LinkedIn Messaging Sends Job Offers With Malware Targeting Critical Industries
Published: October 14, 2020 in our Security Fraud News & Alerts Newsletter.
Over 600 million people belong to LinkedIn, the popular social network where job seekers and business professionals connect. Launched in 2003, the website sees 303 million active monthly users, many of them job seekers. It was recently discovered that the company’s messaging service was hacked, and many hopeful recruits received fake job offers that included malware attachments. Spear-phishing emails were the method of attack, and malware-infused .PDF attachments lured recipients to open them for salary and job details. The hacking group focused its attention on critical industries overseas, including two US companies, Collins Aerospace and General Dynamics, suppliers of aerospace and military defense products.
Security experts believe the goal behind the hack is unleashing data-stealing malware for espionage purposes. It’s believed the hackers behind the attacks may be linked to Lazarus Group, a North Korean-linked cyberthreat group. Dubbed “Operation In(ter)ception,” ESET researchers say the attacks “were highly targeted and relied on social engineering over LinkedIn and custom, multistage malware.” In addition, ESET found “…the custom malware used in Operation In(ter)ception hasn’t been previously documented.”
Spear-phishing attacks are highly effective since they target victims directly by name and/or title, adding legitimacy to the emails and their content. They also rely on social engineering tactics, which are ways to trick a victim into divulging sensitive information or taking an action they wouldn’t otherwise take. Socially engineered methods take advantage of human nature and emotional reactions, like being thrilled to get a job offer, inducing the recipient to open the email and take action. Since many cyberattacks look to steal as much data as possible from targets, there are ways for everyday users to limit their exposure to data theft.
Keep personal information posted online, including social media sites like LinkedIn and Facebook, to a minimum. Hackers troll these websites for PII (personally identifiable information) that can be used for socially engineered attacks.
Email phishing awareness should always be the first step in evaluating the validity of an email. Remember, the sender isn’t always who they say they are. Just because an email claims to be from your bank, it isn’t necessarily so. Some experts suggest considering all email sources as suspect since “better safe than sorry.”
Beware of links and attachments in an email. The links may go to fake websites designed to steal data, and attachments can be malware-filled. Whenever possible, call the sender to validate that links and attachments are legitimate before acting on them.
Keep all software, including apps, immediately patched and up to date with the latest versions available.
Also, if you haven’t done so already, use anti-virus software solutions on all devices.