Infamously heartless hackers and fraudsters have sunk to new lows in recent months by aggressively targeting hopeful job seekers on LinkedIn and other job sites with scam offers that end in the theft of sensitive information or professional services, or in the compromise of corporate IT.
A Thursday (Mar. 17) blog post by Google’s Threat Analysis Group (TAG) said it has been monitoring a new “financially motivated threat actor,” identified as EXOTIC LILY, since September. The group uses complex and convincing new tactics to penetrate company defenses with fake business opportunities.
Saying EXOTIC LILY is “closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol,” Google noted that in addition to common spoofing emails, “rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, further evading detection mechanisms. This level of human-interaction is rather unusual for cybercrime groups focused on mass scale operations.”
Cybersecurity firm Egress said in a blog post that “since February 1st, 2022, we have recorded a 232% increase in email phishing attacks which are impersonating LinkedIn. These attacks use display name spoofing and stylized HTML templates to socially engineer victims into clicking on phishing links and then entering their credentials into fraudulent websites.”
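The two techniques described above, display-name spoofing with links to look-alike login pages (Egress) and payload delivery through legitimate file-sharing services (TAG's EXOTIC LILY note), can both be surfaced by a simple mail-gateway triage check. The following Python is an added example written for this page; it is not code from Egress, Google TAG, or LinkedIn. The brand-to-domain map, the list of file-sharing hostnames and the three sample messages are constructed assumptions for illustration, so adapt them to your own allow-lists before use.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands whose display names are commonly impersonated, mapped to domains that
# legitimately send mail for them. ASSUMPTION for illustration only; build this
# from your own verified allow-list.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
}

# Legitimate file-sharing services named in TAG's EXOTIC LILY write-up. The
# hostnames are an ASSUMPTION for this example; a link to one of them is not
# malicious by itself, it just deserves a second look from an unknown sender.
FILE_SHARE_HOSTS = {"wetransfer.com", "we.tl", "transfernow.net",
                    "onedrive.live.com", "1drv.ms"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def registered_domain(host):
    """Crude registrable domain: last two labels (fine for .com/.net style TLDs)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_message(raw):
    """Return findings for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = {"display_name_spoof": None, "phish_links": [], "file_share_links": []}

    # 1. Display-name spoofing: the name claims a brand, the sender domain does not match.
    claimed = next((b for b in BRAND_DOMAINS if b in display_name.lower()), None)
    if claimed and registered_domain(sender_domain) not in BRAND_DOMAINS[claimed]:
        findings["display_name_spoof"] = (display_name, sender_domain)

    # 2. Walk every HTML part and classify each link it carries.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        for url in HREF_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if host in FILE_SHARE_HOSTS or registered_domain(host) in FILE_SHARE_HOSTS:
                findings["file_share_links"].append(url)
            elif claimed and registered_domain(host) not in BRAND_DOMAINS[claimed]:
                # Brand-themed mail pointing at a non-brand host: classic credential lure.
                findings["phish_links"].append(url)
    return findings


def verdict(findings):
    """Collapse findings into a gateway action."""
    if findings["display_name_spoof"] or findings["phish_links"]:
        return "quarantine"
    if findings["file_share_links"]:
        return "review"
    return "allow"


# Constructed sample messages (not real phishing mail); .example/.test TLDs are reserved.
SAMPLE_PHISH = """\
From: LinkedIn <notifications@mail-linkedin-alerts.example>
To: jobseeker@example.org
Subject: You have 3 new messages
Content-Type: text/html; charset=utf-8

<html><body><p>You appeared in 9 searches this week.</p>
<a href="https://linkedin-login.example/verify">View messages</a></body></html>
"""

SAMPLE_LEGIT = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: jobseeker@example.org
Subject: You have 1 new message
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.linkedin.com/messaging/">View message</a></body></html>
"""

SAMPLE_FILESHARE = """\
From: Ana (Procurement) <ana@supplier-example.test>
To: sales@example.org
Subject: RFP documents for review
Content-Type: text/html; charset=utf-8

<html><body><p>Please find the tender pack here:</p>
<a href="https://wetransfer.com/downloads/abc123">Download</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT), ("fileshare", SAMPLE_FILESHARE)]:
        f = analyse_message(raw)
        print(name, verdict(f), f)
```

The display-name check is deliberately strict: a brand name in the friendly-from with any sender domain outside the allow-list is quarantined, because that is exactly the pattern Egress describes. The file-sharing check only routes to human review, since these services are legitimate and used heavily by real business contacts; the point is to make the link visible to the reviewer rather than to block it.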
Bug Finders and Browser Police
Since 2015, LinkedIn has been offering its Private Bug Bounty Program to spot vulnerabilities.
According to a 2015 LinkedIn engineering blog post, “the participants in our private bug bounty program have reported more than 65 actionable bugs and we have successfully implemented fixes for each issue. The participants have given us positive feedback on the program and in return for their work we’ve paid out more than $65,000 in bounties.”
In February, a LinkedIn spokesperson told tech news site ZDNet: “Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on two-step verification.”
The uptick in attacks using fake job listings and false-front companies comes at a time when Google is seeing more attempts to exploit bugs in its Chrome browser.
If there’s an upside to this current rash of cybercrime, it’s that companies like Google believe cybersecurity efforts are paying off through better visibility into cybercrime patterns.
Google’s TAG said: “We believe we’re seeing more bugs thanks to vendor transparency. Historically, many browser makers didn’t announce that a bug was being exploited in the wild, even if they knew it was happening.”
“Today, most major browser makers have increased transparency via publishing details in release communications, and that may account for more publicly tracked ‘in the wild’ exploitation. These efforts have been spearheaded by both browser security teams and dedicated research groups, such as Project Zero,” TAG wrote.
The Madbird Incident
To help illustrate the trend, in February the BBC reported on its investigation of the Madbird scandal. The 2020 scandal centered on a fictitious design agency that hired more than 50 staffers remotely, even holding Zoom calls where scammers and the victims did actual work.
The company was fake. Cheered on by “founder” Ali Ayad, staffers agreed to work on commission for a six-month probationary period.
However, BBC reported that “at least six of the most senior employees profiled by Madbird were fake. Their identities stitched together using photos stolen from random corners of the internet and made-up names. They included Madbird's co-founder, Dave Stanfield — despite him having a LinkedIn profile and Ali referring to him constantly. Some of the duped staff had even received emails from him.”