The fake LinkedIn recruiter network hackers are using to reel in business users

Hackers known to use Zeus malware to hack critical infrastructure targets have developed an elaborate network of fake recruiter profiles for phishing on LinkedIn.

Hackers are targeting users of the popular business networking site LinkedIn. Image: iStock
A skilled hacking crew, thought to operate out of Iran, is behind an elaborate phishing scheme on LinkedIn targeting employees in telecoms, government agencies, and defence contractors.

Researchers at Dell's SecureWorks have released an analysis of a hacking crew they have dubbed Threat Group 2889 (TG-2889), which is using at least 25 bogus but thoroughly developed LinkedIn profiles to draw in potential targets.

The leading personas have richly detailed work histories and about 500 contacts, while supporter personas help bolster the leaders' endorsements and credibility.

SecureWorks' analysis builds on earlier work by security firm Cylance. In December Cylance detailed the activities of an Iranian hacking crew it called Cleaver, which had, over a two-year period, hacked into 50 organisations across Europe, North America, and the Middle East, including military units, airlines, airports, universities, defence contractors, and energy companies.


"Based on strong circumstantial evidence, CTU researchers assess that TG-2889 is linked to the activity that Cylance described," SecureWorks noted.

The bogus recruiters on LinkedIn build on the group's previously reported recruitment ruse, which it used to infect targets' machines and phish their details.

According to Cylance, the group used multiple attack techniques, including SQL injection, numerous software exploits, and TinyZBot, a variant of the notorious Zeus malware the group customised for its surveillance work.

The Zeus variant allowed it to gather information on infected machines by logging keystrokes, capturing screenshots, disabling antivirus, and remotely adding new components.

The malware was disguised as a resume submission system that purported to deliver resumes to the industrial conglomerate Teledyne. Both security vendors note the group used domains that passed themselves off as the recruitment pages of the real corporations Teledyne, Doosan, and Northrop Grumman.
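Both vendors describe recruitment-page domains that imitate real corporations, which is something a defender can screen for. The following is an added example, not code from the article or from either vendor: it triages candidate hostnames (for instance from proxy logs or newly registered domain feeds) against the brand names the article mentions, flagging exact brand labels on unexpected domains, brand names embedded in a longer label, and near-miss spellings. The allowlist of genuine company domains and every sample hostname below are constructed placeholders using reserved `.example` and `.test` TLDs; the article does not give the attackers' actual domains.

```python
import re

# Brands the article names as impersonated in the attackers' recruitment-page domains.
BRANDS = ("teledyne", "doosan", "northropgrumman")

# Assumed allowlist of the companies' genuine domains (placeholder values, not real hostnames).
ALLOWLIST = {"teledyne.example", "doosan.example", "northropgrumman.example"}

# Digit-for-letter swaps often used in lookalike labels; mapped back before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute; cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a hostname (naive: ignores multi-part public suffixes such as co.uk)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brands=BRANDS, allowlist=ALLOWLIST) -> str:
    """Return 'legitimate', 'unrelated', or a flag of the form '<kind>:<brand>'."""
    domain = domain.lower().strip(".")
    if domain in allowlist:
        return "legitimate"
    label = registrable_label(domain)
    # Drop separators and undo homoglyph swaps so "te1edyne-careers" compares as "teledynecareers".
    normalized = re.sub(r"[-_]", "", label).translate(HOMOGLYPHS)
    for brand in brands:
        if normalized == brand:
            return f"brand-label:{brand}"      # exact brand label on a domain that is not allowlisted
        if brand in normalized:
            return f"brand-embedded:{brand}"   # brand plus a lure word, e.g. teledyne-careers
        if levenshtein(normalized, brand) <= 2:
            return f"lookalike:{brand}"        # near-miss spelling, e.g. northropgruman
    return "unrelated"


# Constructed sample hostnames for the demonstration (reserved TLDs, not real domains).
SAMPLE_DOMAINS = [
    "teledyne.example",          # allowlisted genuine domain
    "teledyne.test",             # brand label on an unexpected TLD
    "te1edyne-careers.test",     # homoglyph plus lure word
    "doosan-recruitment.test",   # brand embedded in a longer label
    "northropgruman.test",       # one character dropped
    "example.test",              # unrelated
]


def triage(domains):
    """Map each hostname to its classification so the flagged ones can be reviewed or blocked."""
    return {d: classify(d) for d in domains}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_DOMAINS).items():
        print(f"{host:28} {verdict}")
```

The thresholds are deliberately simple: an edit distance of two against a short brand name will produce false positives, so in practice the output is a review queue rather than an automatic block list, and a proper public-suffix list should replace the naive second-level-label split.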

As Cylance noted, the Iranian hacking group emerged in the wake of Stuxnet, the malware thought to have been developed by the US to sabotage Iran's uranium enrichment facility.

LinkedIn has become something of a preferred tool for hackers to gather information about targets in a particular industry. In September, researchers at Finnish security firm F-Secure who received invitations from fake recruiters laid out in detail the techniques used in that scheme.

Though the bogus recruiters merely sent invitations to numerous security researchers, Yonathan Klijnsma, a researcher from Dutch security firm Fox-IT, pointed out that the activity would have allowed the attacker to map out the industry's social connections.

Exactly why an attacker would do that was never discovered, but about one month after accepting an invitation, the fake recruiter would vanish from the target's connections.
