Akamai Diversity

The Akamai Blog

Beware of Fall Phishing Season

A recent blog post by LinkedIn says there are more available job postings listed  in October than any other month. Since 89% of the hiring managers who spoke to LinkedIn said it takes less than four weeks to fill those roles, there is a limited window of opportunity - for both job seekers and criminals.

October is National Cyber Security Awareness Month (NCSAM). With that in mind, if you're on LinkedIn looking to land your next gig or fill an open position, you should be aware of potential phishing risks, and avoid criminals who will be looking to take advantage of the fall job rush.

Briefly

In our upcoming State of the Internet / Security report, we cover the topic of phishing in-depth, but in this post, we'll provide some background. Phishing is a social-based attack, and targeted phishing campaigns leverage process injection to maximum effect. Attacks also focus on human nature and leverage social norms and psychological calls in order to get a victim to do something.

Process injection works by targeting the victim's workflow, since doing so enables a higher degree of success for the criminal running the phishing campaign. For today's post, we're going to discuss process injection as it relates to three different areas: job hunting, job recruitment, and new hires.

There are two core aspects to phishing. First is the lure, which is what catches the victim's attention and evokes an emotion of some kind, such as fear or curiosity. Second, is the payload. The payload could be a phishing website, designed to steal personal information or authentication credentials, or the payload could be a malicious attachment that infects the victim's system.

Why LinkedIn?

The main function of LinkedIn is to share full employment histories and forge connections. These connections can be useful for those looking for opportunities or connections in sales, marketing, or recruiting. They're also useful for professional development and growth. Some of the top profiles on the website have thousands of connections spanning multiple industries.

Because of these connections, LinkedIn contains near-complete records of useful corporate information on many profiles, which makes it a hot target for phishing. By creating a fake profile that is "real enough" at first glance and making connections, it is possible for criminals to track much of the top leadership and staff at a given company, or at least enough people to gain some leverage - which is something criminals are always looking for. Security professionals use LinkedIn during penetration testing and red team engagements for the same reason.

This isn't new information. LinkedIn is highly aware that they're a target, and many of their top users are as well, which is why the professional social media website launched a safety portal dedicated to scams and other risks. Given the theme for October, we encourage you to look at LinkedIn's safety portal.

Job Seekers

The process injection aspect of an attack against job seekers involves their normal routine for sorting and responding to job postings or related messages in their inbox. The closer the posting is to their location, skill set, or salary requirements, the easier it is for the criminal to make a new connection.

Job hunting, especially when unemployed, can be stressful. It also becomes a sort of full-time job of its own, meaning that the process of interacting with strangers, clicking links, opening attachments, and sharing seemingly innocent information becomes somewhat routine.

Criminals will develop lures that focus on available jobs, or unique opportunities, and then target those who might be looking for a job. Many people on LinkedIn publish something when they begin their job hunt, making them easily identifiable among the masses. Sometimes lures can be based on skills or tools that are referenced on account profiles.

Common lures include random messages with job offers that are almost too good to be true. Once contact is made, the criminal will request the victim's full resume, which contains personal or biographical data that can be sold and used for marketing and lead generation. Depending on the level of detail in the resume, it is also possible the data can be used for identity theft.

LinkedIn's safety center addresses this, warning users to "be wary of recruiters who ask you to send information to an email address that isn't associated with the company."

The same can be said for recruiters that request lots of personal information up front, via direct message or an attachment.

Job seekers are also targeted for their existing access and connections - especially on LinkedIn. A successful phishing attempt against someone who is currently employed exposes their peers and co-workers, as the criminal now has the ability to pivot and target others via a known, trusted source.

Recruiters / Human Resources

A section of our upcoming State of the Internet / Security report on phishing centers on how Akamai deals with and defends against phishing internally.

As is the case with many organizations, the human resources team is usually a small one, serving a much larger group of teams spread-out across the company. According to our data, 20% of the phishing attacks at Akamai target the Finance and Human Resources departments.

While the total number of phishing attacks against human resources overall is smaller than other departments, the number of attacks per person in human resources is among the highest. There is a good reason for this too, the human resources department is a prime target for criminals.

Human resources has access to everything and everyone. How many people would ignore communications from the HR department or finance, especially if they were reporting payroll problems or tax issues?

The process injection aspect of an attack against human resources works by targeting the routine. Those working in human resources or related departments will read messages, open email attachments, and click links (if present) from both known unknown senders daily. Doing so is part of their job, and no one goes to work expecting to be victimized by a criminal half-way around the world.

Criminals craft messaging related to job postings, potential candidates, or internal matters related to existing employees. Some of this messaging will take place on LinkedIn, but emails directly to the victim, or a phone call, are also possible.

The goal is to convince the victim to do something, such as reveal sensitive information or inadvertently compromise authentication credentials. With a foothold into finance, recruiting or human resources, a criminal would have an entire company as a potential victim pool.

New Hires

Those who manage to land that new job will need to complete paperwork and, in some cases, lots of it. They're identified by postings on LinkedIn that encourage connections to congratulate them on a new position, which is a notification that happens once their profile is updated.

The process injection aspect of an attack against new hires will center on paperwork and information sharing. Criminals will take on the role of human resources, finance, or recruiting and develop lures related to pre-screening, background checks, accounting matters, 401k paperwork, insurance, etc. Lures related to corporate existence, such as fake IT portals where the new hire needs to "set up" their new password since the previous one was just a temp, are another way newly hired staff can be targeted. The goal is to get the victim's personal information as well as their corporate information if possible.

Since someone starting their career at a company is often flooded with paperwork, and the internals of the company could be confusing, it is entirely possible to make a mistake and fall for a job-based scam.

Defensive Measures

While we're talking about possible phishing scams involving LinkedIn in October, the reality is that scams like these happen all year long. The first resource in defending against them is to study LinkedIn's safety portal, and to report anything you feel is suspicious. The portal covers phishing, various other scams, and account safety. It's worth the time it takes to explore it fully.

The address is https://safety.linkedin.com/

Organizations should consider giving awareness training as part of the on-boarding process, including a list of known contacts and information related to who will be asking for what and when. Since criminals can spoof contacts and emails, it's also important for the organization to condition employees to trust but verify, and encourage them to call their contact directly to verify requests for sensitive personal information or corporate data.

When it comes to connections, LinkedIn has the best advice, "...make sure you only connect with someone if you trust them with your personal contact information." This is important, because criminals leverage connections in order to develop targeted lures.

You should also follow LinkedIn's advice and enable multi-factor authentication on your account. This makes it harder for someone to compromise it in the event your password is compromised. Text-based authentication isn't perfect, but it is better than nothing and worth using.

Finally, if the job offer or connection looks too good to be true, then it is. If a random person reaches out, if you're really interested in the offer, do some research on the company they claim to represent. Call them directly and verify the person is who they say they are.

Leave a comment