LinkedIn Job Candidates Targeted by Malware
Those using LinkedIn for job searches should beware of a new malware attack. The initial point of contact is a LinkedIn direct message, which comes in the form of a job offer that is similar to the recipient’s current job. Follow-up emails are frequently sent to the recipient’s work email address in hopes of infecting a work computer. The malware campaign deploys More_eggs malware and targets professionals looking for new careers.
LinkedIn is used to deliver phishing emails containing fake jobs. Patient hackers impersonating headhunters send a series of direct messages via legitimate-looking LinkedIn profiles. The emails establish trust and build up data for a spear phishing attack. The ultimate goal, however, is to deliver malware to the reader’s device.
LinkedIn is an online treasure trove of personal data. Job seekers are vulnerable: they are likely to have every relevant bit of information about themselves in clear view of the public, giving them the best chance of being found in searches. The valuable data includes public-facing contact information. Given a working email address and contact phone number, hackers can farm quite a bit more information about a candidate by connecting it with profiles from other social media sites and public records.
The malware campaign pushes fake job offers using LinkedIn direct messages and emails. Trust is established over multiple interactions while the information needed to build a spear phishing attack vector is collected about the job seeker. During this phase, the hacker can glean more information about the job candidate, like a personal email address and physical address. The hacker impersonates a representative of a staffing company and sometimes directs the job candidate to a spoofed website. In other variations, the hacker sends a direct message or email with malicious attachments. The imposter website hosts malware downloader capabilities and attempts to compromise the reader’s device.
What is More_eggs?
More_eggs is a JScript downloader and malware. It has capabilities to gather files and data from the infected machine. In this cyber security attack, More_eggs is used along with VenomKit malware and Taurus Builder.
What is a Spear Phishing Attack?
You may be familiar with the term phishing attack. Spear phishing is the same type of attack, but it is a more refined version that is generally delivered to smaller groups of victims. A phishing attack is any type of cyber attack, typically an email campaign, that is used to gather information from the recipient. Spear phishing attacks are targeted directly at a known recipient. The contact details may have come from scraping data from social media profiles, employer email addresses, or tax data. Spear phishing and phishing scams work the same way. In both cases the goal is to acquire credit card and financial information. In the case of spear phishing, more information about the recipient is already collected prior to the commencement of the attack.
How More_eggs Malware Works
More_eggs malware delivery has variations to throw off victims and security experts. Contact with the target victim begins with a direct message from a LinkedIn profile. The initial message is the standard, default LinkedIn connection request, “Hi [Name], please add me to your professional network” or another short message. A follow-up email may be sent a few days later to the recipient’s work email, reminding them of the interaction and offer. The email may be harmless, without a malicious attachment or link. Alternatively, it may contain an MS Word or .pdf attachment or simply links to a spoofed website. Opening either one can launch the malware downloader and begin the infection. The intention is to get the malware onto a work computer.
In other variations, the hacker attempts to lure the reader into downloading a malicious Microsoft Word file or a .pdf attachment. If the target has macros enabled and opens the Word document, More_eggs malware is downloaded and executed on the victim’s machine. The .pdf attachment contains links to the spoofed website, which will also initiate a More_eggs malware download.
Taurus Builder, VenomKit, and More_eggs are all used to deploy malware in this attack.
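For mail administrators, the two attachment types described above can be flagged before a recipient opens them. The following is an added example, not code from the campaign or from any product: it marks Word packages that carry a VBA macro project, legacy Office containers, and .pdf files with embedded links. The function name, sample files and staffing.example URL are constructed for illustration, and the .pdf check only sees links stored uncompressed.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)  # PDF link actions, uncompressed only


def triage_attachment(data: bytes) -> dict:
    """Return {'kind': ..., 'flags': [...], 'urls': [...]} for one attachment."""
    result = {"kind": "other", "flags": [], "urls": []}
    if data.startswith(OLE_MAGIC):
        # Legacy Office files can embed VBA; deeper parsing needs an OLE parser.
        result["kind"] = "ole"
        result["flags"].append("legacy-office-container")
    elif data.startswith(b"PK") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
        if any(n.startswith("word/") for n in names):
            result["kind"] = "ooxml-word"
            # A VBA project is stored as vbaProject.bin inside the package.
            if any(n.endswith("vbaproject.bin") for n in names):
                result["flags"].append("contains-vba-macros")
    elif data.lstrip().startswith(b"%PDF-"):
        result["kind"] = "pdf"
        result["urls"] = [m.decode("latin-1") for m in URI_RE.findall(data)]
        if result["urls"]:
            result["flags"].append("contains-links")
    return result


def _make_docx(with_macro: bool) -> bytes:
    """Build a constructed, minimal Word-like package for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


# Constructed samples: not real documents, only enough structure for the checks.
SAMPLES = {
    "offer.docm": _make_docx(True),
    "resume.docx": _make_docx(False),
    "job.pdf": b"%PDF-1.4\n1 0 obj<</A<</S/URI/URI(https://staffing.example/apply)>>>>endobj\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage_attachment(blob))
```

A flag here is a reason to quarantine or review the message, not proof of infection; plenty of legitimate documents contain macros or links.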