We have been tracking an organized spear-phishing attack occurring on LinkedIn since early October 2015. Since many of my contacts weren’t aware, I decided to publish this quick post.
This is a simple attack where a “bad actor” creates a fake LinkedIn page with actual connections. Pretending to be a recruiter, they encourage applicants to visit a special CV submission page, which infects the applicant’s computer with malware.
- Always be wary of new connections on LinkedIn offering something interesting. Just because you have common connections doesn’t mean they are real or trustworthy.
- When applying for a job, always visit the company website directly by entering the URL yourself (not clicking on a link) and visit the careers section.
- Be careful and don’t be too trusting on the internet.
In the past, scammers had incomplete profiles with major language issues. In this attack, it seems the profiles are complete with full (fake) job history, education and even LinkedIn group memberships.
A quick analysis of a handful of these profiles reveals much of the content is stolen from valid pages. Images are stolen from the internet. Career summaries are stolen from valid LinkedIn users. Job history is stolen from actual job postings.
A series of these profiles is created and used to endorse each other, making these profiles look authentic and trustworthy.
Interestingly, this attack seems to match activity discovered by Cylance in December 2014 and described in a report called Operation Cleaver.
The Cylance report lists domains being faked and we see some of those re-used in this attack. Domains include:
To be clear, there are other domains being used, but these are examples of domains seen in both the Cylance attack and the newer one.
The moral of the story is be careful. Treat your CV and personal information as valuable assets and protect them. Don't blindly trust anyone on the internet regardless of how "connected" they seem to be to your network. Don't trust endorsements.