LinkedIn needs to address phishing and security

I grew up on the Internet and learned to build software, hack, and practice social engineering through bulletin boards and meetups. I'm acutely aware of how garbage the Internet can be. The barrier to entry is now so low that anyone can get on and cause harm, which is why I take such affront when massive corporations willingly sacrifice security and integrity for profit. LinkedIn is actually overrun with this stuff, and even NPR had a good article about it.

Given the obviousness of the issue and massive public awareness, you'd think they'd want to address this, wouldn't you? That's where it gets weird. There's no other reason LinkedIn would go so far as removing the "this person is not real" option from spam reports. I used to get at least 5 objectively fake people a month and reported them frequently:

And yet now I can't say "this person doesn't exist" anymore...

I had a post on this sort of content more than a decade ago on my old website, back when I was writing scripts that drove headless browsers on LinkedIn. I generally shy away from inflammatory content on the Internet and do not participate in social media, but I'm frustrated enough that I feel sharing this is worthwhile for others' security. It's disappointing because I'd go so far as saying LinkedIn was improving and doing an alright job a few years ago. They've now noticeably reversed course in terms of quality.

What do I suspect is going on? Well, I'm sure that more than ever they're relying on machine learning and then farming the edge cases out to extremely cheap, unspecialized labor. And that's absolutely not OK when people's security and privacy are at play, because it enables very easy criminal behavior.

Case Study: An obvious and simple case that LinkedIn did not address on multiple reports

Why is this particular scam a problem? Because they want your phone information. There are a few scams that go this way, but malicious links sent to your phone tend to be #1, as that doesn't require manual work. They can't send those links through the chat, because the chat is scanned.

Anyway, it starts with spearphishing because for some stupid reason, people think I'm important and worth the time. I'm not, by the way. As such, I've been getting variants of this exact message from phony accounts for several months:

If the crappy scripted nature of the text doesn't tip you off to start with, well, I hope this teaches you to look for that.

The best part is that every single time, it's a fake account with 0 followers. Not only is it lazy, but you'd think they'd at least use fake accounts posing as people who sell franchises or finance said operations. They don't, because criminals are often really stupid and lazy.

Just today, I received another and decided to put in 2 minutes of effort to prove it was fake. I started by looking at the page:

Seems legit

If this doesn't jump out at you, let's note a few things:

  1. 0 followers or connections
  2. No activity
  3. Customer service representative at Wipro is contacting me about starting a business? Huh?

It's phishing for a scam, but let's take it 20 seconds further with a reverse Google image search on this person's profile picture:

Well, would you look at that? The same person, with a different spelling of the name and an entirely different job, on a different-language version of LinkedIn.
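The three checks above (no network, no activity, a message that doesn't fit the headline) plus the photo lookup are easy to turn into a small triage script. The following is an added example, not the author's old headless-browser scripts and not anything LinkedIn ships: the profile fields, names, and message are constructed, and the reverse image search is stood in for by a difference hash (dHash) compared against photos already seen under other names, which is the general near-duplicate technique such searches rely on (the real search engines use their own, more elaborate matching). The images are synthetic grayscale ramps built inline so the script runs offline.

```python
import re
from dataclasses import dataclass

HASH_SIZE = 8  # 8 rows x 8 comparisons -> 64-bit hash


def dhash(pixels, hash_size=HASH_SIZE):
    """Difference hash of a grayscale image given as rows of 0-255 ints.

    Nearest-neighbour downsample to (hash_size + 1) columns x hash_size rows,
    then emit one bit per horizontally adjacent pair: 1 if the left pixel is
    brighter than the right one. Resizing, recompressing, or brightening a
    photo changes pixel values but rarely flips these relative comparisons,
    which is why a reused profile picture still hashes close to the original.
    """
    h, w = len(pixels), len(pixels[0])
    bits = 0
    for r in range(hash_size):
        y = r * h // hash_size
        row = [pixels[y][c * w // (hash_size + 1)] for c in range(hash_size + 1)]
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (1 if left > right else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes (0 = identical)."""
    return bin(a ^ b).count("1")


@dataclass
class Profile:
    name: str
    headline: str
    connections: int
    followers: int
    posts: int          # visible recent activity
    photo: list         # grayscale rows; constructed for this example


# Phrases that try to move the conversation to a phone or messenger,
# which is where the malicious links get sent (hypothetical word list).
OFF_PLATFORM = re.compile(
    r"\b(whatsapp|telegram|signal|text me|phone number|cell(?:phone)?|sms)\b", re.I
)


def triage(profile, message, known_photos, max_distance=10):
    """Return the list of red flags for an unsolicited message.

    known_photos maps an already-seen profile name to the dHash of its photo;
    it plays the role of the reverse image search in the text.
    """
    flags = []
    if profile.connections == 0 and profile.followers == 0:
        flags.append("no connections or followers")
    if profile.posts == 0:
        flags.append("no activity")
    if OFF_PLATFORM.search(message):
        flags.append("asks to move the conversation to a phone number or messenger")
    h = dhash(profile.photo)
    for owner, known in known_photos.items():
        if owner != profile.name and hamming(h, known) <= max_distance:
            flags.append(f"photo matches an existing profile: {owner}")
    return flags


# Constructed stand-ins for photos.
def v_image(size, offset=0):
    """Dark centre, bright edges; offset simulates a brightness tweak."""
    return [[min(255, abs(x - size // 2) * 512 // size + offset)
             for x in range(size)] for y in range(size)]


def ramp(size):
    """A plain left-to-right brightness ramp: an unrelated picture."""
    return [[x * 256 // size for x in range(size)] for y in range(size)]


def demo():
    # The original profile's photo, 32x32, indexed under its real owner.
    known = {"Jayne Doe": dhash(v_image(32))}
    # The fake: same picture, resized to 64x64 and brightened, different name.
    fake = Profile("Jane Doe", "Customer Service Representative at Example Corp",
                   connections=0, followers=0, posts=0, photo=v_image(64, offset=30))
    msg = "Hi! I have a business opportunity for you. Text me on WhatsApp to discuss."
    return triage(fake, msg, known)


if __name__ == "__main__":
    for flag in demo():
        print("-", flag)
```

A legitimate profile with an unrelated photo and no off-platform ask produces an empty flag list; the constructed fake above trips all four checks, and the photo match survives both the resize and the brightness change because dHash only records which neighbouring pixel is brighter.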

So, what we have is a classic example of fraud and phishing. Let's report it! I can no longer enter supporting freeform text either, as I used to when I said "I know this person in real life and this is not his account; it is a fake". We know why that is gone: it costs money to have people look at freeform text. Now, the closest option is "spam or scam", so let's report and see what happens...

Nothing. Nothing happened. I usually get follow-up notes, but this time, I got no response, which is very funny. It's especially funny because the last one I reported sent a response within 3 minutes of reporting:

Your Trust & Safety Team sucks

I was very, very salty when I received that email a week ago. Since that note was from 8 days ago, let's check on Tori's profile and see how many friends she's made...

Oh.

Wow, it's almost like LinkedIn was notified and took the wrong response, time and time again, but eventually addressed it a week later. The question is, did anyone have their life complicated as a result beforehand?

Takeaway: LinkedIn is doing less to protect users

LinkedIn: FIX. YOUR. SITE. I don't pay $30 a month for constant phishing, and everyone who trusts your platform deserves better, even if they're using it for free. The step backwards in reporting is unprofessional and cheap and does not help customers; it helps profits while opening up the possibility of people having their lives ruined. Please stay safe and be smart out there, people.