CompanyStrikers
Sign inTry Strike for free
CompanyStrikers
Try Strike for free
CybersecurityResearch

Rampant scams in LinkedIn

Cesar Cerrudo

10 min read

Rampant scams in LinkedIn

Lately there has been a huge increase in malicious activities at LinkedIn and the bad news is that it seems LinkedIn doesn’t have the right tools to stop them. LinkedIn is becoming one of the most dangerous social networks for professionals.

Recently the FBI issued a warning alerting on crypto related scams on LinkedIn. The article also details the several million fake accounts LinkedIn removes and the millions of spams and scams that are stopped by their automated defenses. This is clearly not enough.

People have known for years about fake LinkedIn profiles and common scams such as fake job offers and phishing attacks by LinkedIn messages. But attacks are becoming more sophisticated, and LinkedIn is not doing a good job at stopping them. Attackers seems to be leveraging latest technologies to make fake profiles more real such as using computed generated profile photos. A recent hack that ended up stealing $540 million in crypto was supposedly originated on a LinkedIn fake job offer.

Blog_Imagen.jpg

Currently you can see many users are complaining about increase in malicious activities: https://www.linkedin.com/posts/graceschi_linkedin-desperately-needs-some-sort-of-verified-activity-6956323054582931456-BTaT/ https://www.linkedin.com/posts/alexandriabellivan_scam-jobsearching-linkedin-activity-6954840160823881729-qup8/ https://www.linkedin.com/posts/davidbowden_cyber-network-linkedin-activity-6955957611489898496-ioKp/ https://www.linkedin.com/posts/yairlifshitz_bitcoin-linkedin-linkedinhelp-activity-6950201766999154688-JwiW/

Some weeks ago, I was targeted with a sophisticated scam in LinkedIn and I used the opportunity for a little research that ended up with interesting results.

On June 16, I got a LinkedIn message from “Kasima Wood”, since I work on cybersecurity it wasn’t difficult for me to detect that this was highly likely a scam. Let’s take a look at the profile .

Looking at Experience, he has only worked at the same company “ALS consultants Ltd” for many years. For Education, it seems he studied at Leeds University Business School. About Activity, he seems to be reposting, liking and commenting regularly on simple stuff. The only uncommon thing at first sight is that he seems to have worked just at one place.

Let's take a look at the company, “ALS consultants Ltd”. It has 17 employees, just a few posts, no details and no website. It starts to look a bit suspicious.

Now let’s see the employees. Looking at the first one “Nordin Bin Mohamad Salleh” we can see that besides working at “ALS consultants Ltd” he is also working at “Als financial consultants”, both companies have similar names but “Als financial consultants” doesn’t have a LinkedIn profile. Then when looking at the rest of the company employees, in almost all of them, their profiles show that they only have worked at “ALS consultants Ltd” and nowhere else. Also they post, comment and like simple stuff.

All of the above quick and simple observations suggest that “ALS consultants Ltd” company and employees profiles are highly probable fake and used for scams.

Captura de Pantalla 2022-09-05 a la(s) 10.36.15.png

Captura de Pantalla 2022-09-05 a la(s) 10.36.50.png

Captura de Pantalla 2022-09-05 a la(s) 10.36.56.png

Captura de Pantalla 2022-09-05 a la(s) 10.36.37.png

Anyway, I thought it was a good opportunity to confirm this was really a scam and to find out what was this all about so next day I replayed to “Kasime Wood”.

Captura de Pantalla 2022-09-05 a la(s) 10.40.51.png

Captura de Pantalla 2022-09-05 a la(s) 10.41.00.png

Then same day I got an email from “Leon Petra Alexandra”

Hello,

Thank you for your email. I hope my mail finds you in good health. Allow me to properly introduce myself, I am Mr. Leon Petra Alexandra and I represent ALS Financial Consultants Ltd. We are a Financial Consultancy company, headquartered in West Yorkshire, United Kingdom. Our web address is www.alsconsults.com

We represent a couple of high-net-worth individuals and Organizations who are looking at investing in viable projects with good ROI (return on investment) on a loan basis. Our investors can invest in any sector, or location and can come in at any stage of the investment.

Basically, what we do is get a potential Investor and a project owner to connect and discuss the possibility of the Investor investing in the Project. They can invest in the range of USD 1,000,000 (1 million United States of America Dollars) to USD 500,000,000 (five hundred million United States of America dollars) on any viable Project(s) presented by your Management after an Independent Review of your Business Model Presentation. They will maintain a Silent/Financial Position on their Business with your Company.

Our investors are only open to debt funding, they do not participate in Equity/JV. Please advise if this meets your Company's Approval before we can link you directly to the right investor for funding. The interest rate is usually 3% with a repayment period of 2-10 years with 1 year grace period.

