LinkedIn password leak: What it means for phishing

Spoiler: LinkedIn password leak: What it means for phishing? Answer: Not much!

When people talk to us about phishing, they often want to know “What’s next in phishing? What else are you seeing?”

This gets asked a lot, and it is one of my least favorite questions because the truth is, email-based spear phishing works as-is. It has no reason to evolve right now.

But certainly in the age of social media, Cloud, SaaS and BYOD, attackers are going to shift away from email, right? We take our cues from the incident response community. We are sticking with email-based spear phishing until they say otherwise. I pointed out in a previous post, Spear Phishing Vs. Spear Phishing, that these large data dumps will help build some authenticity into the general consumer fraud phishing emails, and that will continue to be the case.

Is this LinkedIn data dump going to be different?

What do we know about this breach? Not much right now. I have the current dump and it’s just an unsalted SHA-1 hash of the passwords. The dump that is on the internet right now is just the password hash. We must assume, though, that the bad guys have the username:SHA-1 password hash pairs, and that it’s only a matter of time before that combo is widely distributed. My LinkedIn password was terrible. It was 7 characters long and only letters and numbers. I looked for it in the dump but couldn’t find it. (I’m reading now that it’s been discovered that many of these hashes are damaged in that the first three bytes are zeroed out. When I zero out the first three chars of the SHA-1 hash of my old password I find it.)
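The lookup described above, written out as an added example that is not part of the original post: it hashes a candidate password with unsalted SHA-1, checks a constructed sample dump for the intact digest, and then retries with the leading hex characters zeroed to catch the damaged entries. The number of zeroed characters is a parameter (defaulting to the three the post mentions), the sample passwords are made up, and the salted variant at the end only illustrates why an unsalted store makes this lookup trivial.

```python
import hashlib
import os

# Number of leading hex characters zeroed in a damaged entry.
# Assumption: the post speaks of "the first three"; adjust for a real dump.
ZEROED_PREFIX_LEN = 3


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 digest as lowercase hex, as the leaked dump stored it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def zero_prefix(digest: str, n: int = ZEROED_PREFIX_LEN) -> str:
    """Reproduce the damage: replace the first n hex chars with '0'."""
    return "0" * n + digest[n:]


def build_sample_dump() -> set:
    """Constructed stand-in for the leaked file: one intact digest, one
    damaged digest, one unrelated digest. Passwords here are invented."""
    intact = sha1_hex("abc1234")                 # 7 chars, letters and digits
    damaged = zero_prefix(sha1_hex("hunter22"))  # prefix zeroed, as in the dump
    unrelated = sha1_hex("correct horse battery staple")
    return {intact, damaged, unrelated}


def find_in_dump(password: str, dump: set, n: int = ZEROED_PREFIX_LEN):
    """Return 'intact', 'damaged', or None depending on how the password's
    digest appears in the dump. Set membership is O(1): with no salt, one
    hash computation answers the question for every account at once."""
    digest = sha1_hex(password)
    if digest in dump:
        return "intact"
    if zero_prefix(digest, n) in dump:
        return "damaged"
    return None


def salted_sha1(password: str, salt: bytes = None) -> tuple:
    """Per-user random salt: the same password yields a different digest for
    every user, so a leaked hash list cannot be checked with one lookup."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


if __name__ == "__main__":
    dump = build_sample_dump()
    for candidate in ("abc1234", "hunter22", "not-in-dump"):
        print(candidate, "->", find_in_dump(candidate, dump))
    print(salted_sha1("abc1234")[1] != salted_sha1("abc1234")[1])
```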

Will a phisher be able to take control of hundreds of LinkedIn accounts and launch phishing attacks from within the LinkedIn portal?

A lot of what is going to happen will depend on how LinkedIn handles this situation. LinkedIn owes the public some answers about its password storage. (Check out my old TripAdvisor blog post about their breach.) If LinkedIn does it like Zappos and allows users to log in with the old password and then reset it, it could be a disaster. LinkedIn should *not* handle it this way. Instead they should lock out every account that has an exposed password hash and force users to do a password reset.

Let’s assume an attacker does get access to hundreds of accounts because of this. They will be able to use the data gleaned to create a highly personalized and targeted story, but many of us have fairly public LinkedIn personas and are very liberal about accepting invites to connect.  I don’t think this will have a meaningful impact on phishing.

What about an attacker sending phishing messages through LinkedIn’s InMail?

I suppose it’s possible but we haven’t heard of any cases yet. The message may seem more authentic to the recipient, but let’s not forget that LinkedIn’s messaging system doesn’t allow attachments. So the attacker will have to send links (which LinkedIn does make active) to the victims. Here is what it would look like to send:

And in the victim’s email inbox:

So the LinkedIn platform isn’t a very good one to send phishing attacks with. Are there any other concerns? You betcha! Password re-use! Earlier in this post I admitted to having a poor LinkedIn password. But that didn’t get my heart racing because I’m a fanatic advocate of password managers that auto-generate and store complex passwords. I have 185 items in my personal password manager. (I had 183 this morning until I changed my LinkedIn and personal Twitter passwords.)

These massive credential breaches will continue to happen. Companies like LinkedIn will continue to have terrible password storage practices. (SHA-1 unsalted. Really? Whip yourself.) We still don’t know how LinkedIn will handle this.

If this breach does lead to an uptick in consumer-based phishing, it will be hard to tie it to LinkedIn because the phishing emails will likely come from compromised email accounts that shared the same LinkedIn password, not LinkedIn itself.

–Aaron Higbee @higbee


Edits:

Nice post here about this: http://www.novainfosecportal.com/2012/06/06/leakedin-passwords-linked/

UPDATE: LinkedIn gives more details. Already they are handling this better than some other breaches.

Check out this blog post from LinkedIn’s Vicente Silveira:  http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

Of course this is an embarrassing situation for them, but I’d like to give them credit for:

  1. Disabling these accounts instead of letting people log in to change the password.
  2. Giving people some good information about password resets and not following links in email. (Phishers will use this breach story to try to compromise accounts in spite of this, but good for them to put out a warning.)
  3. Using the word Salt and promising to give us more details about the security mechanisms that will be going into place.
