Searching for a new job? That LinkedIn job offer may be fake

Threat actors use fake job offers to dupe their victims in this attack

LinkedIn on a mobile device

Threat actors have been found impersonating human resource employees from Collins Aerospace and General Dynamics in a spear-phishing campaign using LinkedIn messaging.

These phoney HR employees sent job seekers fake job offers filled with malicious documents intended to deliver data-exfiltrating malware. 

The campaign has since been dubbed “Operation In(ter)ception” and targeted unsuspecting individuals at European and Middle East aerospace and military companies. The attacks took place from September to December 2019.

Victims of Operation In(ter)ception were sent job offers via a LinkedIn message. The offers claimed to come from a well-known company in a relevant sector. Such companies included Collins Aerospace, a major US supplier of aerospace and defense products and General Dynamics.

The document containing the job offer was a password-protected RAR archive containing an LNK file. Upon opening, a PDF showed salary information related to the job, but the PDF was merely a decoy.

Once the victim opened the PDF, a Command Prompt utility created a scheduled task to execute a remote XSL script. 

The XSL script downloaded base64-encoded payloads and decoded them using certutil, a command-line program used to display certification authority (CA) configuration information, backup and restore CA components and verify certificates. 

Rundll32, used for running 32-bit dynamic-link libraries, would then download and run a PowerShell DLL.

“Based on the job titles of the employees initially targeted via LinkedIn, it appears that Operation In(ter)ception targeted technical and business-related information,” researchers explained. Though, “Neither the malware analysis nor the investigation allowed us to gain insight into what exact file types the attackers were aiming for.”

In an interview with Threat Post, Paul Rockwell, head of trust and safety with LinkedIn, said the creation of fake accounts and participation in fraudulent activity “is a violation of our terms of service.” At this time, accounts associated with Operation In(ter)ception have been permanently restricted.

“We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies,” Rockwell added.

“Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors,” he continued.

While LinkedIn hasn’t found evidence connecting these attacks to a specific threat actor, Rockwell claims similarities in targeting, development and anti-analysis techniques connect Operation In(ter)ception to the Lazarus group. 

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

RATDispenser evades nine in ten anti-virus engines
Security

RATDispenser evades nine in ten anti-virus engines

24 Nov 2021
Hackers use Linux backdoor on compromised e-commerce sites with software skimmer
malware

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer

19 Nov 2021
Iranian hackers ramp up attacks against IT services sector
hacking

Iranian hackers ramp up attacks against IT services sector

19 Nov 2021
TikTok phishing campaign tried to scam over 125 influencer accounts
social media

TikTok phishing campaign tried to scam over 125 influencer accounts

18 Nov 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022