Hackers are targeting social media administrators in the US, Britain and India with information-stealing malware. The aim of the campaign is to gain access to the victims' business Facebook accounts, which the attackers can later use to launch malicious advertising campaigns on the social media platform.
The campaign was spotted by cybersecurity researchers at WithSecure, who discovered that the scammers, believed to be from Vietnam, were posing on LinkedIn as Corsair, a well-known American computer peripheral and hardware company. There they created a fake job advertisement for a social media management position at the company and used it to send a number of documents to the victims.
One of the documents contains a VBS script that, if executed, eventually delivers the RedLine Infostealer or DarkGate.
Fake jobs are an old trick
By gaining access to victims’ social media accounts, the attackers also gain access to the credit cards linked to those accounts. This way they can create (and pay for) various advertisements on a platform that has almost three billion active users every month. These ads almost always lead to a malicious site or promote malware in some way.
Fake job postings on LinkedIn are nothing new. North Korean threat actor Lazarus Group gained infamy for setting up fake job postings to lure blockchain developers. In one such case, cybersecurity researchers at Malwarebytes discovered a campaign in which Lazarus assumed the identity of Coinbase, one of the world’s largest and most popular cryptocurrency exchanges.
The criminals approached blockchain developers with a job offer for the role of “Engineering Manager, Product Security” and even conducted a few interviews to make the whole campaign more credible. However, at some point the attackers shared a file that appeared to be a PDF but was in fact malware.
Lazarus Group has stolen hundreds of millions of dollars in cryptocurrencies this way over the years.
Via BleepingComputer