Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Linkedin. Show all posts
X
Apple lazarus Linkedin macOS malware Microsoft X

Lazarus Gang Targets Job Seekers to Install Malware

Lazarus Gang Targets Job Seekers to Install Malware

North Korean hackers responsible for Contagious Interview are trapping job seekers in the cryptocurrency sector by using the popular ClickFix social-engineering attack strategy. They aimed to deploy a Go-based backdoor— earlier undocumented— known as GolangGhost on Windows and macOS systems. 

Hackers lure job seekers

The latest attack, potentially a part of a larger campaign, goes by the codename ClickFake Interview, according to French cybersecurity company Sekoia. Aka DeceptiveDeployment, DEV#POPPER, and Famoys Chollima; Contagious Interview has been active since December 2022, however, it was publicly reported only after late 2023. 

The attack uses legitimate job interview sites to promote the ClickFix tactic and deploy Windows and MacOS backdoors, said Sekoia experts Amaury G., Coline Chavane, and Felix Aimé, attributing the attack to the notorious Lazarus Group. 

Lazarus involved

One major highlight of the campaign is that it mainly attacks centralized finance businesses by mimicking firms like Kraken, Circle BlockFi, Coinbase, KuCoin, Robinhood, Tether, and Bybit. Traditionally, Lazarus targeted decentralized finance (DeFi) entities. 

Attack tactic explained

Like Operation Dream Job, Contagious Interview also uses fake job offers as traps to lure potential victims and trick them into downloading malware to steal sensitive data and cryptocurrency. The victims are approached via LinkedIn or X to schedule a video interview and asked to download malware-laced video conference software that triggers the infection process. 

Finding of Lazarus ClickFix attack

Security expert Tayloar Monahan first reported the Lazarus Group’s use of ClickFix in late 2022, saying the attack chains led to the installment of a malware strain called FERRET that delivered the Golang backdoor. In this malware campaign, the victims are prompted to use a video interview, ‘Willow,’ and do a sell video assessment. 

The whole process is carefully built to gain users and “proceeds smoothly until the user is asked to enable their camera,” Sekoia said. At this stage, an “error message appears, indicating that the user needs to download a driver to fix the issue. This is where the operator employs the ClickFix technique," adds Sekoia. 

Different attack tactics for Windows and MacOS users

The prompts given to victims may vary depending on the OS. For Windows, victims are asked to open the Command Prompt and run a curl command to perform a Visual Basic Script (VBS) file to launch a basic script to run GolanGhost. MacOS victims are prompted to open the Terminal app and perform a curl command to run a malicious shell script, which then runs another shell script that runs a stealer module called FROSTYFERRET—aka ChromwUpdateAlert— and the backdoor. 

Read more »
X
AI Algorithm Chatbot copyright Data FTC Grok Linkedin personalization Privacy Snapchat Social Media Technology training user content X

Social Media Content Fueling AI: How Platforms Are Using Your Data for Training

 

OpenAI has admitted that developing ChatGPT would not have been feasible without the use of copyrighted content to train its algorithms. It is widely known that artificial intelligence (AI) systems heavily rely on social media content for their development. In fact, AI has become an essential tool for many social media platforms.

For instance, LinkedIn is now using its users’ resumes to fine-tune its AI models, while Snapchat has indicated that if users engage with certain AI features, their content might appear in advertisements. Despite this, many users remain unaware that their social media posts and photos are being used to train AI systems.

Social Media: A Prime Resource for AI Training

AI companies aim to make their models as natural and conversational as possible, with social media serving as an ideal training ground. The content generated by users on these platforms offers an extensive and varied source of human interaction. Social media posts reflect everyday speech and provide up-to-date information on global events, which is vital for producing reliable AI systems.

However, it's important to recognize that AI companies are utilizing user-generated content for free. Your vacation pictures, birthday selfies, and personal posts are being exploited for profit. While users can opt out of certain services, the process varies across platforms, and there is no assurance that your content will be fully protected, as third parties may still have access to it.

How Social Platforms Are Using Your Data

Recently, the United States Federal Trade Commission (FTC) revealed that social media platforms are not effectively regulating how they use user data. Major platforms have been found to use personal data for AI training purposes without proper oversight.

For example, LinkedIn has stated that user content can be utilized by the platform or its partners, though they aim to redact or remove personal details from AI training data sets. Users can opt out by navigating to their "Settings and Privacy" under the "Data Privacy" section. However, opting out won’t affect data already collected.

Similarly, the platform formerly known as Twitter, now X, has been using user posts to train its chatbot, Grok. Elon Musk’s social media company has confirmed that its AI startup, xAI, leverages content from X users and their interactions with Grok to enhance the chatbot’s ability to deliver “accurate, relevant, and engaging” responses. The goal is to give the bot a more human-like sense of humor and wit.

To opt out of this, users need to visit the "Data Sharing and Personalization" tab in the "Privacy and Safety" settings. Under the “Grok” section, they can uncheck the box that permits the platform to use their data for AI purposes.

Regardless of the platform, users need to stay vigilant about how their online content may be repurposed by AI companies for training. Always review your privacy settings to ensure you’re informed and protected from unintended data usage by AI technologies
Read more »
North Korea Hackers
cyber attack Financial Exploit Laundering Lazarus Group Linkedin North Korea Hackers

North Korean Hackers Exploit LinkedIn in Targeted Attacks

 


The North Korean hacker group Lazarus has once again made headlines, this time for exploiting LinkedIn in their cyber operations. According to a report by blockchain security analytics firm SlowMist, Lazarus hackers are leveraging the professional networking platform to target unsuspecting users and pilfer their assets through malware attacks.


LinkedIn Used as a Trojan Horse

This involves Lazarus members masquerading as blockchain developers seeking employment opportunities in the cryptocurrency industry. By posing as job seekers, they lure in vulnerable targets, enticing them to share access to their code repositories under the guise of collaborative work. However, the innocuous-seeming code snippets provided by the hackers contain malicious elements designed to syphon off confidential information and assets from the victims' systems.


History of Innovation in Cybercrime

This tactic isn't new for Lazarus, as they previously employed a similar strategy in December 2023, posing as recruiters from Meta. Back then, they convinced victims to download malware-infected coding challenges, which, when executed, granted remote access to their computers.


Lazarus: A Cyber Threat

Lazarus has earned a notorious reputation in the cybersecurity realm since its emergence in 2009. The group is infamous for orchestrating some of the largest cryptocurrency heists, including the 2022 Ronin Bridge hack, which saw a staggering $625 million being stolen.


Laundering Techniques

Once they've plundered their ill-gotten gains, Lazarus employs sophisticated techniques, such as crypto mixing services, to launder the funds back to North Korea. Reports suggest these funds are funnelled into financing the country's military endeavors.


Industry Response and Countermeasures

In response to persistent cyber threats, crypto companies are advocating for heightened security measures and conducting awareness seminars to educate employees about potential risks. The industry's proactive stance has led to the implementation of robust security protocols and increased investment in cybersecurity to safeguard against data breaches and financial theft.


The recent exploits by Lazarus serve as a stark reminder of the ever-present dangers lurking in the digital realm. As cyber threats continue to expand, it's imperative for individuals and organisations alike to remain careful and adopt proactive measures to mitigate risks and be digitally secured.


By staying informed and proactive, investors, traders, and social media users can collectively work towards thwarting cyber threats and safeguarding digital assets in an increasingly interconnected world.


Read more »
Social Media
Data Breach data security Linkedin MOAB Social Media

The “Mother of All Breaches”: Implications for Businesses


In the vast digital landscape, data breaches have become an unfortunate reality. However, some breaches stand out as monumental, and the recent discovery of the “mother of all breaches” (MOAB) is one such instance. Let’s delve into the details of this massive security incident and explore its implications for businesses.

The MOAB Unveiled

At the beginning of this year, cybersecurity researchers stumbled upon a staggering dataset containing 26 billion leaked entries. This treasure trove of compromised information includes data from prominent platforms like LinkedIn, Twitter.com, Tencent, Dropbox, Adobe, Canva, and Telegram. But the impact didn’t stop there; government agencies in the U.S., Brazil, Germany, the Philippines, and Turkey were also affected.

The MOAB isn’t your typical data breach—it’s a 12-terabyte behemoth that cybercriminals can wield as a powerful weapon. Here’s why it’s a game-changer:

Identity Theft Arsenal: The stolen personal data within this dataset provides threat actors with a comprehensive toolkit. From email addresses and passwords to sensitive financial information, it’s a goldmine for orchestrating identity theft and other malicious activities.

Global Reach: The MOAB’s reach extends across borders. Organizations worldwide are at risk, and the breach’s sheer scale means that no industry or sector is immune.

Implications for Businesses

As business leaders, it’s crucial to understand the implications of the MOAB and take proactive measures to safeguard your organization:

1. Continual Threat Landscape

The MOAB isn’t a one-time event—it’s an ongoing threat. Businesses must adopt a continuous monitoring approach to detect any signs of compromise. Here’s what to watch out for:

  • Uncommon Access Scenarios: Keep an eye on access logs. Sudden spikes in requests or unfamiliar IP addresses could indicate unauthorized entry. Logins during odd hours may also raise suspicion.
  • Suspicious Account Activity: Scammers might attempt to take over compromised accounts. Look for unexpected changes in user privileges, irregular login times, and frequent location shifts.
  • Phishing Surge: Breaches like the MOAB create fertile ground for phishing attacks. Educate employees and customers about recognizing phishing scams.

2. Infrastructure Vigilance

Patch and Update: Regularly update software and apply security patches. Vulnerabilities in outdated systems can be exploited.

Multi-Factor Authentication (MFA): Implement MFA wherever possible. It adds an extra layer of security by requiring additional verification beyond passwords.

Data Encryption: Encrypt sensitive data both at rest and in transit. Even if breached, encrypted data remains useless to attackers.

Incident Response Plan: Have a robust incident response plan in place. Know how to react swiftly if a breach occurs.

3. Customer Trust and Reputation

Transparency: If your organization is affected, be transparent with customers. Promptly inform them about the breach, steps taken, and precautions they should follow.

Reputation Management: A breach can tarnish your brand’s reputation. Communicate openly, take responsibility, and demonstrate commitment to security.

4. Legal and Regulatory Compliance

Data Protection Laws: Understand the legal obligations related to data breaches in your jurisdiction. Compliance is critical to avoid penalties.

Notification Requirements: Depending on the severity, you may need to notify affected individuals, authorities, or regulatory bodies.

5. Employee Training

Security Awareness: Train employees to recognize phishing attempts, use strong passwords, and follow security protocols.

Incident Reporting: Encourage employees to report any suspicious activity promptly.

What next?

The MOAB serves as a wake-up call for businesses worldwide. Cybersecurity isn’t a one-and-done task—it’s an ongoing commitment. By staying vigilant, implementing best practices, and prioritizing data protection, organizations can mitigate the impact of breaches and safeguard their customers’ trust.



Read more »
USDoD
Data Breach Data Leak Database Breach Linkedin LinkedIn Users Personal Data US Government USDoD

Hackers Leaks Scraped LinkedIn Data of 35 Million Users


Threat actors have recently leaked personal information of over 35 million online users, by illicitly accessing a LinkedIn database. Apparently, the hackers are operating under the name ‘USDOD.’

