A series of phishing campaigns are targeting companies in various industries with phony job offers using direct messages on LinkedIn, according to researchers at Proofpoint. The attacker initially makes contact by sending an invitation to the target on LinkedIn with a short message regarding a job opportunity.
Within a week after the target accepts the invitation, the attacker will send a follow-up email with either a link or a PDF attachment that contains embedded URLs. These links take the target to a spoofed version of a real staffing service, which forces the download of either a Word document or a JScript loader. This document or loader will result in the installation of a JScript backdoor known as “More_eggs.”
More_eggs can be used as a downloader for additional malware, but it also has substantial information-gathering capabilities. It’s previously been used by Cobalt Group, a threat actor that primarily goes after financial organizations, although the Proofpoint researchers don’t attribute this campaign to any specific group.
They do, however, believe the actor behind this campaign may be the same one responsible for another phishing campaign revealed earlier this month by Brian Krebs, which targeted Bank Secrecy Act officers at a number of financial institutions.
Despite differences in targeting and the malware used, that campaign used similar PDF attachments which, at one point, contained URLs hosted on the same domain as the one used in the phony jobs campaign.
LinkedIn is one of the most popular platforms for phishing and spear phishing attacks, because users expect to receive unsolicited messages from people they don’t know. New-school security awareness training can teach your employees how to determine if a contact should be avoided and, above all, never to click on links or attachments unless they’re absolutely certain of their legitimacy.
Free Phish Alert Button
Do your users know what to do when they receive a phishing email? KnowBe4's Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click! Phish Alert benefits:
- Reinforces your organization’s security culture
- Users can report suspicious emails with just one click
- Incident Response gets early phishing alerts from users, creating a network of “sensors”
- Email is deleted from the user's inbox to prevent future exposure
- Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)
Don't like to click on redirected links? Cut & Paste this link in your browser: