Scam Alert: LinkedIn Users Hit by Malware From Fake Job Offers

Apr 8 · 5 min read

With rampant unemployment ongoing, a job offer through LinkedIn can seem like a godsend. Watch out, though, as some offers aren’t what they seem.

By Neil J. Rubenking

The common, garden-variety phishing attack uses a technique some experts call spray and pray. Fraudsters set up a clone of some sensitive site such as an online banking website and try to trick people into logging in. It doesn’t matter if 999 people are smart enough to spot and avoid the fraud. That one in a thousand who’s distracted or foolish enough to log in is pure gold to the fraudsters. With the captured login credentials, they have total power over the compromised account. The recent LinkedIn phishing attack was nothing at all like this.

Before its attempts to morph into a full-on social media site, LinkedIn focused almost entirely on making connections and finding jobs. That high-importance contact who wouldn’t respond to your emails might become more responsive after a personal introduction by a mutual friend. And putting your resume and experience on LinkedIn means people can find you to make connections or even job offers. That’s the expectation recent attacks have targeted.

I hate to say it, but job seekers make a perfect target group. With the pandemic’s upheaval, more people than ever are looking for a job. Some are desperate. A job offer, even from an unknown source, can seem like a godsend. And an apparent connection with LinkedIn makes the offer even more tempting.

Spear-Phishing Menace

This kind of targeted attack is called spear phishing, and it’s a lot harder to detect than the spray and pray technique described above. The latter might push a Wells Fargo bank link out to a huge horde of consumers, most of whom don’t even have a Wells Fargo account. A spear phishing attack is addressed to you and contains personal information, different for each target.

Sophisticated Malware Attack

Once it has settled in the victim system, the more_eggs process checks in periodically with its Command and Control website, awaiting orders. Those orders come from a hacking group that styles itself as Golden Chickens. (You can’t make this stuff up!) Just what it would have done is unknown, as the eSentire TRU team disrupted the attack system upon discovering it. According to the ThreatPost blog, previous more_eggs attacks have been used to “breach retail, entertainment and pharmaceutical companies’ online payments systems.” The Golden Chickens group planned to rent out the victim PCs in a kind of malware-as-a-service scheme, so it could have been used for almost any nefarious purpose.

Sophisticated Malware Defense

“Bogus job offers pointing to fake links or malicious attachment are nothing new on LinkedIn,” said Philippe Broccard, Senior Product Manager for Vipre Security. “The increase of fake LinkedIn profiles has rendered this platform extremely insecure.”

He noted that while the more_eggs malware itself is fileless, it uses a gimmicked ZIP file to get on the system, stating he “would expect Vipre to pick it up” at that point. Broccard pointed out that the attack does pose “a serious risk to any financial organization,” and suggested that any such organization could benefit from security awareness training.

“According to the information I’m seeing, the infection vector is an email ZIP attachment which contains an LNK file which triggers the file-less attack,” said Pedro Bustamante, VP of Research and Innovation at Malwarebytes. “This would be stopped by our signatureless anti-exploit technology, as part of its ‘application control and hardening’ component, which would prevent email clients from spawning the file-less command.”

Bustamante kindly supplied a mockup of what such a blocking event would look like.

According to Denis Parinov, a Kaspersky security expert, “The described malicious software has long been known, and the backdoor dubbed more_eggs has been used by various threat actors at different times. At the same time, attacks on LinkedIn users involving a similar scheme and the malware of this family have been periodically detected, at least since 2018, with minor changes. Our products detect all the components used in such attacks.”

I’m sure these products aren’t unique in their ability to fend off more_eggs. If you’ve installed a top-tier antivirus or security suite, you should be safe from this well-known attack. But don’t get complacent; the next round of spear phishing emails might inject zero-day malware that (at least temporarily) eludes even the top security products.

Don’t Fall for Spear Phishing

(Editors’ Note: Vipre is owned by J2 Global, the parent company of PCMag’s publisher, Ziff Davis.)

Originally published at

PC Magazine

PC Magazine: redefining technology news and reviews since…

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store