LinkedIn Is A Focal Point For Cyber Crime

Uploaded on 2025-02-12 in TECHNOLOGY-Key Areas-Social Media, FREE TO VIEW

LinkedIn has become a valuable research site for cyber criminals, with threat actors conducting a range of social engineering campaigns, focusing on fake job offers.

In 2024, security company Clear Sky revealed that there was a social engineering campaign that was using fake LinkedIn identities to trick users into downloading malware with job offers. This campaign used techniques first seen being employed by the Lazarus Group, a well-established N. Korean threat actor. 

Now, fresh details on the extent of the threat posed by the Lazarus group have been published by Bitdefender. Their report details how one scammer approached a researcher who was able to record the tactics employed in the threat campaign.

Bitdefender warns of an active campaign by the North Korea-linked Lazarus Group, targeting organisations by capturing credentials and delivering malware through fake LinkedIn job offers.

The active campaign was designed to steal credentials and deliver malware in its environment. The researcher downloaded suspected malicious code in a safe sandbox environment.  From fake job offers and elaborate phishing schemes to scams and even state-sponsored threat actors who prey on people’s career aspirations and trust in professional networks.

An example of the deceptive tactics criminals have been using is a failed "recruitment" operation on LinkedIn, where the attackers made the critical mistake of targeting a Bitdefender researcher, who recognised their malicious intent.

In this scenario, the scam begins with an enticing message: an opportunity to collaborate on a decentralised crypto-currency exchange. While the details are left deliberately vague, the promise of remote work, part-time flexibility, and reasonable pay can lure unsuspecting individuals.  Variations of this scam have also been observed, with projects supposedly related to travel or financial domains.

Once the target expresses interest, the "hiring process" unfolds, with the scammer requesting a CV or even a personal GitHub repository link. Although seemingly innocent, these requests can serve nefarious purposes, such as harvesting personal data or lending a veneer of legitimacy to the interaction. The submitted files provided by the “applicant” are most definitely put to good use by the “recruiter” who can harvest information and use it to further legitimise the conversation with the unsuspecting victim.

After receiving the requested information, the criminal shares a repository containing the "minimum viable product" (MVP) of the project. He also includes a document with questions that can only be answered by executing the demo. At first glance, the code appears harmless. However, closer inspection reveals a heavily obfuscated script that dynamically loads malicious code from a third-party endpoint.

Once deployed, the stealer collects important files corresponding to these extensions while also collecting login data of the used browsers and exfiltrates the information to a malicious IP address that seems to contain other malicious files on the server.  

After exfiltrating login and extension-related data, the JavaScript stealer downloads and executes a Python script that sets the stage for other malicious activities.

Analysis of the malware and operational tactics strongly suggests the involvement of state-sponsored threat actors, specifically those from North Korea. These actors, previously linked to malicious job offers and fake job applications, have ties to groups like the Lazarus Group, also known as APT 38.

Their objectives go beyond personal data theft. By compromising people working in sectors such as aviation, defence, and nuclear industries, Lazurus Group aim to exfiltrate classified information, proprietary technologies, and corporate credentials.  In this case, executing the malware on enterprise devices could grant attackers access to sensitive company data, amplifying the damage.

Bitdefender is warning of the various red flags associated with this campaign, including vague job descriptions, suspicious repositories, and poor communication, to help individuals protect themselves. Users should also look out for spelling errors in any correspondence they have with the suspected scammer, as well as evidence of poor communication such as refusing to provide alternative contact methods.

Bitdefender recommends users can follow to minimise the risk they face of falling for similar scams, such as never running unverified code outside of virtual machines, sandboxes, or online code testing platforms.

Bitdfender   |   Infosecurity Magazine   |  ClearSky   |   CSO Online   |    Security Scorecard   |   ITPro   |   

KBi Media 

Image: Bastian Riccardi

You Might Also Read: 

Spy Agencies Are Hiring Via LinkedIn:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible





 

« AI Love You This Valentine's Day
Indian Banks Aim To Reduce Online Fraud »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Copenhagen FinTech

Copenhagen FinTech

Copenhagen FinTech is a centre for R&D and innovation in the Danish finance IT sector. Focus areas include cyber security and payments platforms.

CUIng.org

CUIng.org

The CUIng initiative was launched to tackle the problem of criminal exploitation of information hiding techniques.

National Information Technology Development Agency (NITDA) - Nigeria

National Information Technology Development Agency (NITDA) - Nigeria

The National Information Technology Development Agency (NITDA) is committed to implementing the Nigerian National Information Technology Policy.

OSIRIS Lab - NYU Tandon

OSIRIS Lab - NYU Tandon

The Offensive Security, Incident Response & Internet Security Lab (OSIRIS) is a security research environment where students analyze and understand how attackers take advantage of real systems.

Defence Intelligence

Defence Intelligence

Defence Intelligence is an information security firm specializing in advanced malware protection.

Block Armour

Block Armour

Block Armour is a Mumbai and Singapore based venture focused on harnessing emerging technologies to counter growing Cybersecurity challenges in bold new ways.

iONLINE

iONLINE

iONLINE delivers high quality IT services and solutions to businesses in Azerbaijan.

Blaick Technologies

Blaick Technologies

Blaick is an Israeli cyber-security company which deploys proprietary Artificial Intelligence threats detection technology for early prevention of online cyber crime.

IQ4 - Cybersecurity Workforce Alliance (CWA)

IQ4 - Cybersecurity Workforce Alliance (CWA)

Cybersecurity Workforce Alliance, a division of iQ4, is an organization comprised of a diverse range of professionals dedicated to the development of the cybersecurity workforce.

Nucleon Security

Nucleon Security

Nucleon Endpoint Detection and Response EDR is the most effective way to protect the value created by your organization against any threat.

ECHO Project

ECHO Project

The main objective of ECHO is to strengthen the cyber defence of the European Union, enhancing Europe’s technological sovereignty through effective and efficient multi-sector collaboration.

Glocomp Systems

Glocomp Systems

Glocomp Systems is one of Malaysia’s premier ICT infrastructure distributor offering a comprehensive portfolio of solutions including cybersecurity and privacy.

Creative Destruction Lab (CDL)

Creative Destruction Lab (CDL)

Creative Destruction Lab is a nonprofit organization that delivers an objectives-based program for massively scalable, seed-stage, science- and technology-based companies.

IPKeys Cyber Partners

IPKeys Cyber Partners

IPKeys Cyber Partners, together with the IPKeys Power Partners unit, provide Cyber Security and CIP Compliance for utilities, grid operators and public safety organization across the USA.

DC Two

DC Two

DC Two are a locally operated and supported Australian data centre, offering a suite of vertically integrated services covering every part of the data centre and cloud technology stack.

Cyrex

Cyrex

Cyrex is a Web3 security and development company. Our mastery over decentralized applications, smart contracts and blockchain will keep you secure across Web3.