Hackers are using LinkedIn to target people looking for jobs with fake offers

With the lockdown and the pandemic striking the job market hard globally, many people seeking jobs have been turning to LinkedIn to find positions they can apply for. And hackers being, well, hackers, have been targeting these job seekers with a new phishing method.

According to a report in Gizmodo that quotes research published by eSentire, which is a cybersecurity solutions provider, hackers have been using a rather sophisticated campaign to target users' devices.

You may be interested in

MobilesTablets Laptops

7% OFF

Apple iPhone 15 Pro Max

• Black Titanium
• 8 GB RAM
• 256 GB Storage

₹148,900₹159,900

Buy now

23% OFF

Samsung Galaxy S23 Ultra 5G

• Green
• 12 GB RAM
• 256 GB Storage

₹115,999₹149,999

Buy now

Google Pixel 8 Pro

• Obsidian
• 12 GB RAM
• 128 GB Storage

₹106,998

Check details

Apple iPhone 15 Plus

• Black
• 6 GB RAM
• 128 GB Storage

₹87,900

Check details

34% OFF

Xiaomi Pad 6

• Mist Blue
• 6 GB RAM
• 128 GB Storage

₹26,299₹39,999

Buy now

55% OFF

Lenovo Tab M10 5G

• Abyss Blue
• 6 GB RAM
• 128 GB Storage

₹20,999₹47,000

Buy now

32% OFF

Realme Pad 2

• Imagination Grey
• 6 GB RAM
• 128 GB Storage

₹19,790₹28,999

Buy now

Honor Pad X9

• Gray
• 4 GB RAM
• 128 GB Storage

₹14,999

Check details

21% OFF

Acer Swift Go SFG14 41 NX KG3SI 002 Laptop

• Pure Silver
• 8 GB RAM
• 512 GB SSD

₹58,990₹74,999

Buy now

39% OFF

Acer Aspire 5 A515 57G Laptop

• Gray
• 16 GB RAM
• 512 GB SSD

₹54,949₹89,999

Buy now

22% OFF

Acer Aspire 3 A315 24 NX KDESI 004 Laptop

• Silver
• 8 GB RAM
• 512 GB SSD

₹33,499₹42,999

Buy now

39% OFF

Asus VivoBook 15 X515JA BQ322WS Laptop

• Transparent Silver
• 8 GB RAM
• 512 GB SSD

₹31,490₹51,990

Buy now

eSentire said that a particular hacking group has been targeting business professionals on LinkedIn with fake job offers to try and infect their devices with remote code execution malware.

Remote code execution malware gives hackers remote access and control over the victim's device, in this case, the computer/laptop. And allows them to send, receive, launch and even delete files without the victim knowing.

Reports state that these hackers are connected to a larger group of cybercriminals calls the Golden Chickens.

So, how are they doing this to LinkedIn users?

To start off, hackers send a direct message (DM) to a user with a job offer. This job offer comes accompanied by a Zip file or has an attachment of some sort with the extension .zip. This .zip file is the hidden malware that helps hackers get into the user's device.

As eSentire explained with an example, “If the LinkedIn member's job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the “position” added to the end).”

Once the unsuspecting victim opens the .zip file he/she initiates the “stealthy installation of the fileless backdoor, more_eggs”.

A backdoor trojan like “more_eggs” is a program that allows other, more destructive kinds of malware to be loaded into the system. Once this trojan has been used on a device, hackers can use this to deploy other malware like ransomware, banking malware, credential stealers etc.

So, these Golden Chickens are not conducting these attacks themselves. They are instead selling something that's described as MaaS (Malware-as-a-service). Other cybercriminals can buy the malware from them to run their own hacking campaigns. sSentire said in the report that it is unclear who is exactly heading this campaign.

Senior Director of the Threat Response Unit (TRU) for eSentire, Rob McLeod, called the activity “particularly worrisome” especially in a time like this when thousands of people are looking for jobs online.

How can one avoid an attack like this?

For starters, keep an eye out for what the offer is labeled as. Like eSentire said if the position you are looking up was Senior Account Executive—International Freight, the .zip file might come labeled as Senior Account Executive—International Freight position. Be mindful of additions like these and spelling errors.

If the job offer seems too good to be true, it's best to avoid it. And just to be safe, don't open any of these .zip files you receive on DMs.

Gizmodo reached out to LinkedIn regarding this and this is what they had to say:

“Millions of people use LinkedIn to search and apply for jobs every day — and when job searching, safety means knowing the recruiter you're chatting with is who they say they are, that the job you're excited about is real and authentic, and how to spot fraud. We don't allow fraudulent activity anywhere on LinkedIn. We use automated and manual defenses to detect and address fake accounts or fraudulent payments. Any accounts or job posts that violate our policies are blocked from the site.”