LinkedIn sues 100 information scrapers after technical safeguard fail

Botnet harvests user data for spam and profit

Hacker

Microsoft-owned LinkedIn has filed a lawsuit in California against 100 unnamed individuals who circumvented its security technology to harvest data from its network of 400 million people.

The lawsuit claims that the individuals used a specially created botnet that has been collecting data from the site since December 2015 and created thousands of bogus accounts to facilitate the attack. They also used an unnamed "whitelisted third-party cloud service provider" to speed up the information retrieval.

"LinkedIn expects to be able to identify the Doe Defendants by serving third-party discovery on various ISPs and networks," the court documents state [PDF]. "These entities are in possession of information that will help LinkedIn identify the Doe Defendants. LinkedIn intends to file a motion to expedite these discovery requests."

The lawsuit details some of the security procedures LinkedIn has in place to stop just this sort of attack. There's a lot of valuable information on the site and the last thing Microsoft wants is to have its members' identities compromised or to see them suffocated in spam.

LinkedIn's first line of defense is FUSE, a tool that limits the number of activities that can be carried out by any one member. This is backed up by Quicksand, a semi-AI system that looks for cases of high levels of activity on a user's account, which is most likely being done by software rather than a fleshy human.

On an IP level, LinkedIn uses two systems to monitor against data theft. Its Sentinel software monitors individual IPs that could be dodgy, while Org Block goes after strings of IP addresses that are known to be associated with bad actors online.

Despite all these protections, the data thieves managed to get around them all by setting up systems that could start multiple bogus accounts – bypassing the CAPTCHA mechanism designed to stop this. The crooks made a huge number of data requests and fed this information back to their servers, without tipping off LinkedIn until well after the event.

It remains to be seen how successful the company will be at backtracing these attacks through third-party ISPs – a notoriously difficult process. In the meantime, it would be worth checking out what you have online at the site and maybe adjusting that accordingly.

Microsoft had no comment on the snafu at time of publication. ®


Biting the hand that feeds IT © 1998–2017