Searching for a new job? That LinkedIn job offer may be fake

Threat actors use fake job offers to dupe their victims in this attack

LinkedIn on a mobile device

Threat actors have been found impersonating human resource employees from Collins Aerospace and General Dynamics in a spear-phishing campaign using LinkedIn messaging.

These phoney HR employees sent job seekers fake job offers filled with malicious documents intended to deliver data-exfiltrating malware. 

The campaign has since been dubbed “Operation In(ter)ception” and targeted unsuspecting individuals at European and Middle East aerospace and military companies. The attacks took place from September to December 2019.

Victims of Operation In(ter)ception were sent job offers via a LinkedIn message. The offers claimed to come from a well-known company in a relevant sector. Such companies included Collins Aerospace, a major US supplier of aerospace and defense products and General Dynamics.

The document containing the job offer was a password-protected RAR archive containing an LNK file. Upon opening, a PDF showed salary information related to the job, but the PDF was merely a decoy.

Once the victim opened the PDF, a Command Prompt utility created a scheduled task to execute a remote XSL script. 

The XSL script downloaded base64-encoded payloads and decoded them using certutil, a command-line program used to display certification authority (CA) configuration information, backup and restore CA components and verify certificates. 

Rundll32, used for running 32-bit dynamic-link libraries, would then download and run a PowerShell DLL.

“Based on the job titles of the employees initially targeted via LinkedIn, it appears that Operation In(ter)ception targeted technical and business-related information,” researchers explained. Though, “Neither the malware analysis nor the investigation allowed us to gain insight into what exact file types the attackers were aiming for.”

In an interview with Threat Post, Paul Rockwell, head of trust and safety with LinkedIn, said the creation of fake accounts and participation in fraudulent activity “is a violation of our terms of service.” At this time, accounts associated with Operation In(ter)ception have been permanently restricted.

“We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies,” Rockwell added.

“Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors,” he continued.

While LinkedIn hasn’t found evidence connecting these attacks to a specific threat actor, Rockwell claims similarities in targeting, development and anti-analysis techniques connect Operation In(ter)ception to the Lazarus group. 

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
TsuNAME vulnerability could enable DDoS attacks on major DNS servers
distributed denial of service (DDOS)

TsuNAME vulnerability could enable DDoS attacks on major DNS servers

7 May 2021
Security researchers take control of a Tesla via drone
ethical hacking

Security researchers take control of a Tesla via drone

5 May 2021
Hackers used SonicWall zero-day flaw to plant ransomware
ransomware

Hackers used SonicWall zero-day flaw to plant ransomware

30 Apr 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021