Searching for a new job? That LinkedIn job offer may be fake

Threat actors use fake job offers to dupe their victims in this attack

LinkedIn on a mobile device

Threat actors have been found impersonating human resource employees from Collins Aerospace and General Dynamics in a spear-phishing campaign using LinkedIn messaging.

These phoney HR employees sent job seekers fake job offers filled with malicious documents intended to deliver data-exfiltrating malware. 

The campaign has since been dubbed “Operation In(ter)ception” and targeted unsuspecting individuals at European and Middle East aerospace and military companies. The attacks took place from September to December 2019.

Victims of Operation In(ter)ception were sent job offers via a LinkedIn message. The offers claimed to come from a well-known company in a relevant sector. Such companies included Collins Aerospace, a major US supplier of aerospace and defense products and General Dynamics.

Advertisement - Article continues below

The document containing the job offer was a password-protected RAR archive containing an LNK file. Upon opening, a PDF showed salary information related to the job, but the PDF was merely a decoy.

Once the victim opened the PDF, a Command Prompt utility created a scheduled task to execute a remote XSL script. 

The XSL script downloaded base64-encoded payloads and decoded them using certutil, a command-line program used to display certification authority (CA) configuration information, backup and restore CA components and verify certificates. 

Rundll32, used for running 32-bit dynamic-link libraries, would then download and run a PowerShell DLL.

Advertisement - Article continues below

“Based on the job titles of the employees initially targeted via LinkedIn, it appears that Operation In(ter)ception targeted technical and business-related information,” researchers explained. Though, “Neither the malware analysis nor the investigation allowed us to gain insight into what exact file types the attackers were aiming for.”

In an interview with Threat Post, Paul Rockwell, head of trust and safety with LinkedIn, said the creation of fake accounts and participation in fraudulent activity “is a violation of our terms of service.” At this time, accounts associated with Operation In(ter)ception have been permanently restricted.

Advertisement - Article continues below

“We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies,” Rockwell added.

“Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors,” he continued.

While LinkedIn hasn’t found evidence connecting these attacks to a specific threat actor, Rockwell claims similarities in targeting, development and anti-analysis techniques connect Operation In(ter)ception to the Lazarus group. 

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

Best antivirus for Windows 10

30 Jun 2020
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

Is it time to put Intel Outside?

10 Jul 2020