The database, on the other hand, has been released in a popular cybercrime forum, Breach Forums. 

It is significant to note that USDoD is the same hacker who compromised the FBI's InfraGard security platform last year, revealing 87,000 members' personal information.

In a post on Breach Forums, the hacker verified that web scraping was used to access the most recent LinkedIn information. Web scraping is a software-driven, automated process that extracts data from websites, usually with the purpose of obtaining certain information from web pages.

As revealed by Hackread, the leaked data included publicly available information regarding the victims’ LinkedIn profiles, such as full names and profile bios. While this data also contains millions of email addresses, the hackers could not get hold of the passwords.

Email addresses from senior US government officials and organizations are exposed in the leak. Email addresses from other international government agencies have also been found.

Legitimacy of LinkedIn Data: Is it Authentic?

After analyzing more than 5 million accounts in the database, Troy Hunt of HaveIBeenPwned came to the conclusion that the data was a combination of information from other sources, including fraudulent email addresses and public LinkedIn profiles. Troy notes that the individuals, businesses, domain names, and a large number of email addresses are real, even though some of the information may be anecdotal or largely made up.

"Because the conclusion is that there’s a significant component of legitimate data in this corpus, I’ve loaded it into HIBP[…]But because there are also a significant number of fabricated email addresses in there, I’ve flagged it as a spam list which means the addresses won’t impact the scale of anyone’s paid subscription if they’re monitoring domains," Hunt explained.

This however was not the first time when the LinkedIn information was being leaked online by threat actors. A similar case happened back in April 2021, where 2 scrapped LinkedIn databases went on sale with 500 million and 827 million records. Also, in June 2021, a hacker sold a LinkedIn database that contained information about around 700 million users.  

Read more »
Scam
Company Data Breach Job Scams Jobseekers Linkedin New Jobs Online Jobs Perfect Jobs Scam

Online Jobseekers Beware: Strategies to Outsmart Scammers

 


The number of employment scams is increasing, and the number of job seekers who are targets of cunning scammers is also on the rise. A person who is seeking a new job is advised to be vigilant to these scams and to be aware of what to look out for to better protect themselves against them if they are searching for one. 

Precisely what is the scam? 

On fake websites that look like they belong to reputable companies, criminals will pose as them to post fictitious job descriptions that require applicants to apply for fictitious jobs. The scammers will then make false job offers to candidates looking for a job. 

Sometimes, the fraudster may ask for personal information, like a person's address, bank details, or personal information like a passport number. It is becoming increasingly common for these scams to take the form of legitimate recruitment activities, and they often appear to be recruiting through third-party websites or direct email exchanges. 

It is becoming increasingly common for employers to be caught up in this sort of scam, which is known as recruitment fraud. A scammer has been known to target job seekers with fake job openings on LinkedIn as the social networking site receives more than 100 job application submissions per second. 

Approximately two-thirds of British users have been targeted in the last several years, according to a study conducted by NordLayer, a security firm. Scammers do not limit themselves to LinkedIn, with scammers exploiting other genuine, well-known job websites as well as sending email solicitations directly to university students by targeting them directly within their email addresses. 

Scammers employ two main methods to con their victims. A job offer with basic information about the company and its job position sounds very interesting to job seekers, and there is a link that says that if they click on it, a presentation with detailed information about the company and the job role will appear, says Jedrzej Pyzik, a recruitment consultant at the financial recruitment firm FTeam.

It has been observed that after clicking through the link, there are usually some landing pages that require the user to download a certain program, log in, and provide personal information - this is the most common one that has noticed the most, said Jedrzej. 

When that data is obtained, it can be used to steal the job seeker's identity, or even to open a bank account in their name or to apply for credit in their name if the job seeker is not present. Another popular scam involves asking "successful" job applicants to send over a substantial amount of money upfront to have the money paid back when they are hired - a practice known as advance fee scams. 

If a person is told that the amount can be credited towards training fees, criminal background checks by the Disclosure and Barring Service (DBS), travel fees like visas, or equipment that is needed for the job, they may feel more inclined to apply. 

The problem is that if a check is ever received to cover these costs, it will bounce. A large part of the problem is associated with fake job ads, which are especially common when it comes to the recruitment process for students and recent graduates, who may be considered to be less knowledgeable about it. 

Several scams have been targeting US university students lately, according to the security firm Proofpoint, offering jobs in biosciences, healthcare, and biotechnology fields, mostly in recent months. These scams appear to have targeted students in various parts of the country. 

Is there a way to protect from these Frauds? 

To identify phishing scams, follow these five tips: 

It is advisable to avoid generic emails at all costs. A lot of effort is put into casting a wide net when scammers do not include specific information in their scams. It is always a good idea to be cautious when receiving an email that seems overly generic. 

The spelling of domain names and email addresses should be checked very carefully. Even a slight change of lower and uppercase letters can result in a redirect to a different domain where the job seeker may be a victim of identity theft. 

A recruitment agent from an authentic company will most often ask applicants for an in-person interview if the candidate truly meets all the requirements for the job. 

A recruiter will never ask a prospective candidate for financial information or payments as part of an employment application or as a condition of employment or anything similar.

Those who post a job stating the position is the "perfect job" usually make this claim as they rely on the high pay they will offer for positions that do not require any skills and experience. 

It is likely that such a job is a scam and is just too good to be true. There is a concerted effort being made by job platforms to eliminate job scams in their platforms. 

A report from LinkedIn claims that 99.3% of the spam and scams it detects are caught by its automated defences, and 99.6% of the fake accounts it detects are blocked before members even know they exist. Additionally, job websites are also doing their part to help those looking for work. 

