FIN6 attackers target recruiters with fraudulent resumes
The group's phishing methods protect it from many detection tools, researchers warn
The FIN6 hacking group, also known as Skeleton Spider, has been spotted impersonating job seekers to target recruiters with malware.
Contacting recruiters and HR departments on sites such as LinkedIn or Indeed, the group is submitting convincing-looking job resumes containing phishing links. These links lead to the applicant's 'personal website', said to contain their resume. The links are given in a 'johnsmith[.]com' format.
"The faulty links are crafted in a way that evades detection and blocking, requiring recipients to type them on their browsers manually," said Andrew Costis, engineering manager of the adversary research team at AttackIQ.
"The domains are registered anonymously, and come equipped with environmental fingerprinting and behavioral checks to ensure that only the target can open the landing pages."
In a new report by DomainTools, researchers identified a number of these domains hosted on AWS infrastructure, including bobbyweisman[.]com, emersonkelly[.]com, and davidlesnick[.]com.
"It is likely the actors behind these domains use disposable or fraudulent email addresses, anonymous or foreign IP addresses, and prepaid or stolen payment methods to create and maintain these accounts," the researchers said.
"Combined with the use of resume-themed domain names and impersonation techniques, this registration strategy allows FIN6 to keep their infrastructure alive just long enough to carry out active phishing campaigns while avoiding rapid takedown by security researchers or registrars."
The researchers said that, when accessed, the sites often display a professional-looking fake resume, lulling recruiters into a false sense of security.
Meanwhile, to help them stay under the radar, the attackers use traffic filtering techniques to control who can access the malicious content, with only users appearing to be on residential IP addresses and using common Windows-based browsers allowed to download the malicious document.
If the visitor is coming via a known VPN service, cloud infrastructure like AWS or corporate security scanners, the site instead delivers a harmless plain-text version of the resume.
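One defensive way to surface this kind of profile-based cloaking is to fetch the same resume link from several vantage points and compare what is served. The comparison logic below is an added example, not code from the article or from DomainTools; the network fetch is replaced by constructed sample responses, and the profile names and thresholds are assumptions.

```python
"""Cloaking divergence check for a suspected resume-themed site.

Assumed workflow: a URL-scanning pipeline fetches the link once per client
profile (residential Windows browser vs. VPN, cloud and scanner egress) and
records the response metadata. This module only does the comparison.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    profile: str        # vantage point / client profile used for the fetch
    status: int
    content_type: str   # Content-Type header, media type only
    disposition: str    # Content-Disposition header, "" if absent
    body_bytes: int


# Content types that indicate a file download rather than a readable page.
DOWNLOAD_TYPES = {"application/zip", "application/octet-stream",
                  "application/x-msdownload", "application/msword"}


def served_artifact(r: Response) -> str:
    """Classify a response as 'download' or by its media type."""
    if "attachment" in r.disposition.lower() or r.content_type in DOWNLOAD_TYPES:
        return "download"
    return r.content_type


def cloaking_verdict(responses):
    """Return (is_cloaked, artifact_by_profile).

    Flags the site when a residential-profile fetch receives a download while
    every VPN / cloud / scanner profile receives something else, which is the
    filtering behaviour described above.
    """
    by_profile = {r.profile: served_artifact(r) for r in responses}
    residential = [a for p, a in by_profile.items() if p.startswith("residential")]
    others = [a for p, a in by_profile.items() if not p.startswith("residential")]
    if not residential or not others:
        return False, by_profile   # not enough vantage points to compare
    cloaked = "download" in residential and "download" not in others
    return cloaked, by_profile


# Constructed sample: what a cloaked 'personal website' might return per profile.
SAMPLE = [
    Response("residential-windows-chrome", 200, "application/zip",
             'attachment; filename="resume.zip"', 48210),
    Response("aws-egress-chrome", 200, "text/plain", "", 1932),
    Response("vpn-linux-firefox", 200, "text/plain", "", 1932),
    Response("scanner-headless", 200, "text/plain", "", 1932),
]
```

A site that serves the same artifact to every profile is not flagged, so the check complements rather than replaces content analysis of whatever the residential profile downloads.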
DomainTools said that one of the group's favorite payloads is more_eggs, a stealthy JavaScript-based backdoor developed by the Venom Spider group, also known as Golden Chickens, and offered as malware-as-a-service.
The more_eggs malware facilitates credential theft, system access and follow-on attacks, including the use of ransomware. And FIN6 has been using this malware since at least 2018, with Visa warning in 2019 that the group was targeting e-commerce firms, placing skimming malware on their checkout pages.
"What makes FIN6 a particularly dangerous group is the length of time they've survived and the breadth of different attack tactics they've been observed implementing," said Costis.
"The group has compromised point-of-sale systems to conduct financial fraud, expanded into ransomware attacks, and most recently used social engineering campaigns to deliver malware-as-a-service JavaScript backdoors for credential theft. This vast pool of experience makes them especially threatening to unprotected data."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.