As the consultant, we do charge a success fee of 1% payable by the project owner after funding by the investor.

Thank you, we await your swift response.

Regards,

Leon Petra Alexandra ALS Financial Consultants Limited 130 Mayo Avenue, Bradford, West Yorkshire, BD5 8HY United Kingdom www.alsconsults.com Email: [email protected] Tel: +44 127 479 2886

To my surprise it seemed well elaborated. I checked the website and it looked like a real company but very simple site without much information. I went to check with UK records and indeed it was real.

After looking at the company documentation it seems it’s just a one person company (no employees) run by an accountant that provide consulting services which doesn’t seem to be doing great businesses. Also by looking at the company address in Google Maps it’s just a regular house but the facade has been obfuscated, not very common.

Blog_Imagen 2.jpg

There were some inconsistencies, this company name was “ALS Financial Consultants LTD” and the name of the company in “Kasima Wood” profile was a bit different, it was “ALS consultants Ltd” also the company logos were different. You can see the logo on www.alsconsults.com and compare with logo in “Kasima Wood” profile.

Captura de Pantalla 2022-09-05 a la(s) 10.47.58.png

It was also suspicious that the email address from “Leon Petra Alexandra” ([email protected]) was from a different domain. By checking WHOIS records it showed that this domain (als-consultants.co.uk) was recently created on 06/02/22 and that also Google LLC was the registrar.

Initially there was no website at als-consultants.co.uk. Some weeks later (while completing this research) I found there was a site, I took a look at it and it was a Wordpress site with directory browsing enabled where directories showed 8/2/2022 as creation date. The new site was a clone of www.alsconsults.com with just one visible difference, the contact email. Some red flags.

Trying to find out more about this “possible scam”, I replayed to the email saying that I was interested and asked how to follow up and got the following from “Leon”:

Hello,

Thank you for responding to my mail, I hope this mail finds you in good health. I want you to send your name and address via email to the Investment Procurement Officer Mr. David Malek and inform him that Mr. Leon Petra Alexandra of ALS Financial Consultants Limited UK asked you to contact him. Ask him to advise you on the next step. Find below his contact details:

Company Name: A.G.F. Investments PTY. Ltd Company website: www.agfinve.com Investor's E-mail address: [email protected] Investor's Name: DAVID MALEK

Kindly contact him immediately and inform me after doing that. Thank you

Leon Petra Alexandra ALS Financial Consultants Limited 130 Mayo Avenue, Bradford, West Yorkshire, BD5 8HY United Kingdom www.alsconsults.com Email: [email protected] Tel: +44 127 479 2886

Interesting, now there is another person from another company involved. This other company “A.G.F. Investments PTY. Ltd” has a website which doesn’t look bad but when looking at the management team it’s just a simple list of names without any other information which looks suspicious for an “investment” company. Looking at domain information it says it was created on 1/31/22, just 5 months ago. It seems it is a young company ?

But looking at the Australian registered companies it seems there is a real company with same name but it’s more than 20 years old. Weird that the domain and website are from this year but the company is more than 20 years old. Also by looking online I couldn’t find almost nothing about this company. After reviewing the company public records I found that the company has a business name “501 RECEPTIONS” so I looked for this business and found that it was an events venue that’s been closed for some years now, but the Australia address listed at www.agfinve.com was nearby (1 mile) “501 RECEPTIONS'' business address. There is something that doesn’t smell good.

I emailed “David Malek” asking for next steps and provided a fake address in the US. On June 20, I got an answer:

Dear Cesar,

We have been properly briefed by Mr Leon Petra Alexandra and we are pleased to do business with you and your company and we sure hope to have a good Joint Venture Partnership or Direct Loan Funding relationship with you and your company. Our Company name is A.G.F. Investments PTY. Ltd and we are located in Victoria, Australia. We fund growth capital investments and loans and we are willing to fund your business plan.

We will be interested in funding any other investment plan you may have on a Joint Venture partnership or Direct Loan basis. Know that you will have the privilege to present to us any viable areas/sector of your country's economy in which we can invest under your management and you will be solely responsible for taking management/operational decisions without our company interference, so we do not restrict you to our preferred areas of investment.

To enable us to proceed, you are advised to send your detailed Business Plan and the exact amount you will need to execute your Business Plan from start to finish directly to ([email protected]) for official records and due process so that our vetting department will consider and review your Business Plan for Approval, after which we will send to you a draft copy of our operational contract agreement which contains the terms and condition for you to go through with your lawyers for your acceptance.

Ensure you copy me in the mail to our Loans application Processing Department. And if you need further information/assistance, do not hesitate to contact me back.

