It seems like I write this at least once, if not twice, a week: Developers and hackers constantly have to outdo each other. Developers solve one problem; hackers beat it. Developers solve it again, and hackers beat it again. And round and round it goes. A LinkedIn phishing campaign is the newest threat.
Hackers Hit LinkedIn
It seems like nothing is off limits anymore. After a year of the pandemic that saw unemployment at record highs, hackers are now hitting the inboxes of people who are just trying to find employment. It’s the epitome of kicking someone when they’re down.
Cybersecurity firm eSentire has issued a warning about a hacking group that launched a spearphishing campaign on LinkedIn.
Fake job offers lead to a backdoor trojan. This gives the hackers control over the users’ computers and data. Not only are they unemployed, now they are losing everything connected to their computers. During the pandemic, this is their lifeline.
eSentire’s Threat Response Unit (TRU) was able to piece together how the LinkedIn phishing campaign worked. A user of the social media site would get a malicious zip file in an email offering a job position that matched up with their LinkedIn profile.
Once a user opened the zip file, the more_eggs backdoor was launched. It could download even more malicious plug-ins, giving the hackers access to the user’s computer. The backdoor was then sold to other hackers, leading to all sorts of malware.
“What is particularly worrisome about the more_eggs activity is that it has three elements which make it a formidable threat to businesses and business professionals,” said Sr. Director Rob McLeod of the TRU.
These three elements are:
- Runs on Windows to lessen chances of being identified by antivirus
- The user’s desired job in the email increases the likelihood that the malicious zip file will be opened.
- The unemployed are more desperate during the pandemic.
Researchers also noted the stealthiness of the LinkedIn phishing campaign. The hackers achieved this by “abusing legitimate Windows processes,” which the malware drives through script files. Because it is delivered as malware-as-a-service (MaaS), the distribution appears “to be sparse and selective in comparison to typical malspam distribution networks.”
Who Are the Hackers?
At the time of writing, researchers have not identified the hackers. Yet they have been able to determine that known hacking groups – FIN6, Cobalt Group, and Evilnum – were patrons of the MaaS.
It’s also not known what the end goal of the LinkedIn phishing campaign is, yet it is similar to an earlier phishing campaign.
“What we do know is that this current activity mirrors an eerily similar campaign which was reported in February 2019, where U.S. retail, entertainment, and pharmaceutical companies, which offer online shopping, were targeted,” explained the eSentire warning.
“The threat actors went after employees of these companies with fake job offers, cleverly using the job title listed on their LinkedIn profiles in their communications to the employees. Similar to the current incident, they also used malicious email attachments, and if the target clicked on the attachment, they got hit by more_eggs.”
Whether or not you are actively looking for employment on LinkedIn, be forewarned of this phishing campaign and be vigilant in opening employment-related emails from unknown senders.