LinkedIn has become a prime hunting ground for cyber criminals – here’s what you need to know
A security researcher has revealed their interaction with a LinkedIn fake job offer scam, detailing how you can stay safe
LinkedIn has emerged as a lucrative hunting ground for cyber criminals in recent years, with threat actors conducting a range of social engineering campaigns centered around fake job offers.
Last year, for example, security company ClearSky revealed a social engineering campaign that used fraudulent LinkedIn identities and fake job offers to trick users into downloading malware.
Led by an Iranian threat group, this particular campaign built on techniques first observed being employed by the North Korean Lazarus group.
Now, fresh details on the extent of the threat posed by the Lazarus group have been revealed by Bitdefender Labs. A report from the cybersecurity firm details how one scammer approached a researcher who was able to record the tactics employed in the threat campaign.
The scammer first approached the researcher with an ‘opportunity’ to work on a decentralized cryptocurrency exchange, claiming the final minimum viable product (MVP) was already complete and that the researcher would be employed as a front-end developer.
Bitdefender reported that once the target expressed interest in the vacancy, the scammer requested they provide a CV or personal GitHub repository link, which it said could be used to harvest personal data as well as make the offer appear genuine.
After these are supplied, the attacker shares a repository with the MVP or the project as well as a feedback document labelled ‘Candidate Evaluation and Feedback For’, which includes questions that cannot be answered unless the target runs the demo.
Analysis of the heavily obfuscated code revealed that it dynamically loads malicious code from a third-party endpoint. Bitdefender found that the payload is a cross-platform info-stealer engineered to target a range of popular cryptocurrency wallets.
The next payload drops further dependencies designed to ensure persistence on the target system, establish command and control (C2), and avoid detection.
Bitdefender said its analysis of the malware and operational tactics employed by the attacker indicated the attack was part of a larger campaign carried out by the Lazarus Group, a state-sponsored threat actor based in North Korea.
The attackers’ objectives extend beyond data theft, the report claimed, stating the group has been observed targeting victims working in sensitive sectors such as aviation, defense, and nuclear industries with the aim of exfiltrating classified information, proprietary technology, and corporate credentials.
The group has also been recorded targeting enterprises with fake job seeker scams, in which hackers posing as remote IT workers based in other parts of the world try to gain entry to businesses in order to establish persistence on their corporate network.
How to protect yourself on LinkedIn
As a professional network, it’s not out of the ordinary to receive job offers via LinkedIn. The platform has an in-built jobs board, allowing enterprises to post vacant positions.
However, when approached by an individual, it’s wise to remain vigilant and be wary of any telltale signs that you may be prey for a cyber criminal.
Bitdefender set out a series of red flags individuals can look out for, including offers with vague descriptions of the role that do not correspond to an existing job posting on the platform.
Suspicious repositories that belong to users with ‘random names’ and lack proper documentation or a long contribution history are also strong indicators that the sender has malicious intentions.
Finally, users should also look out for spelling errors in any correspondence they have with the suspected scammer, as well as evidence of poor communication such as refusing to provide alternative contact methods.
Bitdefender also recommends best practices that users can follow to minimize the risk of falling for similar scams, such as never running unverified code outside of virtual machines, sandboxes, or online code testing platforms.
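As an added illustration of that advice (not code from Bitdefender's report or from the campaign), the Python example below triages a shared repository by reading it, never executing it, and flags files that both fetch remote content and execute code dynamically, the behaviour Bitdefender described. The regex rules, the line-length threshold, the file extensions and all function names are assumptions chosen for this example; a clean result is not a reason to run the code outside a sandbox.

```python
import re
from pathlib import Path

# Heuristic rules: assumptions for this example, not indicators from the report.
RULES = {
    "dynamic-exec": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|child_process"),
    "remote-fetch": re.compile(
        r"\bfetch\s*\(|\baxios\b|XMLHttpRequest|\brequire\(\s*.https?.\s*\)"),
    "obfuscation": re.compile(r"\b_0x[0-9a-f]{4,}\b|(?:\\x[0-9a-fA-F]{2}){8,}"),
}
MAX_LINE = 1000  # minified or obfuscated sources tend to have very long lines
SOURCE_EXT = {".js", ".mjs", ".cjs", ".jsx", ".ts", ".tsx"}


def triage_file(text):
    """Return the names of the rules that match one file's text."""
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    if any(len(line) > MAX_LINE for line in text.splitlines()):
        hits.add("long-line")
    return hits


def verdict(hits):
    """Fetching remote content and executing code dynamically is the stop sign."""
    if {"dynamic-exec", "remote-fetch"} <= hits:
        return "high"
    if hits & {"dynamic-exec", "obfuscation", "long-line"}:
        return "review"
    return "none"  # a plain network call on its own is normal front-end code


def triage_repo(root):
    """Read (never execute) a cloned repo; return findings, "high" before "review"."""
    report = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SOURCE_EXT:
            hits = triage_file(path.read_text(errors="replace"))
            if verdict(hits) != "none":
                report.append((verdict(hits), str(path), sorted(hits)))
    return sorted(report)


if __name__ == "__main__":
    # Constructed samples, not code from the campaign.
    loader = "const r = await fetch(cfgUrl); eval(await r.text());"
    packed = "var _0x4f2a = ['\\x68\\x65\\x6c\\x6c\\x6f\\x21\\x21\\x21'];"
    plain = "export const add = (a, b) => a + b;"
    for name, src in [("loader", loader), ("packed", packed), ("plain", plain)]:
        print(name, verdict(triage_file(src)), sorted(triage_file(src)))
```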

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.