It is the company's policy to perform automatic verification processes that confirm the validity of its advertisers, according to Keith Rosser, director of group risk at Reed, a process which involves checking Company House information, the domain information of the company as well as the email addresses and physical addresses of the company's advertisers. 

The job seekers are advised, however, to be cautious and to check whether the employer is legitimate before sharing any personal information with them. Before sharing any personal information, it would be wise to verify that the organization exists.
Read more »
threats
Advertising attacks Business Cloud CyberCrime Cybersecurity Duckport Ducktail Facebook Hijacking Information Linkedin malware Marketing Scams Security SocialEngineering SocialMedia Tactics threats

Vietnamese Cybercriminals Exploit Malvertising to Target Facebook Business Accounts

Cybercriminals associated with the Vietnamese cybercrime ecosystem are exploiting social media platforms, including Meta-owned Facebook, as a means to distribute malware. 

According to Mohammad Kazem Hassan Nejad, a researcher from WithSecure, malicious actors have been utilizing deceptive ads to target victims with various scams and malvertising schemes. This tactic has become even more lucrative with businesses increasingly using social media for advertising, providing attackers with a new type of attack vector – hijacking business accounts.

Over the past year, cyber attacks against Meta Business and Facebook accounts have gained popularity, primarily driven by activity clusters like Ducktail and NodeStealer, known for targeting businesses and individuals operating on Facebook. 

Social engineering plays a crucial role in gaining unauthorized access to user accounts, with victims being approached through platforms such as Facebook, LinkedIn, WhatsApp, and freelance job portals like Upwork. Search engine poisoning is another method employed to promote fake software, including CapCut, Notepad++, OpenAI ChatGPT, Google Bard, and Meta Threads.

Common tactics among these cybercrime groups include the misuse of URL shorteners, the use of Telegram for command-and-control (C2), and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host malicious payloads.

Ducktail, for instance, employs lures related to branding and marketing projects to infiltrate individuals and businesses on Meta's Business platform. In recent attacks, job and recruitment-related themes have been used to activate infections. 

Potential targets are directed to fraudulent job postings on platforms like Upwork and Freelancer through Facebook ads or LinkedIn InMail. These postings contain links to compromised job description files hosted on cloud storage providers, leading to the deployment of the Ducktail stealer malware.

The Ducktail malware is designed to steal saved session cookies from browsers, with specific code tailored to take over Facebook business accounts. These compromised accounts are sold on underground marketplaces, fetching prices ranging from $15 to $340.

Recent attack sequences observed between February and March 2023 involve the use of shortcut and PowerShell files to download and launch the final malware. The malware has evolved to harvest personal information from various platforms, including X (formerly Twitter), TikTok Business, and Google Ads. It also uses stolen Facebook session cookies to create fraudulent ads and gain elevated privileges.

One of the primary methods used to take over a victim's compromised account involves adding the attacker's email address, changing the password, and locking the victim out of their Facebook account.

The malware has incorporated new features, such as using RestartManager (RM) to kill processes that lock browser databases, a technique commonly found in ransomware. Additionally, the final payload is obfuscated using a loader to dynamically decrypt and execute it, making analysis and detection more challenging.

To hinder analysis efforts, the threat actors use uniquely generated assembly names and rely on SmartAssembly, bloating, and compression to obfuscate the malware.

Researchers from Zscaler also observed instances where the threat actors initiated contact using compromised LinkedIn accounts belonging to users in the digital marketing field, leveraging the authenticity of these accounts to aid in social engineering tactics. This highlights the worm-like propagation of Ducktail, where stolen LinkedIn credentials and cookies are used to log in to victims' accounts and expand their reach.

Ducktail is just one of many Vietnamese threat actors employing shared tools and tactics for fraudulent schemes. A Ducktail copycat known as Duckport, which emerged in late March 2023, engages in information stealing and Meta Business account hijacking. Notably, Duckport differs from Ducktail in terms of Telegram channels used for command and control, source code implementation, and distribution, making them distinct threats.

Duckport employs a unique technique of sending victims links to branded sites related to the impersonated brand or company, redirecting them to download malicious archives from file hosting services. Unlike Ducktail, Duckport replaces Telegram as a channel for passing commands to victims' machines and incorporates additional information stealing and account hijacking capabilities, along with taking screenshots and abusing online note-taking services as part of its command and control chain.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure said.
Read more »
Zinc
Cyber Attacks Lazarus APT Linkedin malware Microsoft MSTIC Whatsapp. Zinc

Zinc APT is Conducting an Attack Against Victims in Critical Sectors


 
During recent months, Microsoft has detected cyberattacks targeted at security researchers by an actor tracked as ZINC, who is also called the author of these attacks. Originally, the campaign was brought to the attention after Microsoft Defender for Endpoints detected an attack that was taking place in the background. 

As a consequence, seven groups have been identified as being targeted, including pen testers, private offensive security researchers, and employees of security and technology companies. Based on the observations made by MSTIC, which is a Microsoft Threat Intelligence Center, we can attribute this campaign with high confidence to ZINC, which is a DPRK-affiliated and state-sponsored group, given its tradecraft, infrastructure, malware patterns, and account affiliations.


Campaigns designed to attack 


Using a high degree of confidence, Microsoft Threat Prevention and Defense has linked these recent attacks to a threat group identified as Zinc. The group is allegedly associated with recent attacks on LinkedIn. In addition, the group is also linked with one of the groups of the Lazarus movement.

• During their experiments, researchers noticed Zinc using a wide variety of open-source software, including KiTTY, TightVNC, Sumatra PDF Reader, PuTTY, and muPDF/Subliminal Recording software installers.

