How recent data breaches can help you avoid a catfish attack

Suggestions that recent, high profile data breaches were enabled with so-called ‘catfish’ operations should not come as a surprise. The groups responsible, one of which is thought to be linked to the Iranian state, have been using this technique for several years and it is highly likely that other criminals are finding ways to make catfishing work for them, too.

Although, in recent cases, social media was being used to establish a level of trust as the basis for a subsequent attack, it is worth considering what else a potential attacker can gain from your social media profile, how they can potentially use this information and what you can do to prevent them.

Targeting the professionals’ network

LinkedIn is the natural first port of call for any attacker conducting hostile reconnaissance on your organisation, with much of the information of interest generally being explicitly posted by the targeted individual. Pictures of security passes are always useful if an attacker is looking to gain physical access to a building, whereas screenshots, images of hardware and lists of skills relating to specific technologies/platforms are very useful in identifying a potential attack surface and vulnerabilities.

Even comparatively minor snippets of information, such as the names of meeting rooms or the dates and times of key meetings, can be used by attackers to lend a degree of credibility to their attempts to impersonate staff and elicit further information.

The LinkedIn links

Going beyond what is actually posted by an individual, it’s also worth considering what information the associations inherent in LinkedIn can provide an attacker. LinkedIn has a large number of potential linkages: recommendations, endorsements, likes/comments and the ‘People Also Viewed’ column.

The last category is particularly interesting. It has the potential to reveal significant information about an organisation’s structure and can allow an attacker to begin to understand the structure in detail. This is possible even when individuals do not publicly reveal for which organisation, or in which department, they work.

In tests against a known organisation, NCC Group analysts were able to replicate the structure with a good degree of accuracy using this methodology. Indeed, in some cases, analysts were able to identify the names of colleagues who were not even on LinkedIn: where an individual’s ‘People Also Viewed’ column is filled with links to different profiles of the same name, it indicates that people were searching for a colleague of that name.

Safety in numbers

The ability of an attacker to exploit LinkedIn connections suggests that the problem goes well beyond individual responsibility; your social media security hygiene may be impeccable, but you’re still at risk from colleagues and connections who are less careful.

For an organisation to have the best chance of withstanding attempts at hostile reconnaissance, enough of the potential targets must be secure enough to prevent effective social network analysis.

Locking down your LinkedIn profile

Here are our top tips for making your LinkedIn profile more secure:

Review the Settings & Privacy section of your account

The Settings & Privacy section can be accessed in the drop-down menu that appears when you click ‘Me’ at the top of the screen. Clearly there’s a trade-off between visibility and security; only you can decide where that balance should lie.

Think before you post

Posts often openly reveal potentially sensitive information. Pay special consideration to the following:

  • Information relating to physical security. Pictures of passes, security infrastructure, keys, etc. are helpful in gaining physical entry to a location.
  • Information which may indicate the hardware/software in use by you or your organisation. In particular, screenshots can give away far more information than you think, but also be aware of listing all the technologies in which you have gained proficiency during your current role. (This information helps attackers identify potential technical vulnerabilities.)
  • Information about the location/pattern of life of key staff members.
  • Information such as project names and codes. This would be useful to an attacker in impersonating someone in your organisation.
  • Key events or timings within the organisation. This would be useful for selecting the time/date when an attack is most likely to be successful.

Think before you connect

For those working in sectors where security is a priority, it’s generally good advice to avoid connecting with people with whom you are not already acquainted. Consider the following points when assessing whether to accept a connection:

  • Most, but not all, catfishing attempts are built around the profile of a young, attractive female.
  • Be alert to subtle clues, such as poor English (where relevant), inconsistencies in the profile and recently created profiles which lack existing, relevant connections within your industry.
  • Although having mutual connections with the target may be an indicator that the profile is legitimate, it might just be an indication that some of your friends/colleagues have been suckered.

Stay hidden

Consider removing the ‘People Also Viewed’ element from your profile, and consider how much information you are revealing when you give and receive recommendations, endorsements, likes and comments.

See it, report it

Report suspected catfish profiles to LinkedIn and alert others in your organisation/network to your concerns.

Using LinkedIn effectively requires a balance of competing priorities: security considerations have to be weighed up against the potential advantages in regard to sales, marketing, industry collaboration and professional development.

NCC Group consultants have an in-depth understanding of the kind of information that attackers look for, where they look for it, and how they use it to target individuals and organisations. If you require it, we can provide your organisation with an attacker’s-eye view, showing the nature and extent of your digital footprint and its potential security implications.

What is catfishing?

Catfishing is the process of luring someone into a relationship by adopting a fictional online persona, usually in order to conduct a social engineering attack.

The most common form of catfish attack revolves around dating sites; the perpetrator establishes a strong bond with the victim (often over an extended period of time) before creating a plausible context for requiring the victim’s financial assistance – such as not being able to afford to apply for a visa or pay for a flight to visit the victim.

The process is put to a different use by more sophisticated groups (including, as we have seen, hostile intelligence services). The objective here is not to scam money from the victim, but to establish sufficient trust to get the target to open an infected attachment or visit a site hosting malware.

Why is it called catfishing?

Allegedly, when cod were transported overseas in large tanks they became lethargic, resulting in a marked reduction in their flavour. In order to rectify this, the shippers added a catfish to the tank as well, thereby keeping the cod active. In much the same way as the catfish kept the cod ‘on their toes’, the idea goes, people masquerading behind fake personas should have a very similar effect on humans. However, NCC Group analysts cannot vouch for the truth of any element of this etymology.

Published date:  12 October 2017

Written by:  Tim Haines