It is even more diabolical that cyber threat actors target job hunters, especially those who are out of work and running behind on their bills. Recently, a sub-set within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns. Lazarus Group, also known by other names such as Guardians of Peace or Whois Team, is a hacker group made up of an unknown number of individuals run by the government of North Korea. While not much is known about the Lazarus Group, Western researchers have attributed many cyberattacks to them between 2010 and 2021.
Researchers at Microsoft attributed the activity to a threat actor it calls Sapphire Sleet, describing it as a "shift in the persistent actor's tactics." Sapphire Sleet, also called APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a track record of orchestrating cryptocurrency theft via social engineering. Recently, investigators linked the threat actor to a new macOS malware family called ObjCShellz, which is assessed to be a late-stage payload delivered in connection with another macOS malware known as RustBucket. "Sapphire Sleet typically finds targets on platforms like LinkedIn and uses lures related to skills assessment," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter). The threat actor then moves successful communications with targets to other platforms. A spokesman said past campaigns mounted by the hacking crew involved sending malicious attachments directly or embedding links to pages hosted on legitimate websites like GitHub.
The quick detection and deletion of these payloads may have forced Sapphire Sleet to flesh out its own network of websites for malware distribution. "Several malicious domains and subdomains host these websites, which entice recruiters to register for an account," the company added. "The websites are password-protected to impede analysis."
While LinkedIn may be a hub of the business world, the platform's profile validation and identity protection features are lackluster. Fake job listings are created each day, tricking unsuspecting users into sharing information and potentially spending thousands of dollars on technology that will be shipped (and stolen). Here is a step-by-step process of how scammers are leveraging LinkedIn:
- A Fake Job Listing is Created: LinkedIn allows any user, regardless of the age of the account or its previous activity, to post a job as any company. Anyone with an internet connection and an email address can sign up for a LinkedIn account and post a job from Microsoft, Google, or Facebook. LinkedIn's structure then links these entirely false job listings to the targeted company's official LinkedIn page, a security oversight that the company has been aware of for years but has taken no action to remedy.
- Fake Profiles of Real Team Members are Created: The scammers then create false lookalike profiles on social media platforms and messaging services by downloading public profile pictures of the targeted company's team members, spoofing their job titles and personal descriptions to fool anyone that is not deeply familiar with the company.
- Scammers Steal Applicant Data and Technology: Once the scammers have someone "hooked" with a fake job offer, they either email the applicant or start a chat on an encrypted messaging platform like Wire, telling the applicant to purchase high-end electronics like smartphones, tablets, and laptops for which they will then be reimbursed. Before reimbursement, the applicant must send in their devices to be "preloaded with software." That is when all communication with the fake company representatives disappears, with these bad actors getting away with a collection of pricey technology and moving on to their next victim.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings