Too good to be true? It probably is.
An email interview? REALLY?
So, I was in the midst of applying for jobs here and there, and I’m sure everyone loves to use the LinkedIn easy-apply feature, because it’s super convenient, right? But it also attracts some irritating threat actors who abuse that convenience and prey on those who are perhaps too desperate to think twice. The main reason I know this attacker was taking advantage of LinkedIn is my compartmentalized approach to email: I use a separate SimpleLogin alias for each service.
This all started when I received a suspicious email. The email came from the domain [email protected]
The threat actor claimed to be a hiring manager at Good United, a legitimate organization based in South Carolina. Their email is below:
As apparent in the email, they have a unique way of reaching out, perhaps to narrow people down with the “YES” reply approach. Right off the bat, I have the urge to check the domain name records, HOWEVER, I would not be surprised if most people didn’t think to do this.
Upon analyzing the domain records with https://who.is, it was apparent that the domain had been registered very recently. For reference, the email was received on May 1st, 2023. The domain name was registered on May 1st, 2023, with Google Domains. Red flag #1! SAME DAY! What legitimate organization would reach out to me from a freshly registered domain, I wondered.
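The same check, automated: an added example (not code from the original post) that pulls the sender domain out of a From header, reads the registration date from an RDAP-style registrar record, and flags the domain if it was registered within a chosen window of the time the email arrived. The RDAP record and the addresses are constructed placeholders, not the attacker’s real data; `example-lookalike.test` is an assumed name.

```python
from datetime import datetime
from email.utils import parseaddr
import json

# Constructed RDAP-style record for a placeholder domain; not the real record
# for any domain mentioned in the post.
SAMPLE_RDAP = json.dumps({
    "ldhName": "example-lookalike.test",
    "events": [
        {"eventAction": "registration", "eventDate": "2023-05-01T14:22:10Z"},
        {"eventAction": "expiration", "eventDate": "2024-05-01T14:22:10Z"},
    ],
})


def parse_ts(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp; RDAP uses a trailing 'Z' for UTC."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def sender_domain(from_header: str) -> str:
    """Domain part of an RFC 5322 From header, lower-cased."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in From header: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower()


def registration_date(rdap_json: str) -> datetime:
    """The 'registration' event from an RDAP domain record."""
    for ev in json.loads(rdap_json).get("events", []):
        if ev.get("eventAction") == "registration":
            return parse_ts(ev["eventDate"])
    raise ValueError("RDAP record has no registration event")


def domain_age_days(rdap_json: str, received_iso: str) -> int:
    """Whole days from registration to the moment the mail arrived."""
    return (parse_ts(received_iso) - registration_date(rdap_json)).days


def is_fresh_domain(rdap_json: str, received_iso: str, max_age_days: int = 30) -> bool:
    """Red flag #1 from the post: sender domain registered within max_age_days of receipt."""
    return domain_age_days(rdap_json, received_iso) < max_age_days


if __name__ == "__main__":
    received = "2023-05-01T18:00:00Z"  # constructed receipt time
    dom = sender_domain("Hiring Manager <recruiter@example-lookalike.test>")
    age = domain_age_days(SAMPLE_RDAP, received)
    print(f"{dom}: registered {age} day(s) before receipt, fresh={is_fresh_domain(SAMPLE_RDAP, received)}")
```

A real lookup would fetch the record from the registry’s RDAP endpoint for the domain’s TLD; the parsing and the age comparison stay the same.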
Anyway, I reply ‘YES’ because I’m mostly curious, and MAYBE this was just a weird hiring process.
They reply the next day with a screening test, which had a convincing PDF with the legitimate company’s logo. The PDF file contained 17 questions that seemed pretty relevant to the role they were supposedly hiring for. I decided to answer the questions, but admittedly looking back, I probably shouldn’t have. This was my only compromise in this investigation, but at the same time, it’s not like I would have said anything outside the scope of a normal interview process. The “email screening” I would definitely consider red flag #2.
I get their reply to my answers on May 3rd, 2023, acknowledging that they have received them.
The Fun Stuff
Now, this is where things get fun. I’ll let their reply speak for itself:
Nothing is funnier than:
- “$60 per hour”
- “payment every week by check or DIRECT DEPOSIT”
- “The working hours are flexible, so you may choose to work whenever you like” FOR A NETWORK ENGINEER ROLE, directly contradicting the previous PDF questions in regard to hours. (Given the uncertainty around the PDF, I am choosing not to release those questions for now, just in case they are legitimate questions from the real employer, but you can take my word for it, I hope.)
Proactive Defense
So, at this point, red flag, after red flag, after red flag, as you can tell, I’m starting to get more and more confident that this isn’t legitimate. This is when I start to reach out to the legitimate GoodUnited.io, create a post on LinkedIn for awareness, and start filing search engine abuse forms for the domain of the attacker.
This process was fulfilling, as I was eventually in touch with the legitimate organization, and they were so, so friendly. They were able to get their security teams postured, and I was able to network with an organization I had known nothing about just a few days prior.
The finale was my iterative approach to contacting Google Domains and providing a report, only for them to ask for more and more information, but eventually I think things got off on the right foot. I’m not sure if the domain is still in operation, but I did what I could.
Another One..
Just when you thought that was the finale, unfortunately there’s more... because I received a very similar email just a day or so ago from a DIFFERENT email address. This time, the threat actor was using a compromised Hotmail account, which I was able to see with a quick search on https://haveibeenpwned.com, but oddly enough, they were asking me to reach out to what I believe to be another fake domain name, impersonating a different company. The screenshot of the email is below:
As you can see, maybe this is the same person changing their approach in an attempt to sort of “proxy” themselves so they don’t get another domain name exposed and mass-reported. For privacy reasons, I am not leaking the compromised Hotmail account, but that is where this email came from, and again, to my LinkedIn email inbox.
The Slip-Up
The additional clue this one gave, unlike the other, is that for whatever reason the attacker attached their LinkedIn job listing information, probably by accident, right below the email:
Looks like they made a mistake, further solidifying my theory that the attackers were using LinkedIn as a vector:
My Theory
It appears that “Scott O’Mally” was either a fake LinkedIn profile or a compromised account, and they created an Easy-Apply listing for a Junior Network Administrator at SULTAN LLC. They then wait for people to apply, and instead of using the LinkedIn features, they reach out through their own channels to lure people into a direct deposit scam.
Just in case new readers are unaware of how the direct deposit scam works: they will send you a check for your “work office supplies” for your “remote job”, let’s say $5,000 as an example.
You will receive $5,000 in this example, buy your supplies (they will most likely provide a list), and then they ask for a refund of the difference, as in “oopsie, we sent too much! pls send us $4,500 back”. The scam here is that the check will bounce. I repeat, the check will bounce. The scam is clever because a check will show as pending for a while, but the account that the check was written from will not have enough funds to cover the transaction. This is the gist. You can read more about it on r/scams, a lovely resource, or in this great post from social-engineer.com: https://www.social-engineer.com/direct-deposit-scams-dont-get-fooled/
Concluding Thoughts
If something is too good to be true, it probably is. How often do you hear this? Well, a remote network engineer job is definitely a thing somewhere, but a remote network engineer job that you can work WHENEVER YOU WANT, AT $60 AN HOUR? Probably not a thing, if we’re being completely honest. In such a demanding position, where systems must be maintained in pristine condition, service level agreements must be met, etc., it’s fair to say that an offer with anything other than defined hours is probably a scam. Always be vigilant, and remember, anyone can be scammed.
Remember earlier I was talking about my curiosity to fill out those interview questions? That’s where it starts. Curiosity. Anyone can fall into a clever scam; the second you put your pride out there and claim that you know exactly how it works, so you CAN’T be scammed, THAT’S when you will let your guard down.
Always have a healthy dose of skepticism, and please never try to shame people who fall for things. It happens. Shaming victims only makes the process of healing more complicated, in addition to reinforcing the idea that you’re an “idiot” if you fall for these things.
If there’s anything I learned from lures and scams in a game called Runescape, it’s that some scams are actually “antiscams”, and that there can be a lot of depth, more than meets the eye. It’s sort of like sleight of hand and misdirection. Nobody is an idiot for falling into a trap where the art of social engineering is used on the human mind. It happens. We are social creatures of habit. Scamming can be considered an art for a reason. I think it’s fair to say we can admit there are clever tactics, and that is all the more reason to stay vigilant and not let our emotions get in the way.