Searching for a new job? That LinkedIn job offer may be fake

Threat actors use fake job offers to dupe their victims in this attack

LinkedIn on a mobile device

Threat actors have been found impersonating human resource employees from Collins Aerospace and General Dynamics in a spear-phishing campaign using LinkedIn messaging.

These phoney HR employees sent job seekers fake job offers filled with malicious documents intended to deliver data-exfiltrating malware. 

The campaign has since been dubbed “Operation In(ter)ception” and targeted unsuspecting individuals at European and Middle East aerospace and military companies. The attacks took place from September to December 2019.

Victims of Operation In(ter)ception were sent job offers via a LinkedIn message. The offers claimed to come from a well-known company in a relevant sector. Such companies included Collins Aerospace, a major US supplier of aerospace and defense products and General Dynamics.

The document containing the job offer was a password-protected RAR archive containing an LNK file. Upon opening, a PDF showed salary information related to the job, but the PDF was merely a decoy.

Once the victim opened the PDF, a Command Prompt utility created a scheduled task to execute a remote XSL script. 

The XSL script downloaded base64-encoded payloads and decoded them using certutil, a command-line program used to display certification authority (CA) configuration information, backup and restore CA components and verify certificates. 

Rundll32, used for running 32-bit dynamic-link libraries, would then download and run a PowerShell DLL.

“Based on the job titles of the employees initially targeted via LinkedIn, it appears that Operation In(ter)ception targeted technical and business-related information,” researchers explained. Though, “Neither the malware analysis nor the investigation allowed us to gain insight into what exact file types the attackers were aiming for.”

In an interview with Threat Post, Paul Rockwell, head of trust and safety with LinkedIn, said the creation of fake accounts and participation in fraudulent activity “is a violation of our terms of service.” At this time, accounts associated with Operation In(ter)ception have been permanently restricted.

“We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies,” Rockwell added.

“Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors,” he continued.

While LinkedIn hasn’t found evidence connecting these attacks to a specific threat actor, Rockwell claims similarities in targeting, development and anti-analysis techniques connect Operation In(ter)ception to the Lazarus group. 

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

Wisconsin Republican Party allegedly loses $2.3 million to hackers
hacking

Wisconsin Republican Party allegedly loses $2.3 million to hackers

30 Oct 2020
Bank-targeting malware disguises itself as video conferencing software
Security

Bank-targeting malware disguises itself as video conferencing software

19 Oct 2020
What is hacktivism?
hacking

What is hacktivism?

13 Oct 2020
Microsoft: Iranian hackers are exploiting ZeroLogon flaw
Security

Microsoft: Iranian hackers are exploiting ZeroLogon flaw

6 Oct 2020

Most Popular

Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?
Technology

What is Neuralink?

24 Oct 2020