Looking for a new job is always stressful. Looking for a new job in the middle of a viral pandemic is decidedly more stressful, and to make matters even worse, some total jerks are taking advantage of the situation to sneak malware into the inboxes of desperate job seekers. This week, security firm eSentire published an advisory to warn LinkedIn users of a new phishing attack being used by hackers to infect devices with backdoor Trojans.
The fake job offer scheme was reportedly hatched by a hacking group that goes by the name Golden Chickens, and the fileless backdoor Trojan horse is appropriately named more_eggs. The scheme involves taking the title from a user’s profile, such as Associate Editor, and then sending them a job offer with a zip file titled “Associate Editor position” attached. If you open the file, more_eggs will be installed on your device without any warning. The Trojan is capable of downloading malicious plugins and giving hackers direct access to your system.
It’s certainly a clever scheme, and eSentire reports that the Golden Chickens are selling more_eggs under a malware-as-a-service (MaaS) arrangement to cybercriminals who want to hack unsuspecting job hunters. Once a machine has been infiltrated, hackers can install even more malware, from ransomware to credential stealers.
Rob McLeod, Sr. Director of the Threat Response Unit (TRU) for eSentire, explains the seriousness of the Trojan:
- It uses normal Windows processes to run so it is not going to typically be picked up by anti-virus and automated security solutions so it is quite stealthy.
- Including the target’s job position from LinkedIn in the weaponized job offer increases the odds that the recipient will detonate the malware.
- Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times.
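The lure described above has two traits a mail gateway can score before anyone clicks: a zip attachment whose name is built from the recipient’s own job title, and a sender the recipient has never corresponded with. The following triage heuristic is an added example written for this article, not eSentire’s, LinkedIn’s or Gizmodo’s tooling; the message records, the address-to-title lookup, the known-contact list and the scoring weights are all constructed here for illustration, and only `.zip` is treated as an archive because that is the file type the advisory names.

```python
"""Score inbound messages for the customized job-lure pattern.

Added example, not from the original article. Records are constructed; only
attachment names are inspected, so this flags the lure shape, not its payload.
"""
import re
from dataclasses import dataclass

ARCHIVE_EXTENSIONS = {".zip"}                 # the advisory names zip files only
LURE_SUBJECT_TERMS = ("job offer", "position")  # wording used in the lure
FLAG_THRESHOLD = 3                            # constructed weight; tune locally


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    subject: str
    attachments: tuple  # attachment file names only


def normalize(text: str) -> str:
    """Lower-case and collapse punctuation so 'Associate_Editor' == 'associate editor'."""
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))


def attachment_matches_title(filename: str, job_title: str) -> bool:
    """True when the attachment's name echoes the recipient's own job title."""
    stem = filename.rsplit(".", 1)[0]
    return bool(job_title) and normalize(job_title) in normalize(stem)


def score_message(msg: Message, job_titles: dict, known_contacts: set):
    """Return (score, reasons) for one message; higher means more lure-like."""
    score, reasons = 0, []
    title = job_titles.get(msg.recipient.lower(), "")
    if msg.sender.lower() not in known_contacts:
        score += 1
        reasons.append("first contact from sender")
    if any(term in normalize(msg.subject) for term in LURE_SUBJECT_TERMS):
        score += 1
        reasons.append("employment lure wording in subject")
    for name in msg.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in ARCHIVE_EXTENSIONS:
            score += 1
            reasons.append(f"archive attachment {name}")
            if attachment_matches_title(name, title):
                score += 2
                reasons.append(f"attachment name echoes recipient job title '{title}'")
    return score, reasons


def triage(messages, job_titles, known_contacts):
    """Score every message and mark those at or above FLAG_THRESHOLD."""
    results = []
    for msg in messages:
        score, reasons = score_message(msg, job_titles, known_contacts)
        results.append({"sender": msg.sender, "recipient": msg.recipient,
                        "score": score, "flag": score >= FLAG_THRESHOLD,
                        "reasons": reasons})
    return results


# Constructed sample data: titles as they would appear on a public profile,
# one trusted internal sender, and three inbound messages.
JOB_TITLES = {"alice@example.com": "Associate Editor",
              "bob@example.com": "Staff Accountant"}
KNOWN_CONTACTS = {"payroll@example.com"}
SAMPLE_MESSAGES = (
    Message("recruiter@talent-example.net", "alice@example.com",
            "Job offer: Associate Editor", ("Associate Editor position.zip",)),
    Message("payroll@example.com", "bob@example.com",
            "March pay statement", ("statement-2021-03.pdf",)),
    Message("newsletter@example.org", "alice@example.com",
            "Weekly digest", ("digest.zip",)),
)

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES, JOB_TITLES, KNOWN_CONTACTS):
        status = "FLAG" if row["flag"] else "ok  "
        print(f"{status} {row['score']} {row['sender']} -> {row['recipient']}: "
              f"{'; '.join(row['reasons']) or 'no indicators'}")
```

The job-title match carries the most weight because it is what distinguishes this campaign from generic archive spam; a newsletter with a zip attachment from an unknown sender scores below the threshold, while the customized lure is flagged on name and sender alone, without opening the archive.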
“Since this spearphishing attack was disrupted, the TRU team cannot know with certainty what the end game is for this incident,” the eSentire team explains in the report on its website. “What we do know is that this current activity mirrors an eerily similar campaign which was reported in February 2019, where U.S. retail, entertainment and pharmaceutical companies, which offer online shopping, were targeted. The threat actors went after employees of these companies with fake job offers, cleverly using the job title listed on their LinkedIn profiles, in their communications to the employees. Similar to the current incident, they also used malicious email attachments and if the target clicked on the attachment, they got hit by more_eggs.”
LinkedIn offered Gizmodo the following statement when reached for comment about the attacks:
Millions of people use LinkedIn to search and apply for jobs every day — and when job searching, safety means knowing the recruiter you’re chatting with is who they say they are, that the job you’re excited about is real and authentic, and how to spot fraud. We don’t allow fraudulent activity anywhere on LinkedIn. We use automated and manual defenses to detect and address fake accounts or fraudulent payments. Any accounts or job posts that violate our policies are blocked from the site.
As always, be careful when receiving correspondence of any kind from an unfamiliar source. You might be tempted to open an email or a private message without a second thought when the header is promising you a chance at employment, but now is not the time to let your guard down when it comes to phishing attacks.