
North Korean Hackers Target Crypto Users with Phony Job Offers


In an effort to commit cryptocurrency heists, North Korean hackers are exhibiting a "startup mentality," according to a report released on Wednesday by cybersecurity company Proofpoint. 

The Sunnyvale, California-based company said that in December a group it tracks as TA444, which resembles the notorious Lazarus hacking gang, unleashed a massive wave of phishing attacks against the banking, education, government, and healthcare sectors in the United States and Canada. 

The group's emails adopted strategies that were distinct from the methods researchers had previously connected them with, such as attempts to obtain users' passwords and login information. 

According to the study, "this extensive credential harvesting operation is a variation from standard TA444 activities, which normally include the direct deployment of malware." 

The hackers crafted lures such as job offers and salary adjustments to entice targets, and used email marketing tools to slip past anti-phishing defenses. They also used the social networking site LinkedIn to communicate with victims before sending them links to malware, the report adds. 

According to Proofpoint, the spam wave in December nearly doubled the number of emails the group sent over the whole year.

TA444 has a "startup attitude," according to Greg Lesnewich, senior threat researcher at Proofpoint, and is "trying a variety of infection chains to help grow its revenue streams." 

He said that the threat actor "embraces social media as part of their M.O. and quickly ideates new attack tactics." By bringing in movable money, TA444 "leads North Korea's cashflow generation for the leadership." 

North Korea, which is still subject to strict international sanctions, has grown more dependent on cybercrime to fund its illegal weapons programme. 

The astonishing heist of more than $600 million in bitcoin from an online video game network in March was perpetrated by a group with ties to Pyongyang, according to the FBI. 

On Monday, the FBI also declared that the Lazarus Group was in charge of a $100 million theft from Horizon Bridge, a cryptocurrency transfer service run by the American Harmony blockchain, in June. North Korea has stolen bitcoin assets worth $1.2 billion worldwide since 2017, with the majority of that value coming in 2022, as per South Korea's National Intelligence Service, which made the revelation last month. 

The spy service forewarned that Pyongyang was likely to speed up its efforts this year to obtain vital defence and intelligence technology from the South.

North Korean Hackers Create Fake Job Offers to Target Industry Professionals Worldwide


ZINC, a sub-division of the notorious North Korean Lazarus hacking group, has been weaponizing open-source software with custom malware capable of data theft, espionage, financial gain and network disruption since June 2022. 

According to Microsoft threat analysts who unearthed a new phishing campaign, the malicious hackers have weaponized a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installers to launch malware attacks against organizations in the aerospace, media, IT services, and defense sectors. 

Hackers exploiting social media platforms 

The next time you receive a message on LinkedIn, read it twice. Microsoft warns that the APT group has been actively using open-source software infected with trojans to target industry professionals located in India, Russia, the UK, and the USA. 

The hackers pose as job recruiters and connect with individuals at targeted organizations over LinkedIn. Once the victims are persuaded to move the conversation from LinkedIn to WhatsApp, which provides encrypted communication, the hackers move on to the next step. During the WhatsApp conversation, the targets receive malicious software that allows ZINC to install malware on their systems. 

LinkedIn's threat prevention and defense team confirmed spotting bogus profiles created by North Korean hackers that mimic recruiters at prominent media, defense, and tech firms. It is worth noting that LinkedIn has been owned by Microsoft Corporation since 2016. 

Attacking methodology 

According to a joint blog post by Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense, the malicious KiTTY and PuTTY applications employ a sophisticated technique to ensure that only selected targets are compromised with malware and not others. 

To achieve this, the trojanized installers do not drop malware outright: the payload is installed only when the app connects to a specific IP address using the login credentials that the fake recruiters gave the targets. The malicious actors also employ DLL search order hijacking to install and decrypt a second-stage payload, which runs when the key '0CE1241A44557AA438F27BC6D4ACA246' is presented for command and control.

Microsoft has published the full list of IoCs (indicators of compromise) discovered during its investigation in the blog post and is urging the cybersecurity community to remain vigilant, given the campaign's broad reach and its abuse of legitimate software products. 

"Zinc attacks appear to be motivated by traditional cyberespionage, theft of personal and corporate data, financial gain, and corporate network destruction," the company stated. "Zinc attacks bear many hallmarks of state-sponsored activities, such as heightened operational security, sophisticated malware that evolves over time, and politically motivated targeting."

Scammers are Using Fake Job Listings to Steal Applicants' Identities


Job hunting during a pandemic has proven to be much harder than in normal times. Threat actors are using phony job advertisements to steal your identity and use it to commit fraud. 

One of the methods scammers use to tempt people is advertising unusually generous pay. One such example is an airport shuttle driver vacancy in which scammers offer a job that involves picking up passengers for 35 hours a week at an appealing weekly pay rate that works out to more than $100,000 a year. 

But in reality, airports aren't really offering six-figure salaries for shuttle drivers. Instead, the fake ads are scammers’ latest attempt to steal people’s identities and use them to commit fraud, according to recent warnings from the FBI, the Federal Trade Commission, and cybersecurity firms that monitor such cyber frauds. 

The U.S. Secret Service, which is responsible for investigating financial crimes, also acknowledged that it has noticed a "marked increase" in phony job ads seeking to steal people's personal data, often with the aim of filing fake unemployment insurance claims.

“These fraudsters, they’re like a virus. They continue to mutate. This particular mutation is an emerging threat,” said Haywood Talcove, chief executive of the government division of LexisNexis Risk Solutions. 

Earlier this year in March, LexisNexis discovered around 2,900 ads offering unusually generous pay, using suspicious email domains and requiring that one verify one’s identity upfront. The total of these fake job scams surged to 18,400 by July, and then to 36,350 as of this month. Talcove said these figures are based on a small sample of job ads and that the real number is likely much higher.

According to the U.S. Department of Labor, nearly 2.9% of all workers in America quit their jobs in August, an all-time high. Meanwhile, huge numbers of laid-off workers are still seeking work, making for historic churn in the labor market. In 2020, the FBI's Internet Crime Complaint Center data showed 16,012 people were victims of employment scams. 

Some scammers recreate companies’ hiring websites to trick people. One such fake job application site uses Spirit Airlines’ photos, text, font, and color code. The fake site asks applicants to upload a copy of both sides of their driver’s license at the outset of the process and sends them an email seeking more information from a web address that resembles Spirit’s, with an extra “i” (spiiritairline.com). 

Last week, the FBI issued an alert regarding phony websites that scammers design to resemble the state unemployment websites of Illinois, Maryland, Nevada, New Mexico, and Wisconsin. Fraudsters use the sites to steal victims’ private details, according to the FBI. 

To mitigate the risks, the FBI recommends that people search for the company by its name only. If multiple websites with similar names pop up, that may suggest the job listing is fake. Also, companies typically ask for bank account information after hiring applicants, not before. The FBI also urges people never to provide bank details to an employer and to reveal personal details only after verifying the firm's identity.
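The lookalike domain in the Spirit Airlines case (an extra "i" in spiiritairline.com) and the FBI's "similar names" check above can both be automated. The following is an added example, not code from the original post: it scores a hostname against a constructed brand list using edit distance and brand-embedding checks. The allow-listed legitimate domain spiritairlines.com and the sample hostnames are assumptions made for illustration.

```python
import re

# Constructed allow-list of brands worth protecting; the legitimate domain
# is assumed here for illustration, not taken from the post.
KNOWN_BRANDS = {"spiritairlines": "spiritairlines.com"}


def registrable_label(hostname: str) -> str:
    """Second-level label, lower-cased, non-alphanumerics removed:
    'careers.Spirit-Airlines.com' -> 'spiritairlines'."""
    labels = hostname.lower().strip().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return re.sub(r"[^a-z0-9]", "", sld)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), two-row iterative version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str) -> dict:
    """Return verdict 'legitimate', 'lookalike' or 'unrelated', plus the
    closest brand and the edit distance from the label to that brand."""
    host = hostname.lower().strip().rstrip(".")
    label = registrable_label(host)
    best = {"verdict": "unrelated", "brand": None, "distance": None}
    for brand, legit in KNOWN_BRANDS.items():
        # The exact domain or a subdomain of it is the real thing. A bare
        # endswith() would wrongly accept 'evilspiritairlines.com'.
        if host == legit or host.endswith("." + legit):
            return {"verdict": "legitimate", "brand": brand, "distance": 0}
        dist = levenshtein(label, brand)
        # Tolerate about one edit per six brand characters (2 for 'spiritairlines'),
        # and flag the brand embedded in a longer label ('spiritairlinesjobs').
        close = dist <= max(1, len(brand) // 6) or (brand in label and label != brand)
        if close and (best["distance"] is None or dist < best["distance"]):
            best = {"verdict": "lookalike", "brand": brand, "distance": dist}
    return best


if __name__ == "__main__":
    for h in ["spiiritairline.com", "careers.spiritairlines.com",
              "spirit-airlines-jobs.com", "example.org"]:
        print(h, classify(h))
```

A hostname on a different TLD (spiritairlines.net) has distance 0 to the brand label but is still reported as a lookalike because it is not on the allow-list.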