With unemployment at formidable levels and the economy doing weird, covid-related reversals, I think we can all agree that the job hunt is a pretty hard slog right now. Amidst all that, you know what workers really don’t need? A LinkedIn inbox full of malware. Yeah, they don’t need that at all.
Nevertheless, that is apparently what some may be getting, thanks to one group of cyber-assholes.
Security firm eSentire recently published a report detailing how hackers connected to a group dubbed “Golden Chickens” (I’m not sure who came up with that one) have been waging a malicious campaign that preys on job-seekers’ desire for the perfect position.
These campaigns involve tricking unsuspecting business professionals into clicking on job offers that are titled the same thing as their current position. A message, slid into a victim’s DMs, baits them with an “offer” that is really rigged with a spring-loaded .zip file. Inside that .zip is a fileless malware called “more_eggs” that can help hijack a targeted device. Researchers break down how the attack works:
…If the LinkedIn member’s job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the “position” added to the end). Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs.
G/O Media may get a commission
Whoever they are, the “Chickens” probably aren’t conducting these attacks themselves. Instead, they are pedaling what would be classified Malware-as-a-service (MaaS)—which means that other cybercriminals purchase the malware from them in order to conduct their own hacking campaigns. The report notes that it is unclear who exactly is behind the recent campaign.
A backdoor trojan like “more_eggs” is basically a program that allows other, more destructive kinds of malware to be loaded into the system of a device or computer. Once a criminal has used the trojan to gain a toehold into a victim’s system, they can then deploy other stuff like ransomware, banking malware, or credential stealers, to wreak more extensive havoc on their victim.
Rob McLeod, Sr. Director of the Threat Response Unit (TRU) for eSentire, called the activity “particularly worrisome” given how the compromise attempts could pose a “formidable threat to businesses and business professionals.”
“Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times,” McLeod said.
We reached out to LinkedIn to see what their take on this whole situation is and will update this story if they reply. Considering that employers don’t usually just offer you a job, you would think this campaign wouldn’t be too hard to avoid. Yet people click on random stuff on the internet all the time—usually out of curiosity, if nothing else. Suffice it to say, if you get a job offer that seems too good to be true, probably best to steer clear.
UPDATE, 9:12 p.m. When reached by email, a LinkedIn spokesperson provided the following statement:
“Millions of people use LinkedIn to search and apply for jobs every day — and when job searching, safety means knowing the recruiter you’re chatting with is who they say they are, that the job you’re excited about is real and authentic, and how to spot fraud. We don’t allow fraudulent activity anywhere on LinkedIn. We use automated and manual defenses to detect and address fake accounts or fraudulent payments. Any accounts or job posts that violate our policies are blocked from the site.”