• As far as Microsoft is concerned, there are around five methods for trojanizing open-source applications, including packing with commercial software protection Themida, hijacking DLL Search orders, using custom encryption methods, encoding victim information in parameters associated with common keywords, and using SSH clients.

• A number of these applications are bundled with malicious shellcodes and malicious payloads that belong to the ZetaNile malware family that researchers have been tracking.

Is there anyone who has been affected by the crisis?


There has been a recent rash of attacks caused by Zinc on employees of various companies located in the United Kingdom, the United States, Russia, and India. These companies operate in different industries such as defense, aerospace, IT services, and media.


The tactical approach to the spread of infection 


A LinkedIn security team discovered Zinc impersonating recruiters from defense, technology, and media companies. This was malware that was delivered from LinkedIn to WhatsApp. Despite this, LinkedIn immediately suspended accounts linked to suspicious or fraudulent behavior as per its policies and the accounts spotted in these attacks.

Earlier this month, Mandiant reported about an ongoing campaign related to the weaponized version of PuTTY being used by some hackers; the operation Dream Job campaign was initiated by attackers to extract information about jobs on LinkedIn using job lures.

In essence, throughout its attack campaign, Zinc targets victims all over the world with a wide range of platforms and open-source software, making it one of the most dangerous cyber threats for businesses globally. 

To prevent such abuses, individuals and organizations that use open-source software should therefore ensure that they are vigilant. Whenever possible, it is highly recommended that you leverage a threat intelligence platform to find threats that are tailored to your needs.
Read more »
Linkedin
CISO Cyber Fraud Fake Accounts High Profile Attacks Linkedin

Fake CISO Profiles of Corporate Giants swamps LinkedIn

 

LinkedIn has recently been flooded with fake profiles for the post of Chief Information Security Officer (CISO) at some of the world’s largest organizations. 

One such LinkedIn profile is for the CISO of the energy giant, Chevron. One might search for the profile, and find the profile for Victor Sites, stating he is from Westerville, Ohio, and is a graduate of Texas A&M University. When in reality, the role of Chevron is currently occupied by Christopher Lukas, who is based in Danville, Calif. 

According to KrebsOnSecurity, upon searching the profile of “Current CISO of Chevron” on Google, they were led to the fake CISO profile, for it is the first search result returned, followed by the LinkedIn profile of the real Chevron CISO, Christopher Lukas. It was found that the false LinkedIn profiles are engineered to confuse search engine results for the role of CISOs at major organizations, and the profiles are even considered valid by numerous downstream data-scraping sources. 

Similar cases could be seen in the LinkedIn profile for Maryann Robles, claiming to be the CISO of another energy giant, ExxonMobil. LinkedIn was able to detect more such fabricated CISO profiles since the already detected fake profile suggested 1 view a number of them in the “People Also Viewed” column. 


Who is Behind the Fake Profiles? 


Security experts are not yet certain of the identity of the threat actors behind the creation and operation of these fake profiles. Likewise, the intention leading to the cyber security incident also remains unclear.  

LinkedIn, in a statement given to KrebsOnSecurity, said its team is working on tracking the fake accounts and taking down the con men. “We do have strong human and automated systems in place, and we’re continually improving, as fake account activity becomes more sophisticated,” the statement reads. “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam,” said LinkedIn. 

What can LinkedIn do?  


LinkedIn could take simple steps that could inform the user about the profile they are looking at, and whether to trust the given profile. Such as, adding a “created on” date for every profile, and leveraging the user with filtered searches. 

The former CISO Mason of LinkedIn says it could also experiment with offering the user something similar to Twitter’s ‘verified mark’ to those who chose to validate that they can respond to email at the domain linked with their stated current employer. Mason also added LinkedIn needs a more streamlined process allowing employers to remove phony employee accounts.
Read more »
Spear Phishing Mails
Cyber Attacks Facebook Linkedin Spear Phishing Spear Phishing attacks Spear Phishing Mails

Ducktail Spear-Phishing Campaign Targets Facebook Business Accounts Via LinkedIn

 

An ongoing spear-phishing campaign dubbed “Ducktail” is targeting admin profiles of enterprise networks via LinkedIn, with the motive of taking over Facebook Business accounts and exploiting the Ads function to run malvertising campaigns. 

According to researchers at WithSecure, a popular global IT-security firm, the hackers are of Vietnamese origin and have been active since 2018. 

Modus operandi 

The Ducktail operators have a limited targeting scope and carefully choose their victims, seeking those with administrative access to their employer's social media accounts. The hacker contacts employees on LinkedIn who may have access to Facebook business accounts, such as those described as working in "digital media" and "digital marketing." 

Subsequently, the hacker lures the potential victim to download a file hosted on legitimate cloud hosting services like Dropbox or iCloud. The downloaded file contains JPEG image files and a PDF document relevant to the topic discussed between the hacker and the potential victim during the convincing stage.

Security researchers reported that the entire file is a .NET Core malware that can infect any operating system by running on computers without having to install the .NET runtime. Once it has compromised the system the malware collects browser cookies from Chrome, Edge, Firefox, and additional sensitive information to steal Facebook credentials. 

“The malware directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account,” researchers explained. 

The malware is then deployed to other Facebook pages owned by the victim and collects multiple tokens, IP addresses, account information, geolocation data, and other valuables to disguise itself as a legitimate admin. 

After getting access to the victim’s business profile the malware steals advertising limits, credit card details, client lists, currency, payment cycle, and more sensitive details, and finally, the stolen data is exfiltrated through Telegram bots when the malware exits or crashes. 

The phishing campaign operates on an infinite loop in the background which allows continuous exfiltration of new cookies and any update to the victim’s Facebook account. The motive is to interact with the victim’s account, and ultimately create an email account managed by the hacker with the highest privilege role; that is, admin access and finance editor roles.
Read more »
More Eggs Malware
Corporate Networks Hackers Hiring Linkedin malware More Eggs Malware

Hackers Sneak 'More_Eggs' Malware Into Resumes Sent to Corporate Hiring Managers

 

A year after potential candidates looking for work on LinkedIn were tempted with weaponized job offers, a new series of phishing assaults carrying the more eggs malware has been detected attacking corporate hiring supervisors with false resumes as an infection vector. 

Keegan Keplinger, eSentire's research and reporting lead said in a statement, "This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting job seekers with fake job offers."
 
Four separate security events were identified and disrupted, according to the Canadian cybersecurity firm, three of which happened towards the end of March. A U.S.-based aerospace company, a U.K.-based accounting firm, a legal firm, and a hiring agency, all based in Canada, are among the targets. 

The malware, which is thought to have been created by a threat actor known as Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing sensitive data and lateral movement across a hacked network. 

Keplinger stated, "More_eggs achieves execution bypassing malicious code to legitimate windows processes and letting those windows processes do the work for them."
 
The goal is to leverage the resumes as a decoy to launch the malware and sidestep detection. Apart from the role reversal in the mode of operation, it's unclear what the attackers were after, given that the attacks were stopped before they could carry out their intentions. However, it's worth noting that, once deployed, more eggs might be used as a launchpad for further assaults like data theft and ransomware. 

"The threat actors behind more_eggs use a scalable, spear-phishing approach that weaponizes expected communications, such as resumes, that match a hiring manager's expectations or job offers, targeting hopeful candidates that match their current or past job titles," Keplinger stated.
Read more »
Phishing and Spam
Cyber Security cybercriminals Job Scam Linkedin malacious Phishing and Spam

Giant User Theft and Bot Attacks Target on Job Seekers

 

Job seekers are viable targets for social manipulation efforts because applicants are emotionally weak and eager to provide any information to help them win the job. Cybercriminals are finding it easier to find the next victim now the "Great Resignation" is in full armor. 

A job posting portal with a location in six countries was the sufferer in this instance. The goal of the attack was to collect job seeker information from the website. 

Since February 1, experts have seen a 232 percent increase in phishing email attacks imitating LinkedIn, seeking to deceive job seekers into handing up private credentials. The emails contained subject lines including "Searching for a suitable candidate online," "You mentioned in 4 searches this week," and even "You have 1 new message," as per the Egress team. 

The OWASP Foundation classifies web scraping as an operational threat (OAT-011), which is defined as gathering accessible data or processing output from an application. While web scraping walks a delicate line among reporting and data privacy violations, it is still one of the most common automated hacks affecting businesses today, according to Imperva.

Imperva didn't name the company, but it said it received 400 million bot requests from 400,000 network Interfaces over four days in an attempt to harvest all of its job seekers' information. Similar strategies can be employed in "scalping" attacks, which are aimed to purchase in-demand, limited-edition products in order to resell them at a greater price later. Imperva neutralized one such operation on a retailer's website around Black Friday week, which had nine million bot queries in only 15 minutes — 2500 percent above its normal traffic rate.

Several people are accustomed to receiving regular authentic LinkedIn communications – and may unintentionally click without double-checking. Individual users are still responsible for being aware of the data they provide socially and how it can be used to deceive users into clicking a malicious link.
Read more »
Vulnerabilities and Exploits
Atlassian Audi Confluence Flaw Linkedin OGNL Instructions Team collaboration Software Vulnerabilities and Exploits

Recently Patched Confluence Vulnerability Abused in the Wild

 

A significant vulnerability in Confluence's team collaboration server software is on the edge of exploitation after the company released the patch a week ago. 

Threat actors were found abusing the major vulnerability tracked as CVE-2021-26084 which affects Confluence Server and Confluence Data Center software, which is often installed on Confluence self-hosted project management, wiki, and team communication platforms. 

The vulnerability is hidden in OGNL (Object-Graph Navigation Language), a basic scripting language for interfacing with Java code, which is the fundamental technology used to build most Confluence software. 

When Atlassian released the fix on August 25, the firm that owns the Confluence software family, stated the vulnerability could be used by threat actors to circumvent authentication and implant malicious OGNL instructions that allow attackers to take control of the system. 

As an outcome, the vulnerability received a severity rating of 9.8 out of 10, indicating that it could be exploited remotely over the internet and building a weaponized exploit would be relatively simple.

Exploitation begins a week after fixes are released

Attackers and professional bug bounty hunters are investigating Confluence systems for functionalities vulnerable to CVE-2021-26084 exploits, according to Vietnamese security researcher Tuan Anh Nguyen, who stated on Tuesday that widespread scans for Confluence servers are already ongoing. 

Soon after the issue was discovered in the open, two security researchers, Rahul Maini and Harsh Jaiswal released a detailed explanation of the flaw on GitHub, along with various proof-of-concept payloads. Maini explained the procedure of creating the CVE-2021-26084 attack as “relatively simpler than expected,” thus proving the bug's high severity level of 9.8. 

Confluence is a widely used team collaboration software among some of the world's top businesses, and the CVE-2021-26084 vulnerability is highly effective from a threat actor's standpoint, criminal gangs are anticipated to increase their assaults in the next few days. 

As Confluence flaws have previously been widely weaponized, a similar exploitation strategy is probable this time. 

Atlassian states that Confluence is used by over 60,000 clients, including Audi, Hubspot, NASA, LinkedIn, Twilio, and Docker, according to its website.
Read more »
SVR
Cyber Security Google Chrome Internet Explorer Linkedin Safari SVR

With Safari Zero-Day Attacks, Russian SVR Hackers Targeted LinkedIn Users

 

Google security experts revealed details on four zero-day vulnerabilities that were undisclosed until they were exploited in the wild earlier this year. After discovering exploits leveraging zero-day vulnerabilities in Google Chrome, Internet Explorer, and WebKit, the engine used by Apple's Safari web browser, Google Threat Analysis Group (TAG), and Google Project Zero researchers discovered the four security issues. 

CVE-2021-21166 and CVE-2021-30551 in Chrome, CVE-2021-33742 in Internet Explorer, and CVE-2021-1879 in WebKit were the four zero-day exploits found by Google researchers earlier this year while being abused in the wild. "We tie three to a commercial surveillance vendor arming govt backed attackers and one to likely Russian APT," Google Threat Analysis Group's Director Shane Huntley said. "Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020," Google researchers added. "While there is an increase in the number of 0-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend." 

Despite the fact that the zero-day flaws for Chrome and Internet Explorer were developed and sold by the same vendor to customers all over the world looking to improve their surveillance capabilities, they were not employed in any high-profile operations. The CVE-2021-1879 WebKit/Safari bug, according to Google, was used "to target government officials from Western European countries by sending them malicious links," via LinkedIn Messaging. 

The attackers were part of a likely Russian government-backed actor employing this zero-day to target iOS devices running older versions of iOS (12.4 through 13.7), according to Google experts. While Google did not link the exploit to a specific threat group, Microsoft claims it is Nobelium, the state-sponsored hacking group responsible for the SolarWinds supply-chain attack that resulted in the compromise of numerous US federal agencies last year. 

Volexity, a cybersecurity firm, also attributed the attacks to SVR operators based on strategies used in earlier attacks dating back to 2018. In April, the US government charged the Russian Foreign Intelligence Service (aka SVR) for conducting "a broad-scale cyber-espionage campaign" through its hacking group known as APT29, The Dukes, or Cozy Bear. The attacks were designed to "collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP," according to Google.
Read more »
User Security
Dark Web Data Breach Linkedin User Data User Privacy User Security

Data of 700 Million LinkedIn Users Has Been Compromised

 

A massive breach has purportedly compromised the data of over 700 million LinkedIn users. LinkedIn has a total of 756 million users, which means that this new hack has exposed the data of more than 92 percent of its users. An anonymous hacker is reported to have gotten a fresh dataset including personal information about LinkedIn users. Reportedly, the data exposed includes phone numbers, physical addresses, geolocation data, and inferred salaries. 

The data advertised by the hacker is “both authentic and up-to-date,” according to a recent investigation by the publication, with data points ranging from 2020 to 2021. The article goes on to say that the data breached comprises a lot of information. LinkedIn reported a data breach impacting 500 million customers in April, in which personal information such as email addresses, phone numbers, workplace information, complete names, account IDs, links to social network profiles, and gender characteristics were exposed online. 

According to LinkedIn, the information was obtained through skimming the network rather than a data breach. In an emailed statement, LinkedIn said, "While we're still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members' privacy is protected." 

The hacker has also uploaded a sample set of 1 million users for purchasers on the Dark Web, where the new dataset of 700 million users is also on sale. RestorePrivacy was the first to notice this listing on the Dark Web, and 9to5Google double-checked the sample data. 

User information such as email addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn username, and profile URL, inferred salaries, personal and professional experience/background, gender, and social media accounts and usernames are included in the sample dataset that has been published on the Dark Web. 

9to5Google reached out to the hacker who says that the data was obtained through hacking the LinkedIn API to gather the information that people upload to the site. Although the data does not include passwords, it is nevertheless extremely valuable and might be used in identity theft or phishing attempts.
Read more »
United States
Cyber Security information exposed Linkedin Nuclear Weapons United States

US Soldiers Exposed Information About the Nuclear Weapons Stockpile

 

According to a new report, U.S. soldiers stationed at several bases in Europe accidentally revealed confidential data connected to America's nuclear weapons arsenal while using inadequately secured flashcard apps to memorize those secrets. 

The soldiers accidentally revealed “not just the bases” where the nukes were stored, but also “the exact shelters with ‘hot' vaults that likely contain nuclear weapons,” writes Foeke Postma, a researcher with the OSINT-focused investigative team Bellingcat, in what appears to be a mind-boggling mishandling of America's most sensitive national security information. They also gave a slew of other information, including secret codes, passwords, and security layouts in various locations. 

According to Postma's investigation, the troops utilized common study apps like Chegg, Cram, and Quizlet to save highly classified data on European nuclear bases, then forgot to change the applications' settings from public to private. 

Some of the same soldiers allegedly made their usernames public, which “included the full identities of the persons who established them,” and used the same images they had on their LinkedIn pages, making them easier to track down. 

Postma believes that he was able to find a lot of this information by Googling official words and acronyms related to the US nuclear weapons development. When he did, he discovered a set of 70 public-facing flashcards titled "Study!" that disclosed details on the alleged nuclear inventory at Volkel Air Base in the Netherlands (a long-rumored locale of a U.S. nuke stockpile). Postma further alleges that subsequent open-source searches uncovered further flashcard caches, which revealed “details about vaults at all the other facilities in Europe that supposedly host nuclear weapons.” 

"Some flashcards detailed the number of security cameras and their positions at various bases, information on sensors and radar systems, the unique identifiers of restricted area badges (RAB) for Incirlik, Volkel, and Aviano as well as secret duress words and the type of equipment carried by response forces protecting bases," Postma said. 

