FIN6 attackers target recruiters with fraudulent resumes

The group's phishing methods protect it from many detection tools, researchers warn


The FIN6 hacking group, also known as Skeleton Spider, has been spotted impersonating job seekers to target recruiters with malware.

Contacting recruiters and HR departments on sites such as LinkedIn or Indeed, the group submits convincing-looking job resumes containing phishing links. The links, written in a 'johnsmith[.]com' format, point to the applicant's supposed 'personal website', which is said to host their resume.

"The faulty links are crafted in a way that evades detection and blocking, requiring recipients to type them on their browsers manually," said Andrew Costis, engineering manager of the adversary research team at AttackIQ.

"The domains are registered anonymously, and come equipped with environmental fingerprinting and behavioral checks to ensure that only the target can open the landing pages."

In a new report by DomainTools, researchers identified a number of these domains hosted on AWS infrastructure, including bobbyweisman[.]com, emersonkelly[.]com, and davidlesnick[.]com.

"It is likely the actors behind these domains use disposable or fraudulent email addresses, anonymous or foreign IP addresses, and prepaid or stolen payment methods to create and maintain these accounts," the researchers said.

"Combined with the use of resume-themed domain names and impersonation techniques, this registration strategy allows FIN6 to keep their infrastructure alive just long enough to carry out active phishing campaigns while avoiding rapid takedown by security researchers or registrars."

The researchers said that, when accessed, the sites often display a professional-looking fake resume, lulling recruiters into a false sense of security.

Meanwhile, to help them stay under the radar, the attackers use traffic filtering to control who can reach the malicious content. Only visitors who appear to be on residential IP addresses and to be using common Windows-based browsers are allowed to download the malicious document.

If the visitor instead appears to be coming from a known VPN service, cloud infrastructure such as AWS, or a corporate security scanner, the site delivers a harmless plain-text version of the resume.
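The serve-to-some, hide-from-others behaviour described above is something a defender can test for directly: fetch the same URL from several vantage points (a residential Windows browser profile, a VPN exit, a cloud host) and compare what comes back. The following Python check is an added example, not code from the DomainTools report or from the article; the probe labels and sample responses are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """One fetch of the same URL from a given vantage point / client profile."""
    label: str          # e.g. "residential-win-chrome", "vpn-exit", "cloud-scanner"
    status: int
    content_type: str   # raw Content-Type header value as received
    body: bytes

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.body).hexdigest()


# A resume page has no business returning anything but text/HTML to a
# first-time visitor; any other media type is treated as a payload candidate.
BENIGN_TYPES = {"text/plain", "text/html"}


def analyze(probes: list[Probe]) -> dict:
    """Flag the serve-payload-to-some / serve-text-to-others pattern: the probes
    received materially different bodies and at least one got a non-text response."""
    digests = {p.label: p.digest for p in probes}
    payload_served_to = [
        p.label for p in probes
        if p.content_type.split(";")[0].strip().lower() not in BENIGN_TYPES
    ]
    differential = len(set(digests.values())) > 1
    return {
        "differential_content": differential,
        "payload_served_to": payload_served_to,
        "cloaking_suspected": differential and bool(payload_served_to),
    }


# Constructed sample responses (not captured traffic): the residential Windows
# profile is handed a binary download, VPN and cloud-scanner probes get text.
RESUME_TEXT = b"John Smith - Resume\nExperience: ...\n"
SAMPLE = [
    Probe("residential-win-chrome", 200, "application/octet-stream",
          b"<constructed binary payload placeholder>"),
    Probe("vpn-exit-linux-firefox", 200, "text/plain; charset=utf-8", RESUME_TEXT),
    Probe("cloud-scanner-aws", 200, "text/plain; charset=utf-8", RESUME_TEXT),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A page that returns identical text to every probe is not cleared by this check; it only surfaces the differential serving the report describes, which is what makes these sites invisible to scanners operating from cloud or VPN ranges.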

DomainTools said that one of the group's favorite payloads is more_eggs, a stealthy JavaScript-based backdoor developed by the Venom Spider group, also known as Golden Chickens, and offered as malware-as-a-service.

The more_eggs malware facilitates credential theft, system access and follow-on attacks, including the use of ransomware. FIN6 has been using it since at least 2018, and in 2019 Visa warned that the group was targeting e-commerce firms by placing skimming malware on their checkout pages.

"What makes FIN6 a particularly dangerous group is the length of time they've survived and the breadth of different attack tactics they've been observed implementing," said Costis.

"The group has compromised point-of-sale systems to conduct financial fraud, expanded into ransomware attacks, and most recently used social engineering campaigns to deliver malware-as-a-service JavaScript backdoors for credential theft. This vast pool of experience makes them especially threatening to unprotected data."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.