Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/22/2019
03:10 PM
50%
50%

New Malware Campaign Targets Job Seekers

LinkedIn profiles provide a persistent, patient threat actor with the information required to craft spear-phishing messages.

Scammers tend to be skilled at finding the most vulnerable individuals and turning them into victims. Case in point: Researchers at Proofpoint have been tracking campaigns that prey on those looking for work. The payoff is not a job: It's a copy of the More_eggs backdoor.

The criminal (or criminals) conducting these campaigns seems patient and persistent. The person targets the potential victim through LinkedIn direct messaging, builds rapport, and then begins follow-up through fake websites stuffed with malicious links, email with malware payloads, or both.

LinkedIn profiles provide the threat actor with the information required to craft spear-phishing messages. The malicious payloads are not unique to the campaign: More_eggs is a JScript downloader, while VenomKit and Taurus Builder are malware builders that have been made available for purchase by their developers.

There are overlaps between these campaigns and a campaign launched against anti-money laundering officers at various financial institutions. In addition, the threat actor in these campaigns is showing early signs of moving beyond the basic malware loaded in these instances to more advanced RATs, banking credential skimmers, and other malware. In this case, More_eggs seems likely to lead to more_grief for its victims.

Read more here.

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/25/2019 | 9:08:28 AM
Re: LI-based phishing
My golden email rule: IF YOU DON'T NEED IT, DON'T READ IT, DELETE IT
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/24/2019 | 6:59:25 PM
LI-based phishing
We've also seen in the wild in the past year a LinkedIn phishing scam much more to the point: emails that purport to be from LinkedIn looking almost identical to the ones that say "[N] people looked at your profile this week!"
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10855
PUBLISHED: 2019-05-23
Computrols CBAS 18.0.0 mishandles password hashes. The approach is MD5 with a pw prefix, e.g., if the password is admin, it will calculate the MD5 hash of pwadmin and store it in a MySQL database.
CVE-2019-10866
PUBLISHED: 2019-05-23
In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.
CVE-2016-7550
PUBLISHED: 2019-05-23
asterisk 13.10.0 is affected by: denial of service issues in asterisk. The impact is: cause a denial of service (remote).
CVE-2016-8897
PUBLISHED: 2019-05-23
Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/help/controllers/helpController.php.
CVE-2016-8899
PUBLISHED: 2019-05-23
Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats.