Should I bring all my shoes and glasses?

//LinkedIn Update – Ummmm, Update

General | 9. November, 2010

So the tactic has been around for a while. A quick search found this posting by Neal Schaffer, http://windmillnetworking.com/2009/05/21/fake-linkedin-profile-how-to-spot/, in which the fake profiles use the same method as the profiles I found. The big difference is that those fake profiles targeted not people in security but “specialists in social media”…which means it is more than likely that “sets” of fake profiles exist to target different groups (e.g. security, IT, marketing).

Note that this is not the same as the Robin Sage or Marcus Ranum fake profile experiments.

The author brought up a good point here, and a question I posed to LinkedIn directly…why can’t LinkedIn police this?  They have direct access to the data and I’m sure finding similar profiles based on a set of simple logic shouldn’t be that difficult to data mine…right?  So far their response has been: “We don’t have an answer yet.”

Comments

  • Robin Sage says:

    Deron,

    Fake profiles have been a problem way before The Robin Sage Experiment and Marcus Ranum Experiment. These tactics have been used online way before social media. Half the women in AOL Lesbian chat rooms were really guys trying to get pictures. In order to truly spot a fake you need to do your own due diligence. A social media site cannot be fully responsible because social media is free and the costs are astronomical for such features.

    I think an experiment for targeting social media professionals lacks some credibility. The mindset of social media experts is to be free and open, and not to be cautious. There are directed targets at specific groups. For instance in August there was a “Hit List” where several people were killed. The target was teenagers under 18 from Puerto Asís, Colombia.

    There definitely are over a hundred thousand fake profiles. You have people with alternative life styles, pedophiles, cyber stalkers, hackers, agents, IRS, collection agents, insurance agents, trickster girlfriends and boyfriends, and social media experiments.

    The more that people use social media, the more complex it becomes to identify fakes.

  • Deron Grzetich says:

    Thanks for the comment.

    My intention wasn’t to state that the experiments I mentioned in the post were the first, only that this appears to be slightly different in that the profiles are poorly created en masse for the apparent purpose of connection data mining. I can agree that as more users join social media sites the more difficult it becomes to identify fake profiles…especially those who take the time to create a legitimate looking profile for their own needs. For sites like Facebook I’d expect fake profiles to be quite abundant given the type of information available (and yes, I used AOL as well but I was more likely to be the guy hacking your system than pretending to be someone else). We have had, and will continue to have, an authentication issue on the web given its nature as an anonymous medium. The issue I see is that social networking sites which cater to business professionals become devalued due to trust issues and the fact that they are littered with such obvious fake profiles.

    If I had to put it into an analogy I’d probably go with “selling a house”. You clean the place up, paint, cut the grass, and fix the leaky faucet all to get more people interested at closer to the asking price. If someone walks by and throws trash on your lawn or TPs your house you clean it up (the obvious fakes). Sure, you could have electrical wiring issues buried deep in the walls that the buyer may not see until after they close and an issue pops up in the future (the really good fake profiles). But the funny thing is the more questions you ask, and the better the home inspector, the more transparent the walls become. Similarly, the more information someone puts into their LinkedIn profile the easier it becomes to identify a fake (assuming people do that prior to accepting a connection). If you say you worked for IBM in Chicago chances are I know someone there…and it becomes fairly easy to ask them or even see if they know this person. If you’ve been at IBM for 3 years, yet aren’t connected to anyone else at IBM that would also be a bit odd.

    I guess you’re also saying social media experts are gullible given their very nature, which makes sense. So yes, that study may lack credibility and since that isn’t my line of work I can’t comment…but you would have to expect if they are open then those in security should be the polar opposite. This is why I’m interested in this “experiment in data mining” since the set I’m after is related to infosec fake profiles.

    In the end we do need to perform our own due diligence, but I disagree the costs would be astronomical to identify the garden variety fakes such as the 120+ infosec profiles I found. Yes, it would be foolish to expect to get to anywhere near zero fake profiles, but the ones these guys created are just plain awful. I can’t see, having access to the data, that it would be difficult to find the replicated profiles these guys created. We can comb through millions of security logs a day to correlate an event based on logic…and that is accomplished at a pretty low cost. Keep in mind that is over multiple different types of systems, applications, and operating systems that we don’t necessarily control…for LinkedIn we’re talking about a backend database which contains all of the data that is under their control.
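
The two checks argued for in the comment above (replicated profile text, and a multi-year employer claim with no connections at that employer), as an added example that is not part of the original post or its comments. The records, field names and thresholds are constructed assumptions, not LinkedIn's data model.

```python
from itertools import combinations

# Constructed sample records (not real accounts); field names are assumptions.
TEMPLATE = "information security specialist with ten years of experience in risk and"
PROFILES = [
    {"id": "p1", "employer": "ExampleCorp", "years": 5, "connections": {"p2"},
     "summary": "I lead incident response and forensics for a regional bank"},
    {"id": "p2", "employer": "ExampleCorp", "years": 4, "connections": {"p1"},
     "summary": "Network engineer turned penetration tester and conference speaker"},
    {"id": "f1", "employer": "ExampleCorp", "years": 3, "connections": {"f2"},
     "summary": TEMPLATE + " compliance"},
    {"id": "f2", "employer": "OtherCo", "years": 3, "connections": {"f1"},
     "summary": TEMPLATE + " audit"},
    {"id": "f3", "employer": "ExampleCorp", "years": 3, "connections": {"f2"},
     "summary": TEMPLATE + " compliance"},
]

def shingles(text, k=3):
    """Set of k-word windows; tolerant of small edits to a copied template."""
    words = text.lower().split()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def replicated_pairs(profiles, threshold=0.6):
    """Pairs of profile ids whose summaries are near-copies of each other."""
    sh = {p["id"]: shingles(p["summary"]) for p in profiles}
    return [(a, b) for a, b in combinations(sorted(sh), 2)
            if jaccard(sh[a], sh[b]) >= threshold]

def isolated_from_employer(profiles, min_years=3):
    """Ids claiming min_years+ at an employer yet connected to nobody else
    who lists that employer. Sole listers are skipped: no evidence either way."""
    by_employer = {}
    for p in profiles:
        by_employer.setdefault(p["employer"], set()).add(p["id"])
    flagged = []
    for p in profiles:
        colleagues = by_employer[p["employer"]] - {p["id"]}
        if p["years"] >= min_years and colleagues and not (p["connections"] & colleagues):
            flagged.append(p["id"])
    return sorted(flagged)

if __name__ == "__main__":
    print("replicated:", replicated_pairs(PROFILES))
    print("isolated:  ", isolated_from_employer(PROFILES))
```

Either signal alone is weak; a profile that appears in both lists is the kind of garden-variety fake the comment describes.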
