Searching for a new job? That LinkedIn job offer may be fake

Threat actors use fake job offers to dupe their victims in this attack

LinkedIn on a mobile device

Threat actors have been found impersonating human resource employees from Collins Aerospace and General Dynamics in a spear-phishing campaign using LinkedIn messaging.

These phoney HR employees sent job seekers fake job offers filled with malicious documents intended to deliver data-exfiltrating malware. 

The campaign has since been dubbed “Operation In(ter)ception” and targeted unsuspecting individuals at European and Middle East aerospace and military companies. The attacks took place from September to December 2019.

Victims of Operation In(ter)ception were sent job offers via a LinkedIn message. The offers claimed to come from a well-known company in a relevant sector. Such companies included Collins Aerospace, a major US supplier of aerospace and defense products and General Dynamics.

The document containing the job offer was a password-protected RAR archive containing an LNK file. Upon opening, a PDF showed salary information related to the job, but the PDF was merely a decoy.

Once the victim opened the PDF, a Command Prompt utility created a scheduled task to execute a remote XSL script. 

The XSL script downloaded base64-encoded payloads and decoded them using certutil, a command-line program used to display certification authority (CA) configuration information, backup and restore CA components and verify certificates. 

Rundll32, used for running 32-bit dynamic-link libraries, would then download and run a PowerShell DLL.

“Based on the job titles of the employees initially targeted via LinkedIn, it appears that Operation In(ter)ception targeted technical and business-related information,” researchers explained. Though, “Neither the malware analysis nor the investigation allowed us to gain insight into what exact file types the attackers were aiming for.”

In an interview with Threat Post, Paul Rockwell, head of trust and safety with LinkedIn, said the creation of fake accounts and participation in fraudulent activity “is a violation of our terms of service.” At this time, accounts associated with Operation In(ter)ception have been permanently restricted.

“We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies,” Rockwell added.

“Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors,” he continued.

While LinkedIn hasn’t found evidence connecting these attacks to a specific threat actor, Rockwell claims similarities in targeting, development and anti-analysis techniques connect Operation In(ter)ception to the Lazarus group. 

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Recommended

Hackers leak data from dark web marketplace
cyber security

Hackers leak data from dark web marketplace

9 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
Hackers sell $38 million in gift cards on Russian marketplace
hacking

Hackers sell $38 million in gift cards on Russian marketplace

7 Apr 2021
Personal data of 533 million Facebook users found on hacking forum
data protection

Personal data of 533 million Facebook users found on hacking forum

5 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021