[HN Gopher] Battle with bots prompts purge of Amazon, Apple empl...
___________________________________________________________________
Battle with bots prompts purge of Amazon, Apple employee accounts
on LinkedIn
Author : todsacerdoti
Score : 95 points
Date : 2022-10-20 17:23 UTC (5 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| pawelwentpawel wrote:
| I've seen a number of accounts that had fake profile pictures
| straight out of https://thispersondoesnotexist.com, majority of
| them used for spam.
|
| Also, the content created by (seemingly) real people is sometimes
| worse than if it would be automatically generated. I run a couple
| jobs board groups on LinkedIn and the sheer amount of
| low-quality spam that people are trying to push in is incredible.
|
| Despite all that, I still find LinkedIn useful.
| ilamont wrote:
| Even before the current LinkedIn purge, shouldn't duplicate
| profile images be a red flag? I got three invites from three
| different accounts with the same profile photo in the space of a
| week over the summer.
|
| This is also an ongoing issue for Facebook, except the fake
| accounts use the same profile photo and name as real people. It's
| a vector for fraud and causes untold headaches for millions. It's
| been going on for years.
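Duplicate or near-duplicate profile photos across accounts, as raised in the comment above, are something a platform can check for mechanically. The block below is an added example (not code from the thread or from LinkedIn) of a perceptual average hash (aHash): an image is pooled to an 8x8 grid and each cell becomes one bit depending on whether it is brighter than the mean, so a resized or brightened copy of the same photo hashes to the same or a nearby value, while an exact file hash would miss it. The images are constructed in code (a bright ellipse or square on a flat background) and the profile names are hypothetical.

```python
"""Near-duplicate profile-photo detection with an average hash (aHash).

Added example: the images are constructed in code (two-tone shapes on a
flat background), not real profile photos."""

BACKGROUND, FOREGROUND = 60, 190  # grey levels of the constructed images


def portrait(size=64, cx=32, cy=32, rx=16, ry=22):
    """Grayscale image (rows of 0..255 ints) with a bright ellipse."""
    return [[FOREGROUND if ((x - cx) / rx) ** 2 + ((y - cy) / ry) ** 2 <= 1
             else BACKGROUND for x in range(size)] for y in range(size)]


def badge(size=64, edge=24):
    """An unrelated image: a bright square in the top-left corner."""
    return [[FOREGROUND if x < edge and y < edge else BACKGROUND
             for x in range(size)] for y in range(size)]


def brighten(img, delta):
    """Uniform brightness shift, the kind of edit a re-upload often carries."""
    return [[min(255, p + delta) for p in row] for row in img]


def downscale(img, size):
    """Average-pool to size x size; the image must be at least size x size."""
    h, w = len(img), len(img[0])
    if h < size or w < size:
        raise ValueError("image smaller than target size")
    out = []
    for by in range(size):
        y0, y1 = by * h // size, (by + 1) * h // size
        row = []
        for bx in range(size):
            x0, x1 = bx * w // size, (bx + 1) * w // size
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def ahash(img):
    """64-bit average hash: bit is 1 where an 8x8 cell is brighter than the mean."""
    cells = [c for row in downscale(img, 8) for c in row]
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | (c > mean)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def photo_clusters(profiles, max_distance=6):
    """Group profile names whose photo hashes lie within max_distance bits."""
    hashes = {name: ahash(img) for name, img in profiles.items()}
    clusters, assigned = [], set()
    for name, h in hashes.items():
        if name in assigned:
            continue
        group = {other for other, h2 in hashes.items()
                 if other not in assigned and hamming(h, h2) <= max_distance}
        assigned |= group
        if len(group) > 1:
            clusters.append(group)
    return clusters


SAMPLE_PROFILES = {                       # constructed, hypothetical accounts
    "original": portrait(),
    "resized_copy": downscale(portrait(), 32),
    "brightened_copy": brighten(portrait(), 20),
    "unrelated": badge(),
}
```

`photo_clusters(SAMPLE_PROFILES)` returns one cluster containing the original and its two edited copies, and leaves the unrelated image alone; the threshold of 6 bits out of 64 is a common starting point for aHash and would be tuned against real photos. As the reply below notes, a generated face defeats this check entirely, since it is a genuinely new image.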
| jrd259 wrote:
| Surely easily defeated by using fake images from
| thispersondoesnotexist.com?
| ben_w wrote:
| If the criminals are keeping up with tech. I have no reason
| to expect them to be any more in the loop than anyone else,
| and I still surprise tech people with Google Translate's
| augmented reality mode, which is nearly 12 year old tech now.
| latchkey wrote:
| LinkedIn is a cesspool of shit. I spent a bunch of time and
| removed literally everything from my profile except for my
| current job, which only has minimal information. That had the
| effect of actually increasing the number of Amazon headhunters
| writing me weekly.
| [deleted]
| donretag wrote:
| I explicitly have on my profile that I am not interested in
| Amazon, but their recruiters still contact me. Recruiters still
| don't read profiles; it's basically spray and pray.
|
| That said, it's been a couple of weeks since I have heard from
| Amazon. There truly must be a hiring freeze going on.
| mabbo wrote:
| Every time an Amazon recruiter emails me, I reply back CC'ing
| every previous Amazon recruiter. I say "Thanks <new person
| name> but I'm not interested in working for Amazon. <Previous
| recruiters>: I previously asked to be taken off the mailing
| list- what happened?"
|
| I got to 4 people on my list before the emails stopped
| coming.
| tpxl wrote:
| At what point does that become harassment?
| cyanydeez wrote:
| Had these random Asian ladies posting adverts to some charcoal
| industrial machines to geology forums.
|
| I reported them multiple times and each time got an email from
| LinkedIn saying they were legit content.
|
| LinkedIn is purposefully ignorant in the hopes of driving fake
| engagement.
| stcredzero wrote:
| _> LinkedIn is purposefully ignorant in the hopes of driving
| fake engagement._
|
| From Upton Sinclair Quotes:
|
| It is difficult to get a man to understand something when his
| salary depends upon his not understanding it.
| [deleted]
| RyJones wrote:
| As an employee of an open source foundation of seven people, who
| sees hundreds of employees of said project, I guess I salute this
| move.
| dlahoda wrote:
| Why don't they ask for KYC before kicking?
| metadat wrote:
| After 14 years on LinkedIn, I recently closed my account.
|
| LinkedIn never did much of consequence for me, and I've been
| enjoying no longer receiving recruiter spam.
|
| A long time ago I did once find a job through LinkedIn ads, but
| beyond that it's been a complete waste of time and energy.
|
| At this point, social media, especially of the "professional"
| variety, seems like more trouble than it's worth.
| paxys wrote:
| I work at a large tech company and we are routinely made aware of
| phishing scams on LinkedIn using our name - either fake profiles
| pretending to be an employee or even impersonating one of our
| actual employees.
|
| People have:
|
| * Tried to sell our product to others, despite not being
| affiliated with us
|
| * Acted as recruiters for our company
|
| * Tried to get jobs at other companies pretending to have an
| employment history with us
|
| It's frustrating that we cannot do anything other than report it
| to LinkedIn, who may or may not take it down eventually.
|
| The next time you are answering a LinkedIn DM, remember that
| anyone is allowed to write anything on there. None of it is
| verified.
| stcredzero wrote:
| It used to be, in the pre-internet 20th century, that people
| would exploit mismatches between paper stores of information to
| forge fake identities and game the system.
|
| https://www.edenpress.com/productcart/pc/viewPrd.asp?idprodu...
|
| Now, in 2022, people are just using the mismatches between
| various Big Tech walled gardens to do the same.
|
| _Plus ça change, plus c'est la même chose_ (the more things
| change, the more they stay the same)
| gnicholas wrote:
| I have wondered about fake profiles on LinkedIn. Seems like
| people believe that someone is real and their credentials are
| real just because they have a profile. But it would be easy to
| set up an account with a fake photo, make up an educational and
| employment history, and current employer. None of this is
| verified, AFAICT. Then you just start following/connecting to
| recruiters and others who are Very Online on LinkedIn, to make
| the profile look legit.
| xsmasher wrote:
| Worse than that - you can create a LinkedIn job listing under
| that (unverified) employer.
|
| My last employer got hit by that, and had to report the listing
| to LinkedIn support and wait for them to remove it. Meanwhile
| the scammer could use the job listing to collect information
| from targets.
| __derek__ wrote:
| A particularly easy suggestion I first heard on the Risky Biz
| podcast after the reporting about fake CISOs: LinkedIn should
| prominently display profile creation dates.
| metadat wrote:
| This will only create a market for old "used" accounts.
|
| LinkedIn allows you to change your name and profile content
| as often as you wish, and doesn't keep or publicly expose any
| of a profile's past info.
| baxtr wrote:
| "only" seems a bit harsh. It will probably solve some
| problems and create new ones instead, which then again need
| to be solved. But that's the story with any solution to a
| problem.
| metadat wrote:
| Agreed.
| toomuchtodo wrote:
| Online dating apps do selfie verifications or identity
| proofing. LinkedIn could do the same as well. To verify
| someone's identity with a gov ID is about $1-$2 per proofing
| request.
|
| https://stripe.com/identity (only as an example, many vendors
| offering this service)
| wildrhythms wrote:
| How does the Gov ID verification work?
| toomuchtodo wrote:
| https://identity.stripedemos.com/
| Spooky23 wrote:
| There's lots of interesting grifts out there in LinkedIn.
|
| We busted one guy who claimed to work somewhere 20 years ago
| that a colleague and I worked at. We thought he was a former
| colleague - basically there was a guy named "John Smith" that
| was this guy. It was too long ago to disqualify the guy, so we
| validated his LinkedIn history items carefully and they were
| mostly bogus.
|
| Everything looked legit on the surface. It was like a spy movie
| or something.
| [deleted]
| mh8h wrote:
| I wanted to share the link of a job posting on our company
| website to LinkedIn. It asked if I want to add my work email to
| my profile, just for verification reasons, so that it shows the
| "Is Hiring" ring around my profile photo. I made sure it's
| displayed nowhere in my profile. I also unselected every single
| consent related to using that email address. Less than a week
| later I started receiving recruiter emails in my work address.
| sylens wrote:
| Shouldn't there be an option to verify your employment at a
| company? If you list a company in your profile, you have to
| provide a company email and click a link to prove that you own
| that email address. You could tune this to prompt someone to
| "refresh" the proof once a year or something.
| [deleted]
| laweijfmvo wrote:
| even Blind does this, and that's top-tier trash.
|
| I imagine LinkedIn has no benefit from doing this. It would
| only serve to show how few real employees they have and devalue
| the platform to recruiters.
| cmeacham98 wrote:
| Obviously this won't work for every company, but for Amazon,
| Apple, and similar it seems like the solution is obvious:
| LinkedIn users should be forced to verify an
| @amazon.com/@apple.com/etc email address to claim they are
| currently an employee of those companies.
| chrismarlow9 wrote:
| This is a good thought but only if the company allows you to
| generate a throwaway email, or designates a single email for
| this purpose that potentially forwards to HR (to verify the
| employment). Otherwise this puts a massive target on LinkedIn's
| back for a data breach and opens individual work emails to
| spam. Both would be nasty for credential harvesting (email
| username) and spear phishing.
|
| The single HR email seems like the best option since they would
| be able to retroactively confirm employment even if you've
| left.
| plandis wrote:
| ...and then get spammed on my work email? No thanks!
| tharkun__ wrote:
| Worst idea ever. I have never and will never give LinkedIn (or
| similar platforms) my work email address.
|
| I strictly separate work from personal stuff. Work stuff gets
| my work email. Personal stuff gets my personal email.
|
| Traveling for work and need to book a hotel? Work email. Apple
| Id for work laptop? Work email. New account per employer. Gets
| disassociated and closed before I hand in my laptop. Electronic
| pay slips? Personal email. Health insurance account? Personal
| email. Apple Id for personal laptop? Personal email.
|
| There are things I need or want access to without being
| dependent on my employer.
|
| LinkedIn has nothing to do with my work. It's personal. It's
| about me. I list information about me. It's like a CV. No I
| should not have to update my CV through my work email account
| where my employer has access to information they shouldn't and
| where I can't update it if I no longer work there.
| derefr wrote:
| > No I should not have to update my CV through my work email
| account
|
| That (changing your account to use your work email for sign-
| in) is not what they're suggesting; they're suggesting
| _binding_ the email address as secondary information to your
| account (by sending it a magic-link email you have to click)
| -- like a Keybase verification that you "own" a profile.
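The mechanism described in the comment above (and the yearly "refresh" suggested earlier in the thread) is a standard magic-link binding. The block below is an added example, not code from the thread or from LinkedIn, of how such a binding can be implemented: the link carries an HMAC-signed payload naming the profile, the claimed employer, the address the mail went to, an expiry and a one-time nonce, so it cannot be forged, replayed, or redeemed against a different profile than it was issued for; after a successful click only the mail domain and a salted hash of the address are stored, which addresses the breach concern raised by chrismarlow9 above. The employer domain registry, the profile ids and the addresses are hypothetical.

```python
"""Magic-link binding of a work address to a profile. Added example; the
signing key, salt, employer registry and accounts are all constructed here."""
import base64
import hashlib
import hmac
import json
import secrets

# Generated fresh for this example; a real deployment keeps both in a
# secrets store and rotates them.
SIGNING_KEY = secrets.token_bytes(32)
EMAIL_SALT = secrets.token_bytes(16)

# Hypothetical registry of the mail domains each employer page has claimed.
COMPANY_DOMAINS = {"Example Corp": {"example.com", "example.co.uk"}}

LINK_TTL = 15 * 60            # seconds a magic link stays valid
REVERIFY_AFTER = 365 * 86400  # ask for a fresh click roughly once a year


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _domain(email: str) -> str:
    return email.rpartition("@")[2]


def issue_link(profile_id, employer, email, now):
    """Token for the link mailed to `email`; refuses addresses outside the
    employer's registered domains before any mail is sent."""
    email = email.strip().lower()
    if _domain(email) not in COMPANY_DOMAINS.get(employer, ()):
        raise ValueError("address is not on a domain registered to that employer")
    payload = json.dumps({
        "profile": profile_id,
        "employer": employer,
        "email": email,
        "exp": int(now) + LINK_TTL,
        "nonce": secrets.token_urlsafe(12),
    }, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


class EmploymentBindings:
    """Server-side state: spent nonces plus what survives a successful click.

    Only the mail domain and a salted hash of the address are retained, so a
    dump of this table does not yield a list of individual work addresses.
    """

    def __init__(self):
        self._spent = set()
        self._bound = {}  # (profile_id, employer) -> record

    def redeem(self, token, session_profile_id, now):
        """Called when the logged-in user (session_profile_id) clicks the link."""
        try:
            payload_b64, tag_b64 = token.split(".", 1)
            payload, tag = _b64d(payload_b64), _b64d(tag_b64)
        except ValueError:            # includes binascii.Error from bad base64
            return False, "malformed token"
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"
        claim = json.loads(payload)   # trusted only because the MAC checked out
        if now > claim["exp"]:
            return False, "expired"
        if claim["profile"] != session_profile_id:
            return False, "link was issued for a different profile"
        domain = _domain(claim["email"])
        if domain not in COMPANY_DOMAINS.get(claim["employer"], ()):
            return False, "domain not registered to that employer"
        if claim["nonce"] in self._spent:
            return False, "link already used"
        self._spent.add(claim["nonce"])
        self._bound[(claim["profile"], claim["employer"])] = {
            "domain": domain,
            "email_hash": hashlib.sha256(EMAIL_SALT + claim["email"].encode()).hexdigest(),
            "verified_at": now,
        }
        return True, domain

    def is_current(self, profile_id, employer, now):
        """Whether the 'works at' claim still counts as verified without a new click."""
        rec = self._bound.get((profile_id, employer))
        return rec is not None and (now - rec["verified_at"]) < REVERIFY_AFTER
```

The profile check is the part that is easy to forget: without it, a link forwarded to a second person could be clicked from their session and bind the employer to the wrong account. Checking the signature before parsing the JSON keeps untrusted input away from the parser, and the nonce is only spent after every other check passes, so a failed attempt does not burn a still-valid link.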
| tedunangst wrote:
| And do I trust them to silo this information? Similar
| companies like Facebook and Twitter are a solid 0% in using
| info provided for verification only for verification
| purposes.
| derefr wrote:
| You rhetorical question is... whether you should trust a
| company that already has both your full name, and a list
| of companies you've worked for (because you gave them
| both of those things to enable them to publicly display
| them to people searching for you)... with the information
| of what your corporate email address is?
|
| They already _know_ your corporate email address. They --
| and anyone else who sees the public profile they display
| for you(!) -- has all the information required to deduce
| it. (And privately, they have all the info required to
| not even have to brute-force it -- i.e. they already know
| some of your coworkers' corporate email addresses, and
| so the format of the username-part of yours.)
|
| The only thing they _don't_ know, is whether you -- the
| person who claims to have worked for company X, but might
| not actually -- can access that email address.
|
| Is there something scary about them having that
| information, over-and-above what's scary about them being
| able to do what they can do with the information you
| explicitly _did_ choose to give them?
| tharkun__ wrote:
| Exactly my point. I should not require current access to a
| work email account just to update my CV to show that I
| worked somewhere. Or for how long I worked there (like that
| suggestion to "re-verify" periodically).
|
| I don't update my LinkedIn right away for example when I
| change jobs. I usually wait about a year until I put the
| new employer. Why would I accept getting forced, as one of
| the first actions at my new employer, to list where I work?
| derefr wrote:
| Showing that you _worked_ somewhere and showing that you
| _are working_ somewhere are two different things. A work
| email can be used to show that you _are working_
| somewhere. Proving that you _did work_ somewhere (and for
| how long) would require... I don 't know, an income tax
| statement? Like banks ask for -- "proof of income."
|
| IMHO, of the two options, the email is the more
| convenient and less invasive one -- at the expense of not
| always being reachable by the time you need it.
| tharkun__ wrote:
| I understand that it _can_ be used. I am saying that it
| is a bad idea to require that.
|
| Yes sure it is _less_ invasive than the other option you
| gave. I mean income tax statement to show I worked
| somewhere, are you kidding me? To LinkedIn? Showing
| exactly how much I made? Your suggestions are not getting
| better. Less invasive doesn't mean it's a good idea.
|
| Making the president dictator for 20 years is less bad
| than making him dictator for life. I still like democracy
| better, even if it's not perfect.
| derefr wrote:
| I don't think you've grasped the spirit of what I'm
| saying. In a perfect world, every interaction with a
| service would require exactly as much identity
| verification as is required to entirely, 100% prohibit
| people pretending to be you... but also, people being
| people, they would then voluntarily _avoid interactions_
| which _would necessitate_ giving that proof.
|
| In other words, in a perfect world, the government
| requires LinkedIn and similar services to put users
| through KYC (i.e. demand proof-of-identity+income for
| sign-up)... and poof! These services cease to exist,
| because nobody's going to give them that for only the
| small amount of value LinkedIn provides people.
| CogitoCogito wrote:
| What if the place has no canonical email domain for its
| employees? Or if they don't all receive them? Or if many
| employees are working there as contractors and not
| receiving emails?
|
| The more I think about it, the more corner cases I see
| that make this problematic.
| derefr wrote:
| Like I said, it would be a pure optimization over a more
| rigorous proof-of-identity + proof-of-income path. You
| can always allow the user to fall back to that more-
| rigorous path if they don't have such a verifiable
| address.
| CogitoCogito wrote:
| Linkedin will never require proof of income. That's much
| more intrusive. So no it's not an optimization over
| something that simply never will occur.
|
| I think you may just have to accept that if you want to
| verify an employee, you'll need to call their previous
| employers. This is the way it's always been done.
| derefr wrote:
| > I think you may just have to accept that if you want to
| verify an employee, you'll need to call their previous
| employers
|
| You're talking about "they" as in the people reading the
| CV. Which works fine for the scale individual employers
| operate at.
|
| But the point of this conversation, is what the services
| themselves, dealing with fake profiles _at scale_ ,
| should do. LinkedIn themselves don't make hiring
| decisions; they make money off of how reliable their
| listings are. Their incentive is entirely different than
| the employer's incentive.
|
| By analogy: it's fine to talk about how a given person
| should carry pepper spray with them if they want to avoid
| getting mugged. But what should a _city government_ do to
| make a city a place people want to move to, where people
| generally don't want to move to cities where they might
| have a high chance of getting mugged?
|
| > Linkedin will never require proof of income. That's
| much more intrusive.
|
| You seem to think we're talking about this being done for
| every company automatically. But my understanding is that
| bots are always trying to impersonate the same top
| companies -- so this requirement would either be for a
| certain whitelist of important employers, or (more
| likely) would be an org setting that the LinkedIn org
| admin for a given company would set (when they're having
| trouble with bots), to _require_ LinkedIn to do extended
| verification for people claiming to specifically be
| employees of _that_ company. Very much like how
| Cloudflare has an "I'm under attack" toggle that forces
| visitors through CAPTCHAs. If your previous employer sets
| that flag... well, that's their fault. Same as it's their
| fault if they aren't willing to give you a reference for
| petty reasons.
| blacksmith_tb wrote:
| I guess they haven't got them all yet, I mean, the consensus
| seems to be that Apple has ~155K employees[1] not 284K (and
| obviously not every Apple employee will have a LinkedIn
| account...)
|
| 1: https://www.statista.com/statistics/273439/number-of-
| employe...
| stormbrew wrote:
| Likely a lot of people just never update their employer on
| linked in after they leave. Especially if they retire. That'd
| be a different kind of problem than bot accounts.
| TazeTSchnitzel wrote:
| I have noticed multiple former colleagues where I work not
| bothering to update their profile when leaving.
| dylan604 wrote:
| I haven't updated my LI profile for quite some time. I don't
| even care enough to login to see exactly what was the last
| update. I do know that a recruiter was emailing me about a
| company that I had already spent time working with and since
| moved on, but was after I quit updating the LI profile. Still
| haven't retired either.
| ipaddr wrote:
| You have double accounts and contractors who officially worked
| for someone else claiming employment. Plus former employees who
| never updated.
| [deleted]
| raydiatian wrote:
| LinkedIn is such an objective failure. I'm independent and even I
| deleted mine.
|
| You can rest assured they're still handing out our information.
| bushbaba wrote:
| Eh disagree. It's been invaluable for keeping up with former
| colleagues. And finding contacts to assist with business.
| unforeseen9991 wrote:
| Yeah people's contact information changes over the years,
| especially these days. Some people I develop a close enough
| relationship with to exchange personal email accounts, the
| majority I don't.
|
| I'm independent as well and some of my biggest projects have
| been from people I've worked with before reaching out.
| etchalon wrote:
| It's absolutely ridiculous that the administrator for a Company
| Page can't remove a person as an employee from that page.
|
| We have a dozen or more fake employees on our page, plus ex-
| employees who never updated their linkedin, and there's no way
| for me to say, as a person who owns the business, "This person
| does not work here."
|
| Ridiculous.
| ChrisMarshallNY wrote:
| I have someone in UAE that is listed as an employee of one of my
| companies, as an administrative assistant.
|
| The company is in my home, in New York.
|
| I reported the fake profile, but it's still there, listed as an
| employee of mine.
|
| _[UPDATE] Actually, belay that. They seem to finally be gone._
| makestuff wrote:
| Slightly related but there is a fake profile of me on Facebook
| I have been trying to get taken down for months now. It copied
| my profile picture and added several of my mutual friends.
| Facebook just keeps saying the profile doesn't violate their
| guidelines even though my last name is very unique and the
| profile picture makes it blatantly obvious.
| bee_rider wrote:
| Yeah, fake profiles were one of the things that made me just
| start completely ignoring friend requests on Facebook.
| Although I'm one of those grumpy, uninterested/uninteresting
| people who is just on the site to stay in touch with their
| parents and grandparents, so it isn't like I'm in the
| demographic they are trying to grow anyway.
| Brybry wrote:
| I wonder if you DMCA/copyright strike the fake profile for
| using your picture if that would be more effective.
| [deleted]
| hsbauauvhabzb wrote:
| A young (attractive) man was murdered in my country with a
| case dragged out over a period of years, there was a fake but
| active profile using his highly published images under a
| different name. Facebook banned me for continuously reporting
| the profile, in every report I linked multiple articles
| containing the relevant images.
|
| I would suggest you encourage a large volume of contacts to
| report the profile. Funny that you have to game the system to
| achieve a perfectly legitimate result.
| dylan604 wrote:
| >Funny that you have to game the system to achieve a
| perfectly legitimate result.
|
| How does the automated bot tell the perfectly legitimate from
| the wholly scammed?
| derefr wrote:
| I feel like the workflow that happens when you click "flag"
| in social networks has become ossified according to
| "Content Guidelines" in the same way that Level-1 CSR
| scripts are ossified. To actually get one-off (rather than
| rule-based) evaluation of a problem, you need your report
| to not come in from that direction, but from some other
| side-channel, e.g. a viral tweet complaining about the
| problem.
| Firmwarrior wrote:
| Man, I wish we could convince people to just stop using
| these fucking "platforms" and go back to cheap selfhosted
| forums/blogs
|
| Of course a giant faceless low-margin corporation is
| going to do a bad job of moderation. I wish it weren't
| such a big deal when they fail at it
| hsbauauvhabzb wrote:
| They wait for the user to respond, and give them 4 weeks. It's
| silly.
| notacoward wrote:
| > LinkedIn claims that its security systems detect and block
| approximately 96 percent of fake accounts.
|
| In order for that number to mean anything, they'd have to know
| what the total is. It would be more accurate to say that 96% of
| those who are caught at all are caught by LinkedIn themselves
| (presumably the rest by third parties) but that says nothing
| about how many are still in the system ... and that still seems
| to be a lot.
| pfortuny wrote:
| You can do random sampling, though. It can give a good
| estimate. Not saying they are doing it, though.
|
| But you certainly can get a good assessment without knowing the
| total population.
| oersted wrote:
| As in any similar problem: you can sample a reasonably
| representative set of accounts, review them thoroughly by
| manual means, and see how these manual results compare to the
| automatic ones.
|
| They don't need to know what the total is, if they knew the
| problem would be solved.
|
| 96% represents the probability of a correct prediction, not a
| fraction of the total.
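The sampling approach described in the two comments above can be carried through in code. The block below is an added example, not from the thread or from LinkedIn: a constructed population of accounts is generated with a known (hidden) fake rate and a detector with a chosen hit rate, a uniform random sample is drawn, each sampled account is "manually reviewed", and the detector's recall, its precision and the share of fakes still on the platform are estimated from the sample alone, with Wilson intervals. The estimator never sees the population size or the true fake rate; the platform size, fake rate and detector parameters are hypothetical.

```python
"""Estimating a fake-account detector's quality from a random sample.
Added example; the population and detector are simulated, not real data."""
import math
import random


def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a binomial proportion (wide when n is small)."""
    if n == 0:
        return (0.0, 1.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def simulate_platform(n_accounts, fake_rate, detector_recall, detector_fpr, seed=1):
    """Constructed population: one (is_fake, flagged_by_detector) pair per account.

    fake_rate and the detector parameters only generate the data; the
    estimator below never sees them or the population size.
    """
    rng = random.Random(seed)
    accounts = []
    for _ in range(n_accounts):
        is_fake = rng.random() < fake_rate
        p_flag = detector_recall if is_fake else detector_fpr
        accounts.append((is_fake, rng.random() < p_flag))
    return accounts


def manual_review(account):
    """Stand-in for a human reviewing one sampled account; in the simulation
    the ground-truth label is simply read back."""
    return account[0]


def _rate(k, n):
    return None if n == 0 else k / n


def estimate_from_sample(population, sample_size, seed=2):
    """Estimate detector quality using nothing but a uniform random sample."""
    rng = random.Random(seed)
    sample = rng.sample(population, sample_size)
    labelled = [(manual_review(a), a[1]) for a in sample]
    fakes = [flagged for is_fake, flagged in labelled if is_fake]
    flagged = [is_fake for is_fake, was_flagged in labelled if was_flagged]
    unflagged = [is_fake for is_fake, was_flagged in labelled if not was_flagged]
    caught = sum(fakes)
    return {
        "sample_size": sample_size,
        # share of fakes the detector catches: the reading a "96%" claim suggests
        "recall": _rate(caught, len(fakes)),
        "recall_ci": wilson_interval(caught, len(fakes)),
        # share of flagged accounts that really are fake
        "precision": _rate(sum(flagged), len(flagged)),
        # share of accounts left on the platform that are fake
        "residual_fake_rate": _rate(sum(unflagged), len(unflagged)),
        "residual_ci": wilson_interval(sum(unflagged), len(unflagged)),
    }


if __name__ == "__main__":
    population = simulate_platform(200_000, fake_rate=0.15,
                                   detector_recall=0.96, detector_fpr=0.01)
    for key, value in estimate_from_sample(population, 5_000).items():
        print(f"{key}: {value}")
```

Recall, precision and the residual fake rate are three different numbers, and a bare "96%" does not say which one is meant; a sample of a few thousand accounts pins all three down to within a few points, which is why the population total is not needed. The catch is that a reviewer can only label what the sample shows them, so fakes that fool a human as well as the detector are invisible to this estimate too.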
| tedunangst wrote:
| No, that would be much less accurate to say. They're not saying
| the other 4% are caught at all.
| notacoward wrote:
| > No, that would be much less accurate to say.
|
| You don't know that. If I was premature in making a guess,
| you were equally premature in contradicting it. What's your
| interpretation? That they meant 96% of the total? I might
| enjoy seeing you explain how that could be true while still
| leaving 600K Amazon/Apple profiles to be cleaned up in a
| special campaign responding to media exposure. Do you think
| it's 96% of what they could have caught by manually examining
| every profile? That's no more supportable than the theory you
| summarily rejected. Your own guesses or assumptions are no
| better than anyone else's.
| [deleted]
| [deleted]
| raydiatian wrote:
| It always seems that the tech companies that make major OSS
| contribs turn into fiestas.
|
| 1. LinkedIn gave us Kafka
|
| 2. Netflix gave us Hystrix
|
| 3. Greatest of all, Facebook, who gave us everything: React,
| PyTorch, Jest
| Macha wrote:
| Apple with LLVM is arguably a bigger contribution than LinkedIn
| with Kafka, and Apple are notoriously stingy with open source.
| I'd have thought their contributions to FreeBSD would be
| Netflix's most notable contributions. No mention of Google with
| Angular, Dart, WebM, AOSP, Guava, Kubernetes, Bazel, Go. At
| this stage Microsoft is also arguably a larger open source
| contributor than LinkedIn or Netflix.
| raydiatian wrote:
| This is all fair. I genuinely didn't know Apple developed
| LLVM, I knew they were heavily involved in early 00's. Can't
| believe I forgot Kubernetes & Angular.
|
| Anyways it's a hot take, you're totally right.
___________________________________________________________________
(page generated 2022-10-20 23:00 UTC)