[HN Gopher] Battle with bots prompts purge of Amazon, Apple empl... ___________________________________________________________________ Battle with bots prompts purge of Amazon, Apple employee accounts on LinkedIn Author : todsacerdoti Score : 95 points Date : 2022-10-20 17:23 UTC (5 hours ago) (HTM) web link (krebsonsecurity.com) (TXT) w3m dump (krebsonsecurity.com) | pawelwentpawel wrote: | I've seen a number of accounts that had fake profile pictures | straight out of https://thispersondoesnotexist.com, the majority of | them used for spam. | | Also, the content created by (seemingly) real people is sometimes | worse than if it would be automatically generated. I run a couple | jobs board groups on LinkedIn and the sheer amount of | low quality spam that people are trying to push in is incredible. | | Despite all that, I still find LinkedIn useful. | ilamont wrote: | Even before the current LinkedIn purge, shouldn't duplicate | profile images be a red flag? I got three invites from three | different accounts with the same profile photo in the space of a | week over the summer. | | This is also an ongoing issue for Facebook, except the fake | accounts use the same profile photo and name as real people. It's | a vector for fraud and causes untold headaches for millions. It's | been going on for years. | jrd259 wrote: | Surely easily defeated by using fake images from | thispersondoesnotexist.com? | ben_w wrote: | If the criminals are keeping up with tech. I have no reason | to expect them to be any more in the loop than anyone else, | and I still surprise tech people with Google Translate's | augmented reality mode, which is nearly 12-year-old tech now. | latchkey wrote: | LinkedIn is a cesspool of shit. I spent a bunch of time and | removed literally everything from my profile except for my | current job, which only has minimal information. That had the | effect of actually increasing the number of Amazon headhunters | writing me weekly. 
| [deleted] | donretag wrote: | I explicitly have on my profile that I am not interested in | Amazon, but their recruiters still contact me. Recruiters still | don't read profiles; it's basically spray and pray. | | That said, it's been a couple of weeks since I have heard from | Amazon. There truly must be a hiring freeze going on. | mabbo wrote: | Every time an Amazon recruiter emails me, I reply back CC'ing | every previous Amazon recruiter. I say "Thanks <new person | name> but I'm not interested in working for Amazon. <Previous | recruiters>: I previously asked to be taken off the mailing | list- what happened?" | | I got to 4 people on my list before the emails stopped | coming. | tpxl wrote: | At what point does that become harassment? | cyanydeez wrote: | Had these random Asian ladies posting adverts to some charcoal | industrial machines to geology forums. | | I reported them multiple times and each time got an email from | LinkedIn saying they were legit content. | | LinkedIn is purposefully ignorant in the hopes of driving fake | engagement. | stcredzero wrote: | _> LinkedIn is purposefully ignorant in the hopes of driving | fake engagement._ | | From Upton Sinclair Quotes: | | It is difficult to get a man to understand something when his | salary depends upon his not understanding it. | [deleted] | RyJones wrote: | As an employee of an open source foundation of seven people, who | sees hundreds of employees of said project, I guess I salute this | move. | dlahoda wrote: | Why don't they ask for KYC before kicking? | metadat wrote: | After 14 years on LinkedIn, I recently closed my account. | | LinkedIn never did much of consequence for me, and I've been | enjoying no longer receiving recruiter spam. | | A long time ago I did once find a job through LinkedIn ads, but | beyond that it's been a complete waste of time and energy. | | At this point, social media, especially of the "professional" | variety, seems like more trouble than it's worth. 
| paxys wrote: | I work at a large tech company and we are routinely made aware of | phishing scams on LinkedIn using our name - either fake profiles | pretending to be an employee or even impersonating one of our | actual employees. | | People have: | | * Tried to sell our product to others, despite not being | affiliated with us | | * Acted as recruiters for our company | | * Tried to get jobs at other companies pretending to have an | employment history with us | | It's frustrating that we cannot do anything other than report it | to LinkedIn, who may or may not take it down eventually. | | The next time you are answering a LinkedIn DM, remember that | anyone is allowed to write anything on there. None of it is | verified. | stcredzero wrote: | It used to be, in the pre-internet 20th century, that people | would exploit mismatches between paper stores of information to | forge fake identities and game the system. | | https://www.edenpress.com/productcart/pc/viewPrd.asp?idprodu... | | Now, in 2022, people are just using the mismatches between | various Big Tech walled gardens to do the same. | | _Plus ça change, plus c'est la même chose_ (the more things change, the more they stay the same) | gnicholas wrote: | I have wondered about fake profiles on LinkedIn. Seems like | people believe that someone is real and their credentials are | real just because they have a profile. But it would be easy to | set up an account with a fake photo, make up an educational and | employment history, and current employer. None of this is | verified, AFAICT. Then you just start following/connecting to | recruiters and others who are Very Online on LinkedIn, to make | the profile look legit. | xsmasher wrote: | Worse than that - you can create a LinkedIn job listing under | that (unverified) employer. | | My last employer got hit by that, and had to report the listing to | LinkedIn support and wait for them to remove it. Meanwhile the | scammer could use the job listing to collect information from | targets. 
| __derek__ wrote: | A particularly easy suggestion I first heard on the Risky Biz | podcast after the reporting about fake CISOs: LinkedIn should | prominently display profile creation dates. | metadat wrote: | This will only create a market for old "used" accounts. | | LinkedIn allows you to change your name and profile content | as often as you wish, and doesn't keep or publicly expose any | of a profile's past info. | baxtr wrote: | "only" seems a bit harsh. It will probably solve some | problems and create new ones instead, which then again need | to be solved. But that's the story with any solution to a | problem. | metadat wrote: | Agreed. | toomuchtodo wrote: | Online dating apps do selfie verifications or identity | proofing. LinkedIn could do the same as well. To verify | someone's identity with a gov ID is about $1-$2 per proofing | request. | | https://stripe.com/identity (only as an example, many vendors | offering this service) | wildrhythms wrote: | How does the Gov ID verification work? | toomuchtodo wrote: | https://identity.stripedemos.com/ | Spooky23 wrote: | There are lots of interesting grifts out there on LinkedIn. | | We busted one guy who claimed to work somewhere 20 years ago | that a colleague and I worked at. We thought he was a former | colleague - basically there was a guy named "John Smith" that | was this guy. It was too long ago to disqualify the guy, so we | validated his LinkedIn history items carefully and they were | mostly bogus. | | Everything looked legit on the surface. It was like a spy movie | or something. | [deleted] | mh8h wrote: | I wanted to share the link of a job posting on our company | website to LinkedIn. It asked if I want to add my work email to | my profile, just for verification reasons, so that it shows the | "Is Hiring" ring around my profile photo. I made sure it's | displayed nowhere in my profile. I also unselected every single | consent related to using that email address. 
Less than a week | later I started receiving recruiter emails at my work address. | sylens wrote: | Shouldn't there be an option to verify your employment at a | company? If you list a company in your profile, you have to | provide a company email and click a link to prove that you own | that email address. You could tune this to prompt someone to | "refresh" the proof once a year or something. | [deleted] | laweijfmvo wrote: | Even Blind does this, and that's top-tier trash. | | I imagine LinkedIn has no benefit from doing this. It would | only serve to show how few real employees they have and devalue | the platform to recruiters. | cmeacham98 wrote: | Obviously this won't work for every company, but for Amazon, | Apple, and similar it seems like the solution is obvious: | LinkedIn users should be forced to verify an | @amazon.com/@apple.com/etc email address to claim they are | currently an employee of those companies. | chrismarlow9 wrote: | This is a good thought but only if the company allows you to | generate a throwaway email, or designates a single email for | this purpose that potentially forwards to HR (to verify the | employment). Otherwise this puts a massive target on LinkedIn's | back for a data breach and opens individual work emails to | spam. Both would be nasty for credential harvesting (email | username) and spear phishing. | | The single HR email seems like the best option since they would | be able to retroactively confirm employment even if you've | left. | plandis wrote: | ...and then get spammed on my work email? No thanks! | tharkun__ wrote: | Worst idea ever. I have never and will never give LinkedIn (or | similar platforms) my work email address. | | I strictly separate work from personal stuff. Work stuff gets | my work email. Personal stuff gets my personal email. | | Traveling for work and need to book a hotel? Work email. Apple | Id for work laptop? Work email. New account per employer. 
Gets | disassociated and closed before I hand in my laptop. Electronic | pay slips? Personal email. Health insurance account? Personal | email. Apple Id for personal laptop? Personal email. | | There are things I need or want access to without being | dependent on my employer. | | LinkedIn has nothing to do with my work. It's personal. It's | about me. I list information about me. It's like a CV. No I | should not have to update my CV through my work email account | where my employer has access to information they shouldn't and | where I can't update it if I no longer work there. | derefr wrote: | > No I should not have to update my CV through my work email | account | | That (changing your account to use your work email for sign- | in) is not what they're suggesting; they're suggesting | _binding_ the email address as secondary information to your | account (by sending it a magic-link email you have to click) | -- like a Keybase verification that you "own" a profile. | tedunangst wrote: | And do I trust them to silo this information? Similar | companies like Facebook and Twitter are a solid 0% in using | info provided for verification only for verification | purposes. | derefr wrote: | Your rhetorical question is... whether you should trust a | company that already has both your full name, and a list | of companies you've worked for (because you gave them | both of those things to enable them to publicly display | them to people searching for you)... with the information | of what your corporate email address is? | | They already _know_ your corporate email address. They -- | and anyone else who sees the public profile they display | for you(!) -- have all the information required to deduce | it. (And privately, they have all the info required to | not even have to brute-force it -- i.e. they already know | some of your coworkers' corporate email addresses, and | so the format of the username-part of yours.) 
| | The only thing they _don't_ know, is whether you -- the | person who claims to have worked for company X, but might | not actually -- can access that email address. | | Is there something scary about them having that | information, over-and-above what's scary about them being | able to do what they can do with the information you | explicitly _did_ choose to give them? | tharkun__ wrote: | Exactly my point. I should not require current access to a | work email account just to update my CV to show that I | worked somewhere. Or for how long I worked there (like that | suggestion to "re-verify" periodically). | | I don't update my LinkedIn right away for example when I | change jobs. I usually wait about a year until I put the | new employer. Why would I accept getting forced, as one of | the first actions at my new employer, to list where I work? | derefr wrote: | Showing that you _worked_ somewhere and showing that you | _are working_ somewhere are two different things. A work | email can be used to show that you _are working_ | somewhere. Proving that you _did work_ somewhere (and for | how long) would require... I don't know, an income tax | statement? Like banks ask for -- "proof of income." | | IMHO, of the two options, the email is the more | convenient and less invasive one -- at the expense of not | always being reachable by the time you need it. | tharkun__ wrote: | I understand that it _can_ be used. I am saying that it | is a bad idea to require that. | | Yes sure it is _less_ invasive than the other option you | gave. I mean income tax statement to show I worked | somewhere, are you kidding me? To LinkedIn? Showing | exactly how much I made? Your suggestions are not getting | better. Less invasive doesn't mean it's a good idea. | | Making the president dictator for 20 years is less bad | than making him dictator for life. I still like democracy | better, even if it's not perfect. 
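The magic-link binding sylens and derefr describe above, and the breach concern chrismarlow9 raises (a table of real work addresses is a harvesting target), can be sketched in code. What follows is an added illustration, not LinkedIn's implementation and not any commenter's code: the names (EmploymentVerifier, Proof, the two TTLs) are invented for the example. The design choice it shows is that the profile store keeps only the verified domain and an HMAC of the mailbox under a server key held elsewhere, so a dump of the profile database yields neither addresses nor anything a dictionary attack on a plain hash would recover; the HMAC still lets one mailbox back only one account, the token is single-use and short-lived, and the proof expires so it has to be refreshed, as sylens suggested.

```python
"""Work-email binding for an employment claim (illustrative only).

Assumed design, not LinkedIn's: the profile keeps the verified *domain*
and a keyed hash of the mailbox, never the raw address; tokens are
single-use and short-lived; the proof expires so it has to be refreshed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL = 15 * 60            # magic link valid for 15 minutes (assumed value)
PROOF_TTL = 365 * 24 * 3600    # re-verify yearly, as suggested in the thread


@dataclass
class Proof:
    domain: str          # the only part ever shown to other users
    address_hmac: str    # HMAC(server_key, address): dedupes mailboxes without storing them
    verified_at: float


@dataclass
class EmploymentVerifier:
    server_key: bytes                                   # kept outside the profile DB
    now: Callable[[], float] = time.time                # injectable clock for tests
    pending: Dict[str, Tuple[str, str, float]] = field(default_factory=dict)
    proofs: Dict[str, Proof] = field(default_factory=dict)
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # stands in for SMTP

    def start(self, user_id: str, address: str) -> str:
        """Issue a magic-link token and 'mail' it; returns the domain being claimed."""
        address = address.strip().lower()
        local, at, domain = address.rpartition("@")
        if not at or not local or "." not in domain:
            raise ValueError("not a usable email address")
        token = secrets.token_urlsafe(32)
        self.pending[token] = (user_id, address, self.now())
        self.outbox.append((address, token))   # a real system would send this by mail
        return domain

    def _mac(self, address: str) -> str:
        return hmac.new(self.server_key, address.encode(), hashlib.sha256).hexdigest()

    def confirm(self, user_id: str, token: str) -> bool:
        """Called when the link is clicked. Any failure burns the token."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        owner, address, issued_at = entry
        if owner != user_id or self.now() - issued_at > TOKEN_TTL:
            return False
        mac = self._mac(address)
        # One mailbox can back only one profile: blocks re-using a real
        # employee's inbox to stand up a second, fake account.
        if any(p.address_hmac == mac for uid, p in self.proofs.items() if uid != user_id):
            return False
        self.proofs[user_id] = Proof(address.rpartition("@")[2], mac, self.now())
        return True

    def claim_is_verified(self, user_id: str, claimed_domain: str) -> bool:
        """Does a fresh proof back the employer domain shown on the profile?"""
        proof: Optional[Proof] = self.proofs.get(user_id)
        if proof is None or self.now() - proof.verified_at > PROOF_TTL:
            return False
        return proof.domain == claimed_domain.strip().lower()
```

Mapping an employer to its domains (and deciding which employers opt in, as derefr's org-admin toggle would) is left to the caller; the verifier only answers whether a fresh, single-owner proof exists for the claimed domain.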
| derefr wrote: | I don't think you've grasped the spirit of what I'm | saying. In a perfect world, every interaction with a | service would require exactly as much identity | verification as is required to entirely, 100% prohibit | people pretending to be you... but also, people being | people, they would then voluntarily _avoid interactions_ | which _would necessitate_ giving that proof. | | In other words, in a perfect world, the government | requires LinkedIn and similar services to put users | through KYC (i.e. demand proof-of-identity+income for | sign-up)... and poof! These services cease to exist, | because nobody's going to give them that for only the | small amount of value LinkedIn provides people. | CogitoCogito wrote: | What if the place has no canonical email domain for its | employees? Or if they don't all receive them? Or if many | employees are working there as contractors and not | receiving emails? | | The more I think about it, the more corner cases I see | that make this problematic. | derefr wrote: | Like I said, it would be a pure optimization over a more | rigorous proof-of-identity + proof-of-income path. You | can always allow the user to just fall back to that more- | rigorous path if they don't have such a verifiable | address. | CogitoCogito wrote: | LinkedIn will never require proof of income. That's much | more intrusive. So no it's not an optimization over | something that simply never will occur. | | I think you may just have to accept that if you want to | verify an employee, you'll need to call their previous | employers. This is the way it's always been done. | derefr wrote: | > I think you may just have to accept that if you want to | verify an employee, you'll need to call their previous | employers | | You're talking about "they" as in the people reading the | CV. Which works fine for the scale individual employers | operate at. 
| | But the point of this conversation, is what the services | themselves, dealing with fake profiles _at scale_, | should do. LinkedIn themselves don't make hiring | decisions; they make money off of how reliable their | listings are. Their incentive is entirely different than | the employer's incentive. | | By analogy: it's fine to talk about how a given person | should carry pepper spray with them if they want to avoid | getting mugged. But what should a _city government_ do to | make a city a place people want to move to, where people | generally don't want to move to cities where they might | have a high chance of getting mugged? | | > LinkedIn will never require proof of income. That's | much more intrusive. | | You seem to think we're talking about this being done for | every company automatically. But my understanding is that | bots are always trying to impersonate the same top | companies -- so this requirement would either be for a | certain whitelist of important employers, or (more | likely) would be an org setting that the LinkedIn org | admin for a given company would set (when they're having | trouble with bots), to _require_ LinkedIn to do extended | verification for people claiming to specifically be | employees of _that_ company. Very much like how | Cloudflare has an "I'm under attack" toggle that forces | visitors through CAPTCHAs. If your previous employer sets | that flag... well, that's their fault. Same as it's their | fault if they aren't willing to give you a reference for | petty reasons. | blacksmith_tb wrote: | I guess they haven't got them all yet, I mean, the consensus | seems to be that Apple has ~155K employees[1] not 284K (and | obviously not every Apple employee will have a LinkedIn | account...) | | 1: https://www.statista.com/statistics/273439/number-of- | employe... | stormbrew wrote: | Likely a lot of people just never update their employer on | LinkedIn after they leave. Especially if they retire. 
That'd | be a different kind of problem than bot accounts. | TazeTSchnitzel wrote: | I have noticed multiple former colleagues where I work not | bothering to update their profile when leaving. | dylan604 wrote: | I haven't updated my LI profile for quite some time. I don't | even care enough to login to see exactly what was the last | update. I do know that a recruiter was emailing me about a | company that I had already spent time working with and since | moved on, but was after I quit updating the LI profile. Still | haven't retired either. | ipaddr wrote: | You have double accounts and contractors who officially worked | for someone else claiming employment. Plus former employees who | never updated. | [deleted] | raydiatian wrote: | LinkedIn is such an objective failure. I'm independent and even I | deleted mine. | | You can rest assured they're still handing out our information. | bushbaba wrote: | Eh disagree. It's been invaluable for keeping up with former | colleagues. And finding contacts to assist with business. | unforeseen9991 wrote: | Yeah people's contact information changes over the years, | especially these days. Some people I develop a close enough | relationship with to exchange personal email accounts, the | majority I don't. | | I'm independent as well and some of my biggest projects have | been from former people I've worked with reaching out. | etchalon wrote: | It's absolutely ridiculous that the administrator for a Company | Page can't remove a person as an employee from that page. | | We have a dozen or more fake employees on our page, plus ex- | employees who never updated their LinkedIn, and there's no way | for me to say, as a person who owns the business, "This person | does not work here." | | Ridiculous. | ChrisMarshallNY wrote: | I have someone in UAE that is listed as an employee of one of my | companies, as an administrative assistant. | | The company is in my home, in New York. 
| | I reported the fake profile, but it's still there, listed as an | employee of mine. | | _[UPDATE] Actually, belay that. They seem to finally be gone._ | makestuff wrote: | Slightly related but there is a fake profile of me on Facebook | I have been trying to get taken down for months now. It copied | my profile picture and added several of my mutual friends. | Facebook just keeps saying the profile doesn't violate their | guidelines even though my last name is very unique and the | profile picture makes it blatantly obvious. | bee_rider wrote: | Yeah, fake profiles were one of the things that made me just | start completely ignoring friend requests on Facebook. | Although I'm one of those grumpy, uninterested/uninteresting | people who is just on the site to stay in touch with their | parents and grandparents, so it isn't like I'm in the | demographic they are trying to grow anyway. | Brybry wrote: | I wonder if you DMCA/copyright strike the fake profile for | using your picture if that would be more effective. | [deleted] | hsbauauvhabzb wrote: | A young (attractive) man was murdered in my country with a | case dragged out over a period of years, there was a fake but | active profile using his highly published images under a | different name. Facebook banned me for continuously reporting | the profile, in every report I linked multiple articles | containing the relevant images. | | I would suggest you encourage a large volume of contacts to | report the profile. Funny that you have to game the system to | achieve a perfectly legitimate result. | dylan604 wrote: | >Funny that you have to game the system to achieve a | perfectly legitimate result. | | How does the automated bot tell the perfectly legitimate from | the wholly scammed? | derefr wrote: | I feel like the workflow that happens when you click "flag" | in social networks has become ossified according to | "Content Guidelines" in the same way that Level-1 CSR | scripts are ossified. 
To actually get one-off (rather than | rule-based) evaluation of a problem, you need your report | to not come in from that direction, but from some other | side-channel, e.g. a viral tweet complaining about the | problem. | Firmwarrior wrote: | Man, I wish we could convince people to just stop using | these fucking "platforms" and go back to cheap selfhosted | forums/blogs | | Of course a giant faceless low-margin corporation is | going to do a bad job of moderation. I wish it weren't | such a big deal when they fail at it | hsbauauvhabzb wrote: | They wait for the user to respond, and give them 4 weeks. It's | silly. | notacoward wrote: | > LinkedIn claims that its security systems detect and block | approximately 96 percent of fake accounts. | | In order for that number to mean anything, they'd have to know | what the total is. It would be more accurate to say that 96% of | those who are caught at all are caught by LinkedIn themselves | (presumably the rest by third parties) but that says nothing | about how many are still in the system ... and that still seems | to be a lot. | pfortuny wrote: | You can do random sampling, though. It can give a good | estimate. Not saying they are doing it, though. | | But you certainly can get a good assessment without knowing the | total population. | oersted wrote: | As in any similar problem: you can sample a reasonably | representative set of accounts, review them thoroughly by | manual means, and see how these manual results compare to the | automatic ones. | | They don't need to know what the total is, if they knew the | problem would be solved. | | 96% represents the probability of a correct prediction, not a | fraction of the total. | tedunangst wrote: | No, that would be much less accurate to say. They're not saying | the other 4% are caught at all. | notacoward wrote: | > No, that would be much less accurate to say. | | You don't know that. 
If I was premature in making a guess, | you were equally premature in contradicting it. What's your | interpretation? That they meant 96% of the total? I might | enjoy seeing you explain how that could be true while still | leaving 600K Amazon/Apple profiles to be cleaned up in a | special campaign responding to media exposure. Do you think | it's 96% of what they could have caught by manually examining | every profile? That's no more supportable than the theory you | summarily rejected. Your own guesses or assumptions are no | better than anyone else's. | [deleted] | [deleted] | raydiatian wrote: | It always seems that the tech companies that make major OSS | contribs turn into fiestas. | | 1. LinkedIn gave us Kafka | | 2. Netflix gave us Hystrix | | 3. Greatest of all, Facebook, who gave us everything: React, | PyTorch, Jest | Macha wrote: | Apple with LLVM is arguably a bigger contribution than LinkedIn | with Kafka, and Apple are notoriously stingy with open source. | I'd have thought their contributions to FreeBSD would be | Netflix's most notable contributions. No mention of Google with | Angular, Dart, WebM, AOSP, Guava, Kubernetes, Bazel, Go. At | this stage Microsoft is also arguably a larger open source | contributor than LinkedIn or Netflix. | raydiatian wrote: | This is all fair. I genuinely didn't know Apple developed | LLVM, I knew they were heavily involved in early 00's. Can't | believe I forgot Kubernetes & Angular. | | Anyways it's a hot take, you're totally right. ___________________________________________________________________ (page generated 2022-10-20 23:00 UTC)
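The exchange between notacoward, pfortuny and oersted above is about what a "96 percent" detection figure can mean and how you would measure it without knowing the total. Worked through below as an added example (not from the Krebs article or the thread): a random sample of accounts is reviewed by hand and compared with the automated verdict, which gives precision (share of blocked accounts that were fake) and recall (share of fakes that got blocked), each with a Wilson interval; a second hand-reviewed sample of accounts the system did not block is scaled up to estimate how many fakes are still live. The sample counts and the 500,000 population are constructed for the illustration and are not LinkedIn figures; the function names are the example's own.

```python
"""What a '96% of fake accounts blocked' figure can mean, estimated from a
manually reviewed random sample (added example; all numbers constructed).
"""
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed review sample: (flagged_by_automation, fake_per_manual_review)
# for 1000 accounts drawn at random and each reviewed by hand.
REVIEW_SAMPLE: List[Tuple[bool, bool]] = (
    [(True, True)] * 480      # caught fakes
    + [(True, False)] * 20    # real accounts wrongly flagged
    + [(False, True)] * 120   # fakes that slipped through
    + [(False, False)] * 380  # real accounts left alone
)

# Constructed second sample: 1000 accounts the system did NOT block,
# reviewed by hand; 24 turn out to be fake.
SURVIVOR_SAMPLE: List[bool] = [True] * 24 + [False] * 976
ASSUMED_LIVE_ACCOUNTS = 500_000   # placeholder population, not a LinkedIn figure


def confusion(sample: Iterable[Tuple[bool, bool]]) -> Tuple[int, int, int, int]:
    """Return (tp, fp, fn, tn), counting 'fake' as the positive class."""
    c = Counter(sample)
    return c[(True, True)], c[(True, False)], c[(False, True)], c[(False, False)]


def precision(tp: int, fp: int) -> float:
    """Of what the system flagged, the fraction that was really fake."""
    return tp / (tp + fp) if tp + fp else 0.0


def recall(tp: int, fn: int) -> float:
    """Of the fakes present, the fraction the system flagged."""
    return tp / (tp + fn) if tp + fn else 0.0


def wilson(k: int, n: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson score interval for the proportion k/n; well-behaved near 0."""
    if n == 0:
        return 0.0, 1.0
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def surviving_fakes(survivor_sample: List[bool], population: int) -> Dict[str, int]:
    """Scale the fake fraction among reviewed survivors up to the population."""
    n, k = len(survivor_sample), sum(survivor_sample)
    lo, hi = wilson(k, n)
    return {"point": round(population * k / n),
            "low": round(population * lo),
            "high": round(population * hi)}


def report(sample=REVIEW_SAMPLE, survivors=SURVIVOR_SAMPLE,
           population=ASSUMED_LIVE_ACCOUNTS) -> Dict[str, object]:
    """Both readings of '96%' side by side, plus the live-fake estimate."""
    tp, fp, fn, tn = confusion(sample)
    return {
        "precision": precision(tp, fp),   # 0.96: 96% of blocked accounts were fake
        "recall": recall(tp, fn),         # 0.80: only 80% of the fakes were blocked
        "recall_ci": wilson(tp, tp + fn),
        "still_live": surviving_fakes(survivors, population),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With these constructed numbers the system is "96% accurate" in the precision sense while a fifth of the fakes survive, which is the ambiguity notacoward points at; the survivor sample is the part that answers "how many are still in the system", and it needs no knowledge of the true total, only a random draw from what is live.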