LinkedIn Corporation may not have a face (or name) for the individuals responsible for circumventing many of its security measures to mine a significant amount of user data since last May, but it certainly has a case against them. The professional social network noticed suspicious patterns of activity and discovered that thousands of fake profiles had been created by automated software programs, somehow avoiding the various safeguards (e.g. CAPTCHA, daily activity limits) meant to weed out such “bots.” These artificial accounts were being used to copy, or “scrape,” information from hundreds of thousands of bona fide member profiles, presumably for less-than-noble purposes such as identity theft, phishing, or other spammy practices. The bogus profiles were traced back to a mass of accounts on Amazon’s cloud-computing platform, and as part of its suit filed against these Doe Defendants last week, LinkedIn “intends to file motions to expedite…discovery requests” that it will be serving on Amazon Web Services, in hopes that they will fork over the names of the offending account holders. (Amazon.com, itself, is not being charged.)
Interestingly, the fact that no specific defendants are named here does not put a damper on such a lawsuit. It’s been done (and won) before, and continuing with the investigation and legal proceedings—even with as-yet-unidentified defendants—serves numerous purposes. It disrupts a botnet’s activities, since its operators are probably running scared, knowing that the authorities are on to them. At the same time, the lawsuit deters future cybercriminals from targeting the plaintiff’s sites, since they see that these digital crimes are being taken seriously. Legal action also incentivizes third parties to cooperate with the investigation, since it involves actual subpoenas, and not just (oft-ignored) letters and voicemails to a company’s in-house counsel. Finally, if and when the perpetrators are identified, a strong case has already been built up against them, ready to wallop the defendants as soon as they hit the courtroom.
The individuals ultimately responsible for the illegal data extraction used so many different tactics to evade LinkedIn’s security measures that the company believes they must have been aware of the various restriction levels built into the site’s technology. Not only do these practices violate LinkedIn’s User Agreement, they also break state and federal laws relating to cyber-fraud (and possibly copyright laws, as well), making this infraction a pretty big deal. However, the botnet behind this case may very well be a “zombie army” made up of unsuspecting individuals’ computers, which have been infected by a virus or otherwise compromised. So, even if the physical infrastructure is taken out, unless the actual hackers are caught, they could, theoretically, pull off such a scheme again. LinkedIn has already disabled the fake profiles and implemented additional security measures on its site. Given the extensive usage of its networking tools amongst today’s professionals and recruiters, though, LinkedIn’s engineers (and those of other companies like it) certainly have their work cut out for them in terms of making their systems more secure; after all, malicious technology advances right along with the more honorable kind.