"The scale to which soldiers have uploaded and inadvertently shared security details represents a massive operational security failure,” said Postma. “Due to the potential implications around public safety, Bellingcat contacted NATO, US European Command (EUCOM), the US Department of Defence (DoD), and the Dutch Ministry of Defence (MoD) four weeks in advance." The flashcards linked to these disclosures have been taken down since then, according to Postma.
Read more »
Phishing emails
Cyber Crime Linkedin phishing Phishing emails

“LinkedIn Private Shared Document” Shared Via Phishing Email by Hackers

 

LinkedIn seems to have become a popular destination for phishing attacks and users have been attacked with phishing emails in the recent scam on the site. With the public becoming more familiar with the standard tactics used to attack them, cybercriminals had to adopt new tactics in order to prevent identification. 

JB Bowers, a security investigator, found that hackers use LinkedIn to target users to give up their login credentials. The scheme attempts to get dubious users to open a "LinkedIn Private Shared Document," after which their login credentials are requested to access the falsified LinkedIn page. The message prompts the receiver to follow a reference from a third party to access a document.

Any user who obtains an unwanted message through the internal messaging system of LinkedIn via an unidentified contact must be extremely careful. In particular, this is true if users are requested to enter their login details. Users who mistakenly input their login credentials could often receive phishing messages which their LinkedIn contacts can also see. 

As to why hackers attack LinkedIn users, it may be because regular LinkedIn users have strong revenue than normal and are perceived as higher-value targets. Or since LinkedIn links to another Microsoft service, such as Office 365, it could contribute to more identity leakage if a LinkedIn account is hacked. As the name suggests, Phishing attempts to lure users to send confidential details. This could take the form of emails offering a free smartphone or something more formal, as in the aforementioned case. Further targets of phishing attacks are- colleges and businesses. Hackers are now getting more advanced and will send you a bogus email that appears to have originated from your employers since LinkedIn tells them who you are dealing with. Phishing pages are hosted in sites where there are also legitimate business purposes, such as Firebase and Pantheon.io, making access by companies unlikely. 

“The sites use major ASNs including Fastly, Google, and Microsoft, making basic network traffic analysis for the end-user also not so useful,” Bowers stated.

Employees must be advised to identify this form of intrusion leading to a broader breach of enterprise processes and networks. A further alternative is to block the usage of social media/networks on working devices, but it might not be good for workers. The victims will be made aware of the deception and have to let their LinkedIn friends also know about it. In some instances, some of them will find themselves fooled and have to go through the same method. 

“If you see any more LinkedIn messages like this […] you’ll want to let that person know out of band that their account has been compromised and that they should update their LinkedIn password, as well as report the abuse to LinkedIn,” Bowers advised.
Read more »
Spies
China Foreign policy Foreign policy official Linkedin Linkedin Hacks Spies

How China uses LinkedIn to recruit spies


One former senior foreign policy official in the Obama administration received messages from someone on LinkedIn offering to fly him to China and connect him with “well paid” opportunities.

A former Danish Foreign Ministry official got LinkedIn messages from someone appearing to be a woman at a Chinese headhunting firm wanting to meet in Beijing. Three middle-aged men showed up instead and said they could help the former official gain “great access to the Chinese system.”

A former Obama White House official and career diplomat was befriended on LinkedIn by a person who claimed to be a research fellow at the California Institute of Technology, with a profile page showing connections to White House aides and ambassadors. No such fellow exists.

Foreign agents are exploiting social media to try to recruit assets, with LinkedIn as a prime hunting ground, Western counterintelligence officials say. Intelligence agencies in the United States, Britain, Germany and France have issued warnings about foreign agents approaching thousands of users on the site. Chinese spies are the most active, officials say.

“We’ve seen China’s intelligence services doing this on a mass scale,” said William R. Evanina, director of the National Counterintelligence and Security Center, a government agency that tracks foreign spying and alerts companies to possible infiltration. “Instead of dispatching spies to the U.S. to recruit a single target, it’s more efficient to sit behind a computer in China and send out friend requests to thousands of targets using fake profiles.”

The use of social media by Chinese government operatives for what American officials and executives call nefarious purposes has drawn heightened scrutiny in recent weeks. Facebook, Twitter and YouTube said they deleted accounts that had spread disinformation about the Hong Kong pro-democracy protests. Twitter alone said it removed nearly 1,000 accounts.

It was the first time Facebook and Twitter had taken down accounts linked to disinformation from China. Many governments have employed similar playbooks to sow disinformation since Russia used the tactic to great effect in 2015 and 2016.
Read more »
Outlook
Iranian hackers Linkedin Microsoft Outlook

99 Iranian websites used for hacking were seized by Microsoft

                    




According to a report by Associated Press, Microsoft has seized 99 Iranian websites that were supposedly stealing information and launching cyber attacks. The report also said that it had been tracking the group of hackers since 2013.

The hackers were targeting people in the middle east to steal sensitive information by using the malicious websites that were disguised as Microsoft, Linkedin, Outlook and Windows products. Microsoft confirmed in a court filing that this group was stealing information about reporters, activists, political people including “ protesting oppressive regimes”.

The hackers are from Iran but the Tehran government has denied any hacking activity from their end. In the past also Iran government has denied any hacking attempts from their end.

Allison Wikoff, a security researcher at Atlanta-based SecureWorks told Associated Press that according to her observation it is one of the “more active Iranian threat groups”. She further added that Microsoft analyze fake domains through analyzing traffics to protect against fake domains and the practice is popularly called as “sinkholing”.In the past also, Microsoft has used “sinkholing” to seize fake domains made by Russian hackers back in 2016.







Read more »
Subscribe to: Posts (Atom)