LinkedIn Is A Focal Point For Cyber Crime

Uploaded on 2025-02-12 in TECHNOLOGY-Key Areas-Social Media, FREE TO VIEW

LinkedIn has become a valuable research site for cyber criminals, with threat actors conducting a range of social engineering campaigns, focusing on fake job offers.

In 2024, security company Clear Sky revealed that there was a social engineering campaign that was using fake LinkedIn identities to trick users into downloading malware with job offers. This campaign used techniques first seen being employed by the Lazarus Group, a well-established N. Korean threat actor. 

Now, fresh details on the extent of the threat posed by the Lazarus group have been published by Bitdefender. Their report details how one scammer approached a researcher who was able to record the tactics employed in the threat campaign.

Bitdefender warns of an active campaign by the North Korea-linked Lazarus Group, targeting organisations by capturing credentials and delivering malware through fake LinkedIn job offers.

The active campaign was designed to steal credentials and deliver malware in its environment. The researcher downloaded suspected malicious code in a safe sandbox environment.  From fake job offers and elaborate phishing schemes to scams and even state-sponsored threat actors who prey on people’s career aspirations and trust in professional networks.

An example of the deceptive tactics criminals have been using is a failed "recruitment" operation on LinkedIn, where the attackers made the critical mistake of targeting a Bitdefender researcher, who recognised their malicious intent.

In this scenario, the scam begins with an enticing message: an opportunity to collaborate on a decentralised crypto-currency exchange. While the details are left deliberately vague, the promise of remote work, part-time flexibility, and reasonable pay can lure unsuspecting individuals.  Variations of this scam have also been observed, with projects supposedly related to travel or financial domains.

Once the target expresses interest, the "hiring process" unfolds, with the scammer requesting a CV or even a personal GitHub repository link. Although seemingly innocent, these requests can serve nefarious purposes, such as harvesting personal data or lending a veneer of legitimacy to the interaction. The submitted files provided by the “applicant” are most definitely put to good use by the “recruiter” who can harvest information and use it to further legitimise the conversation with the unsuspecting victim.

After receiving the requested information, the criminal shares a repository containing the "minimum viable product" (MVP) of the project. He also includes a document with questions that can only be answered by executing the demo. At first glance, the code appears harmless. However, closer inspection reveals a heavily obfuscated script that dynamically loads malicious code from a third-party endpoint.

Once deployed, the stealer collects important files corresponding to these extensions while also collecting login data of the used browsers and exfiltrates the information to a malicious IP address that seems to contain other malicious files on the server.  

After exfiltrating login and extension-related data, the JavaScript stealer downloads and executes a Python script that sets the stage for other malicious activities.

Analysis of the malware and operational tactics strongly suggests the involvement of state-sponsored threat actors, specifically those from North Korea. These actors, previously linked to malicious job offers and fake job applications, have ties to groups like the Lazarus Group, also known as APT 38.

Their objectives go beyond personal data theft. By compromising people working in sectors such as aviation, defence, and nuclear industries, Lazurus Group aim to exfiltrate classified information, proprietary technologies, and corporate credentials.  In this case, executing the malware on enterprise devices could grant attackers access to sensitive company data, amplifying the damage.

Bitdefender is warning of the various red flags associated with this campaign, including vague job descriptions, suspicious repositories, and poor communication, to help individuals protect themselves. Users should also look out for spelling errors in any correspondence they have with the suspected scammer, as well as evidence of poor communication such as refusing to provide alternative contact methods.

Bitdefender recommends users can follow to minimise the risk they face of falling for similar scams, such as never running unverified code outside of virtual machines, sandboxes, or online code testing platforms.

Bitdfender   |   Infosecurity Magazine   |  ClearSky   |   CSO Online   |    Security Scorecard   |   ITPro   |   

KBi Media 

Image: Bastian Riccardi

You Might Also Read: 

Spy Agencies Are Hiring Via LinkedIn:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible





 

« AI Love You This Valentine's Day

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Axial

Axial

Axial Systems is one of the UK’s leading solution providers and systems integrators in network, security and services.

Reblaze Technologies

Reblaze Technologies

Reblaze provides the world’s best security technologies in a cloud-based website security platform.

RiskSense

RiskSense

RiskSense empowers enterprises and governments to reveal cyber risk, quickly orchestrate remediation, and monitor the results.

National Authority Against Electronic Attacks (NAAEA) - Greece

National Authority Against Electronic Attacks (NAAEA) - Greece

The National Authority Against Electronic Attacks (NAAEA) is the national computer emergency response team of Greece.

MAY Cyber Technology

MAY Cyber Technology

MAY Cyber Technology is a Security Management solutions provider located in Turkey & Germany.

Resolver

Resolver

Resolver’s Integrated Risk Management platform helps plan and prepare your organization to limit the likeliness or impact of security risk and compliance events from occurring.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Future Technology Systems Company (FutureTEC)

Future Technology Systems Company (FutureTEC)

FutureTEC is a leading Information Technology Solutions Provider, delivering world-class Information Security, Information Management, and Business Solutions.

Udacity

Udacity

Udacity's mission is to train the world’s workforce in the careers of the future. Our programs range from beginner to expert levels and deliver the hands-on skills for real-world expertise.

US Coast Guard Cyber Command

US Coast Guard Cyber Command

US Coast Guard Cyber Command’s focus is to ensure the security of our cyberspace, maintain superiority over our adversaries,and safeguard our Nation’s critical maritime infrastructure.

FourNet

FourNet

FourNet is an award-winning provider of cloud and managed services; we work closely with our clients to enable digital transformation across their organisation.

MyCISO

MyCISO

MyCISO is the World’s first SaaS application that will vastly simplify security management for all.

coc00n

coc00n

coc00n secures the devices of high-value and high-interest individuals against cyber attacks.

Armata Cyber Security

Armata Cyber Security

Armata exists to bring Cyber Security to all people – from home users and SMBs to large enterprises. We believe all users have the right to an affordable yet effective Cyber Security solution.

PRE Security

PRE Security

PRE Security is leading the transition into the next era of AI cybersecurity with a new model: Predict & Prevent.

Metrics that Matter (MTM)

Metrics that Matter (MTM)

Metrics that Matter redefines how organizations approach cybersecurity by offering unprecedented insight into the value of their assets to criminals and tailored action plans to protect.