And immediately saw that all of the links led not to LinkedIn.com but rather an assortment of URLs hosted in Turkey, Russia or Canada.
Bah!
So. On the iPhone I had less visual cues in my mail app than on a desktop or browser environment. Someone is using that the fact in a simple Phishing attack that attempts to get my LinkedIn password. Why that’s useful to an attacker is something I covered
in a previous post, and isn’t really the point. The point is that Phishing, an experience I thought will never fool me again, is back, effective, and highly confusing – as it leverages
a user experience that was new to me. And the thing in, you can’t really expect what shape it will take because there are a lot of
unchartered waters.
And there’s another point. Fraud on mobile devices is still nascent. Here’s an
observation from Gartner’s Avivah Litan in her blog post on mobile banking fraud making an appearance in Brazil: “Mobile malware is not rampant yet but it’s starting to appear”, says Litan. “For now, solutions are sparse, costly, or not yet fully implemented”.
Judging from history, this nascent state won’t stay like that for long. It’s a bit like online fraud eight years ago. In 2004, Phishing attacks on banks were still isolated, high-profile incidents and there was no effective mitigation. In 2006 I was beside
myself when the first case of Man in the Middle fraud attack was reported. 2006, the same year where the original FFIEC guidance required banks that still used username and password to adopt better defenses.
Mobile fraud in 2012 is the same: we’re just seeing a tip of a future mammoth iceberg heading our way. Whatever it is that exists today is a tiny fraction of what it would become in, say, 2020.