Hackers are using LinkedIn to target people looking for jobs with fake offers
Hackers have been using a rather sophisticated campaign to target users’ devices by breaking in with a backdoor Trojan and then injecting more malicious malware.
With the lockdown and the pandemic striking the job market hard globally, many people seeking jobs have been turning to LinkedIn to find positions they can apply for. And hackers being, well, hackers, have been targeting these job seekers with a new phishing method.
According to a report in Gizmodo that quotes research published by eSentire, which is a cybersecurity solutions provider, hackers have been using a rather sophisticated campaign to target users’ devices.
eSentire said that a particular hacking group has been targeting business professionals on LinkedIn with fake job offers to try and infect their devices with remote code execution malware.
Remote code execution malware gives hackers remote access and control over the victim’s device, in this case, the computer/laptop. And allows them to send, receive, launch and even delete files without the victim knowing.
Reports state that these hackers are connected to a larger group of cybercriminals calls the Golden Chickens.
So, how are they doing this to LinkedIn users?
To start off, hackers send a direct message (DM) to a user with a job offer. This job offer comes accompanied by a Zip file or has an attachment of some sort with the extension .zip. This .zip file is the hidden malware that helps hackers get into the user’s device.
As eSentire explained with an example, “If the LinkedIn member’s job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the “position” added to the end).”
Once the unsuspecting victim opens the .zip file he/she initiates the “stealthy installation of the fileless backdoor, more_eggs”.
A backdoor trojan like “more_eggs” is a program that allows other, more destructive kinds of malware to be loaded into the system. Once this trojan has been used on a device, hackers can use this to deploy other malware like ransomware, banking malware, credential stealers etc.
So, these Golden Chickens are not conducting these attacks themselves. They are instead selling something that’s described as MaaS (Malware-as-a-service). Other cybercriminals can buy the malware from them to run their own hacking campaigns. sSentire said in the report that it is unclear who is exactly heading this campaign.
Senior Director of the Threat Response Unit (TRU) for eSentire, Rob McLeod, called the activity “particularly worrisome” especially in a time like this when thousands of people are looking for jobs online.
How can one avoid an attack like this?
For starters, keep an eye out for what the offer is labeled as. Like eSentire said if the position you are looking up was Senior Account Executive—International Freight, the .zip file might come labeled as Senior Account Executive—International Freight position. Be mindful of additions like these and spelling errors.
If the job offer seems too good to be true, it’s best to avoid it. And just to be safe, don’t open any of these .zip files you receive on DMs.
Gizmodo reached out to LinkedIn regarding this and this is what they had to say:
“Millions of people use LinkedIn to search and apply for jobs every day — and when job searching, safety means knowing the recruiter you’re chatting with is who they say they are, that the job you’re excited about is real and authentic, and how to spot fraud. We don’t allow fraudulent activity anywhere on LinkedIn. We use automated and manual defenses to detect and address fake accounts or fraudulent payments. Any accounts or job posts that violate our policies are blocked from the site.”