Pyongyang's Phishing with Job Offers

An attack campaign with possible ties to North Korea’s Lazarus Group targeted aerospace and military companies in Europe and the Middle East with spear phishing attacks late last year, according to researchers at ESET. The campaign, which the researchers call “Operation In(ter)ception,” used social engineering attacks on LinkedIn to trick employees into opening malware-laden documents.

“To initiate contact, they approached the targets with fictitious job offers using LinkedIn’s messaging feature,” the researchers write. “In order to appear credible, the attackers posed as representatives of well-known, existing companies in the aerospace and defense industry. For each of the targeted companies we investigated, the attackers had created a separate fake LinkedIn account: one impersonating an HR manager from Collins Aerospace (formerly Rockwell Collins), a major US supplier of aerospace and defense products; the other posing as an HR representative of General Dynamics, another large US-based corporation with a similar focus.”

Interestingly, while the attackers’ primary goal was espionage, ESET observed one case in which the attackers used a victim’s email account in an attempt to conduct a business email compromise (BEC) scam. While BEC attacks are usually associated with criminals rather than state-sponsored groups, North Korean cyber actors often conduct financially motivated attacks to generate revenue for their heavily sanctioned regime.

“Among the victim’s emails, the attackers found communication between the victim and a customer regarding an unresolved invoice,” the researchers explain. “They followed up the conversation and urged the customer to pay the invoice, however, to a different bank account than previously agreed, to which the customer responded with some inquiries. As part of this ruse, the attackers registered an identical domain name to that of the compromised company, but on a different top-level domain, and used an email associated with this fake domain for further communication with the targeted customer. The attackers did not respond to the customer’s inquiries and continued to urge them to pay. Instead of paying the invoice, however, the targeted customer reached out to the correct email address of the victim for assistance, thwarting the attackers’ attempt. The victim recognized something was amiss and reported the communication as an incident.”
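The lookalike-domain trick in that account (same registrable name, different top-level domain) is easy to check for mechanically at the point where invoices are processed. The following is an added example, not code from the ESET report or from KnowBe4; the partner domain list, the sample messages and the `REDIRECT_HINTS` phrases are constructed for illustration.

```python
"""Flag invoice mail whose sender domain mirrors a known partner's name on a
different TLD, or asks a known partner's recipient to change payment details."""
import re
from email.utils import parseaddr

# Constructed: domains this organisation legitimately receives invoices from.
KNOWN_PARTNER_DOMAINS = {"example-aero.com"}

# Constructed phrases that commonly accompany a payment-redirection request.
REDIRECT_HINTS = re.compile(
    r"\b(new|updated|different) (bank|account|payment) (details?|account)\b"
    r"|\bpay(ment)? to (the )?(new|following|different) account\b", re.I)

def registrable(domain):
    """Split 'sub.example-aero.com' into ('example-aero', 'com').
    Simplified: the last label is treated as the TLD, so two-level public
    suffixes such as co.uk are not handled (a public-suffix list would be)."""
    labels = domain.lower().strip().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else None

def classify_sender(from_header, known=KNOWN_PARTNER_DOMAINS):
    """Return 'known', 'tld-lookalike', 'unrelated' or 'invalid' for a From: header."""
    _, addr = parseaddr(from_header)
    parts = registrable(addr.rsplit("@", 1)[1]) if "@" in addr else None
    if parts is None:
        return "invalid"
    name, tld = parts
    known_names = {}
    for d in known:
        p = registrable(d)
        if p:
            known_names.setdefault(p[0], set()).add(p[1])
    if name not in known_names:
        return "unrelated"
    return "known" if tld in known_names[name] else "tld-lookalike"

def review(messages):
    """Return (index, reason) for messages that deserve a second look before paying."""
    findings = []
    for i, msg in enumerate(messages):
        verdict = classify_sender(msg["from"])
        if verdict == "tld-lookalike":
            findings.append((i, "sender domain is a TLD lookalike of a known partner"))
        elif verdict == "known" and REDIRECT_HINTS.search(msg["body"]):
            findings.append((i, "known partner asks to change payment details; verify out of band"))
    return findings

# Constructed sample messages modelled on the incident described above.
SAMPLE_MESSAGES = [
    {"from": "Accounts <billing@example-aero.com>", "body": "Attached is the invoice for March."},
    {"from": "Accounts <billing@example-aero.net>", "body": "Overdue. Please pay to the following account."},
    {"from": "Accounts <billing@example-aero.com>", "body": "We have new bank details for future payments."},
]
```

Run `review(SAMPLE_MESSAGES)` to see that the `.net` lookalike and the in-domain bank-change request are flagged while the plain invoice is not; a hit is a prompt to confirm by phone with a known contact, not proof of fraud.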

Sometimes it’s espionage, and sometimes it’s fraud. Recognizing the motive can help you recognize the attack. New-school security awareness training can provide your employees with the knowledge they need to thwart targeted social engineering attacks.

ESET has the story:
