LinkedIn Is A Focal Point For Cyber Crime
LinkedIn has become a valuable research site for cyber criminals, with threat actors conducting a range of social engineering campaigns, focusing on fake job offers.
In 2024, security company Clear Sky revealed that there was a social engineering campaign that was using fake LinkedIn identities to trick users into downloading malware with job offers. This campaign used techniques first seen being employed by the Lazarus Group, a well-established N. Korean threat actor.
Now, fresh details on the extent of the threat posed by the Lazarus group have been published by Bitdefender. Their report details how one scammer approached a researcher who was able to record the tactics employed in the threat campaign.
Bitdefender warns of an active campaign by the North Korea-linked Lazarus Group, targeting organisations by capturing credentials and delivering malware through fake LinkedIn job offers.
The active campaign was designed to steal credentials and deliver malware in its environment. The researcher downloaded suspected malicious code in a safe sandbox environment. From fake job offers and elaborate phishing schemes to scams and even state-sponsored threat actors who prey on people’s career aspirations and trust in professional networks.
An example of the deceptive tactics criminals have been using is a failed "recruitment" operation on LinkedIn, where the attackers made the critical mistake of targeting a Bitdefender researcher, who recognised their malicious intent.
In this scenario, the scam begins with an enticing message: an opportunity to collaborate on a decentralised crypto-currency exchange. While the details are left deliberately vague, the promise of remote work, part-time flexibility, and reasonable pay can lure unsuspecting individuals. Variations of this scam have also been observed, with projects supposedly related to travel or financial domains.
Once the target expresses interest, the "hiring process" unfolds, with the scammer requesting a CV or even a personal GitHub repository link. Although seemingly innocent, these requests can serve nefarious purposes, such as harvesting personal data or lending a veneer of legitimacy to the interaction. The submitted files provided by the “applicant” are most definitely put to good use by the “recruiter” who can harvest information and use it to further legitimise the conversation with the unsuspecting victim.
After receiving the requested information, the criminal shares a repository containing the "minimum viable product" (MVP) of the project. He also includes a document with questions that can only be answered by executing the demo. At first glance, the code appears harmless. However, closer inspection reveals a heavily obfuscated script that dynamically loads malicious code from a third-party endpoint.
Once deployed, the stealer collects important files corresponding to these extensions while also collecting login data of the used browsers and exfiltrates the information to a malicious IP address that seems to contain other malicious files on the server.
After exfiltrating login and extension-related data, the JavaScript stealer downloads and executes a Python script that sets the stage for other malicious activities.
Analysis of the malware and operational tactics strongly suggests the involvement of state-sponsored threat actors, specifically those from North Korea. These actors, previously linked to malicious job offers and fake job applications, have ties to groups like the Lazarus Group, also known as APT 38.
Their objectives go beyond personal data theft. By compromising people working in sectors such as aviation, defence, and nuclear industries, Lazurus Group aim to exfiltrate classified information, proprietary technologies, and corporate credentials. In this case, executing the malware on enterprise devices could grant attackers access to sensitive company data, amplifying the damage.
Bitdefender is warning of the various red flags associated with this campaign, including vague job descriptions, suspicious repositories, and poor communication, to help individuals protect themselves. Users should also look out for spelling errors in any correspondence they have with the suspected scammer, as well as evidence of poor communication such as refusing to provide alternative contact methods.
Bitdefender recommends users can follow to minimise the risk they face of falling for similar scams, such as never running unverified code outside of virtual machines, sandboxes, or online code testing platforms.
Bitdfender | Infosecurity Magazine | ClearSky | CSO Online | Security Scorecard | ITPro |
Image: Bastian Riccardi
You Might Also Read:
Spy Agencies Are Hiring Via LinkedIn:
If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquiries: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible
