Job hunters should be on their guard.
A Vietnamese cybercrime gang is being blamed for a malware campaign that has seen bogus adverts posted on LinkedIn, pretending to be related to jobs at computer memory and gaming accessories firm Corsair.
The attack has mostly targeted individuals based in the United States, United Kingdom, and India, who already hold social media management roles. By claiming to be hiring a Facebook Ads specialist at Corsair, the criminals behind the attack are spreading the DarkGate malware onto the PCs of unsuspecting victims.
The malicious posts and direct messages on LinkedIn point jobseekers to a password-protected ZIP archive.
The archive, once unzipped, can contain the following files:
- Job Description of Corsair.docx
- Salary and new products.txt
- PDF Salary and Products.pdf
A malicious script downloads more code from the internet, and 30 seconds after installation attempts to uninstall security products on the victim's PC.
The primary goal of the DarkGate attack appears to be to seize high-level access to the Facebook accounts of businesses, opening the door for cybercriminals to exploit the account by publishing ad campaigns on the social network.
Users of Facebook Business accounts can be assigned either "partial access" or "full control". Users with "full control" can enable access to financial information for the account, including transactions, invoices, account spend and payment methods.
Last year, the same Vietnamese cybercrime gang was reported to have stolen up to $600,000 of advertising credits from hijacked Facebook Business accounts, in a hacking operation dubbed "Ducktail".
The ongoing targeting of social media managers underlines the importance of ensuring that all staff are properly trained about the risks of opening suspicious files, and hunting for new job opportunities on your existing employer's computers.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.