LinkedIn has emerged as a lucrative hunting ground for cyber criminals in recent years, with threat actors conducting a range of social engineering campaigns centered around fake job offers.
Last year, security company Clear Sky revealed a social engineering campaign using fraudulent LinkedIn identities to trick users into downloading malware with these job offers, for example.
Led by an Iranian threat group, this particular campaign built on techniques first observed being employed by the North Korean Lazarus group.
Now, fresh details on the extent of the threat posed by the Lazarus group have been revealed by Bitdefender Labs. A report from the cybersecurity firm details how one scammer approached a researcher who was able to record the tactics employed in the threat campaign.
The scammer first approached the researcher with an ‘opportunity’ to work on a decentralized cryptocurrency exchange, claiming the final minimal viable product (MVP) was already complete and they would be employed as a front-end developer.
Bitdefender reported that once the target expressed interest in the vacancy, the scammer requested they provide a CV or personal GitHub repository link, which it said could be used to harvest personal data as well as make the offer appear genuine.
After these are supplied, the attacker shares a repository with the MVP or the project as well as a feedback document labelled ‘Candidate Evaluation and Feedback For’, which includes questions that cannot be answered unless the target runs the demo.
Analysis of the heavily obfuscated code revealed that it dynamically loads malicious code from a third-party endpoint. Bitdefender found that the payload is a cross-platform info-stealer engineered to target a range of popular cryptocurrency wallets.
The next payload drops further dependencies designed to ensure persistence on the target system, establish command and control (C2), and avoid detection.
Bitdefender said its analysis of the malware and operational tactics employed by the attacker indicated the attack was part of a larger campaign carried out by the Lazarus Group, a state-sponsored threat actor based in North Korea.
The attackers’ objectives extend beyond data theft, the report claimed, stating the group has been observed targeting victims working in sensitive sectors such as aviation, defense, and nuclear industries with the aim of exfiltrating classified information, proprietary technology, and corporate credentials.
The group have also been recorded targeting enterprises with fake job seeker scams, where hackers posing as remote IT workers based in other parts of the world try to gain entry to businesses in order to establish persistence on their corporate network.
How to protect yourself on LinkedIn
As a professional network, it’s not out of the ordinary to receive job offers via LinkedIn. The platform has an in-built jobs board, allowing enterprises to post vacant positions.
However, when approached by an individual, it’s wise to remain vigilant and be wary of any telltale signs that you may be prey for a cyber criminal.
Bitdefender set out a series of red flags individuals can look out for, including offers with vague descriptions of the role that do not correspond to an existing job posting on the platform.
Suspicious repositories that belong to users with ‘random names’ and lack proper documentation or a long contribution history are also strong indicators that the sender has malicious intentions.
RELATED WHITEPAPER
Finally, users should also look out for spelling errors in any correspondence they have with the suspected scammer, as well as evidence of poor communication such as refusing to provide alternative contact methods.
There are also best practices Bitdefender recommends users can follow to minimize the risk they face of falling for similar scams, such as never running unverified code outside of virtual machines, sandboxes, or online code testing platforms.
MORE FROM ITPRO
- LinkedIn just swerved a lawsuit over AI model training claims
- Why social engineering is a major issue – and how you can stay safe
- A month in the life of a social engineering expert
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attackTroy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
-
LinkedIn faces lawsuit amid claims it shared users' private messages to train AI modelsNews LinkedIn faces a lawsuit in the US amid allegations that it shared Premium members' private messages to train AI models.
-
Phishing campaign targets developers with fake CrowdStrike job offersNews Victims are drawn in with the promise of an interview for a junior developer role at CrowdStrike
-
Hackers are using a LinkedIn recruitment scam to snare unsuspecting jobseekersNews Taking a leaf out of North Korean threat actors’ playbook, Iranian hackers are tricking jobseekers using fake job offers
-
LinkedIn fined €310 million for GDPR breachesNews The social networking platform has accepted the ruling and will implement changes to its ad tracking processes
-
LinkedIn backtracks on AI training rules after user backlash
News UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
Hackers use LinkedIn to target UK nuclear waste firmNews Radioactive Waste Management said attackers have leveraged LinkedIn in a spear phishing campaign
-
Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a weekNews Fresh research demonstrates the sophistication and capability of state-sponsored threat actors to compromise diverse targets