Kind Regards,

Mr. David Malek

This was getting serious. Luckily I had a simple business plan slides (not really detailed) from an old dead project so I did little changes to remove some information and I sent it, I also asked for $15,000,000 since I wanted to have good funding for my project ? Just after sending the email I got the following response:

Attention: Mr Cesar Cerrudo,

We acknowledge receipt of your mail and Business Plan, our team are presently looking into it for review and analyses on its viability and once we are satisfied, we will Approve your Business Plan for funding.

Your request for US$15,000,000 is noted and possible so long as it is sufficient to actualize your business plan from start to finish once your business plan is Approved.

We will revert back to you no later than Friday this week to let you know the result of your business plan review, due diligence and analysis.

Yours Faithfully John Sanger

Great to hear my request is possible! It seems now a different person got involved, which seems to be the Head of Loans Processing if we can believe information on agfinve.com site.

Coincidentally same date “Kasima Wood” sent me a new message: It seems the guys weren’t in sync or just dealing with many “investments opportunities” at the same time.

Captura de Pantalla 2022-09-05 a la(s) 10.53.33.png

After 4 days I emailed “John Sanger” asking for feedback trying to show that I was eager to get approved to get the money. But answer took 3 more days:

Attention: Mr Cesar Cerrudo

Having received your Loan Application and Business Plan and after review and analysis, We are pleased to inform you that we have concluded the vetting process of your Loan request and after due diligence, we are Satisfied and your Loan application is Approved. The contract is for the total sum of US$15,000,000.00

Attached is the draft copy of our Joint Venture Loan Contract Agreement and it is open for a five years period at the first instance, you are to go through it with your Lawyers carefully and upon your acceptance of the terms and conditions therein, inform us and we shall take the necessary steps to have it signed & sealed and sent back to you for your final endorsement and legalize your part.

In the mean time, you are advised to send to us your Valid photo ID and a proof of Address with your name on it (phone or Electricity Bill). Acknowledge receipt of this mail and attached document.

Yours Faithfully John Sanger

That was great news, I didn’t imagine that getting $15,000,000 was so easy I just needed to sign the contract! The email had a pdf file attached (I made sure it wasn’t malicious) which seemed like a real and professional contract.

All the time I wanted to figure out how this would end up, what was the goal of these scammers. I thought maybe they will request an upfront payment of the “success fee” or other “commissions” but no, so far they requested my Email and Address, now they are requesting “Valid photo ID and a proof of Address with your name on it (phone or Electricity Bill)”. At this time I decided to not follow up anymore as I would have to create some fake ID and bills which I wasn’t sure how that would be used by the scammers. I just answered the last email that I will look at the contract and get back. I didn’t get any answer after that, they probably thought I realized about the scam.

When I looked at the different profiles that were employees of fake company ALS consultants Ltd I found one profile has one connection shared with my network that resulted to be a friend of mine, so I asked him if that profile sent any message and he said: yes but I never replied. I asked him to share the message:

“Hello xxx:

Thank you for accepting my request. We represent private Investors, that are looking for great projects. With this in mind, we are looking for clients that offer exciting opportunities in start-up or expansion.

Therefore, we seek to introduce a reputable investment company that is currently expanding its Investment portfolio globally by offering debt financing to Existing and Startup companies for business/project executions and expansion.

Kindly provide us with your valid email address so that we can send a mail to explain more. Thank you”

It was very similar to the one I got.

I have enough proof to conclude that this was a really well elaborated scam. After this I decided to report as scam the company profile to LinkedIn so the company profile and all the fake accounts that were linked could be removed. A few minutes after I report the company profile, LinkedIn said that everything was fine:

Captura de Pantalla 2022-09-05 a la(s) 10.58.28.png

I don’t know how LinkedIn checks for fake profiles but in this case it’s clear it’s not working well. LinkedIn needs to improve its fake profile and scams detection otherwise it would continue being the most dangerous social network for professionals.

After finishing writing this, I tried again to stop this scam giving LinkedIn another chance, so I looked at the fake company profiles and reported 10 of these profiles as Fraud/Scam and 5 of them as Fake accounts (actually they are fake profiles doing scams but you have different options when reporting).

Until now LinkedIn has not removed any of the profiles. I wonder why LinkedIn doesn’t remove fake profiles, it could be because they create engagement and drive revenue from ads visualizations, interactions, etc? Just guessing but with all available technology and resources it’s weird that LinkedIn is doing such a poor job at preventing and stopping scams.

As a LinkedIn Premium (paid) user I feel disappointed and unprotected because LinkedIn is exposing me to unnecessary threats and is not blocking them even if I take the time to research and manually reporte them. I’m thinking about canceling my LinkedIn subscription if the service is not improved to keep fake accounts and scams out of the platform.

Subscribe to our newsletter and get our latest features and exclusive news.