From Interviews to Infections: The Dangerous Trend of Cybercriminals in Job Recruitment

Background: Over the years, the tactics, techniques, and procedures (TTPs) of attackers have evolved significantly. Recently, APT groups have used new methods that have also been adopted by average hackers and smaller groups. In this article, I will explore potential scenarios in which you, as a victim, could be targeted by these threat actors.

Motivation of Threat Actors: As a victim, you can be targeted for two main reasons: either you are currently an employee of a company that is of interest to threat actors, or you are one of the many victims they have identified as part of a broader scheme. Based on these goals, the key points are:

  • Extract financial resources and steal your funds.
  • Gain access to the infrastructure where you are employed.
  • Steal sensitive data related to your current position.

Scenarios:

  • An attacker creates a fake company on social media and reaches out to you with a job offer that includes a lucrative salary. Shortly after, to proceed with the technical interview, they ask you to run a script that contains hidden code responsible for gaining access to your machine. This malicious code may also be designed for data exfiltration from your system.
  • The attacker infects a legitimate company's email system and reaches out to victims using the name of someone in the HR department, offering them a job. As part of this process, they request a technical interview and provide a script that the victim is instructed to prepare and run.
  • A fake persona provides what appears to be clean source code, which includes a backend component. However, the database is hosted remotely. To pass the technical test, the victim is instructed to run the code on their machine and register on the platform via a local UI. If the victim enters their password for the platform, the attacker captures it in plain text and stores it in their remote database. This information can then be used to execute a "password spraying" attack against the victim.
  • The attacker sends a job offer that includes a link to a webpage containing a zero-day exploit for the victim's browser. As a result, the victim's machine becomes infected simply by navigating to the page.

Prevention steps:

  • Always ask the interviewer to turn on their camera. While this is a safety measure, it is also an important ethical step.
  • Open any link in an isolated environment such as Hyper-V or a sandbox.
  • Run scripts in an isolated environment and avoid uploading them to VirusTotal. While the code may appear legitimate, your job offer could also be genuine. Keep in mind that files uploaded to VirusTotal can sometimes be downloaded by other users of the platform.
  • Always verify the email address of the person who sent you the job offer or is associated with the company, especially in the event of an email leak.
  • Check for the existence of a DMARC record for the sender's domain. If it is absent, proceed with caution to protect yourself from potential spoofing attacks.
  • Before running the script, check the whole source code for unknown binaries and base64-encoded strings.
  • Never reuse an existing password when registering on a new or unknown page.
  • Always do a background check of the company that offered the job and check their domain creation date.
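As an added example (not code from the original post), here is a small Python scanner for the "check the source before running it" step: it walks an interview-task bundle and reports binary files and long base64 literals that actually decode, without executing anything. The NUL-byte heuristic, the 40-character threshold and the constructed sample bundle are my own assumptions.

```python
# Scans an interview-task source bundle for binary files and base64 blobs; never runs anything.
import base64
import re
import tempfile
from pathlib import Path

# 40+ base64-alphabet chars plus optional padding; hex digests are filtered below.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
HEX_RE = re.compile(r"[0-9a-fA-F]+")
# Constructed sample of what an encoded hidden stage looks like inside source.
HIDDEN_BLOB = base64.b64encode(b"constructed stand-in for a hidden second-stage blob").decode()

def find_base64_strings(text):
    """Return literals that look like base64 and actually decode."""
    hits = []
    for literal in B64_RE.findall(text):
        if HEX_RE.fullmatch(literal):  # a SHA/MD5 digest, not a payload
            continue
        try:
            base64.b64decode(literal, validate=True)
        except ValueError:  # wrong length or padding: just a long token
            continue
        hits.append(literal)
    return hits

def is_binary(path):
    """Heuristic: a NUL byte in the first 8 KiB means compiled or packed content."""
    with open(path, "rb") as fh:
        return b"\x00" in fh.read(8192)

def scan_tree(root):
    """Return {'binaries': [relpath, ...], 'encoded': [(relpath, literal), ...]}."""
    root, report = Path(root), {"binaries": [], "encoded": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if is_binary(path):
            report["binaries"].append(rel)
            continue
        for literal in find_base64_strings(path.read_text(errors="replace")):
            report["encoded"].append((rel, literal))
    return report

def demo_bundle():
    # Build a constructed take-home bundle in a temp dir and scan it.
    root = Path(tempfile.mkdtemp())
    (root / "app.py").write_text('DIGEST = "' + "deadbeef" * 8 + '"\n'  # not flagged
                                 'CONFIG = "' + HIDDEN_BLOB + '"\n')    # flagged
    (root / "vendor").mkdir()
    (root / "vendor" / "helper.node").write_bytes(b"\x7fELF\x00\x01")  # fake binary
    return scan_tree(root)
```

A hit is a reason to read that file closely (or discard the bundle), not proof of malice; a signed vendor library can legitimately ship a native binary.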


Conclusion: In an increasingly digital world, job seekers must remain vigilant against the evolving tactics of threat actors. As attackers refine their methods, understanding the potential risks and scenarios is crucial for safeguarding personal and professional information. By implementing the prevention steps outlined above, you can significantly reduce your vulnerability to these sophisticated attacks. Always prioritize security and due diligence in your job search process, as these practices not only protect you from immediate threats but also contribute to a safer online environment for everyone. Stay informed and cautious, and remember that vigilance is your best defense against cyber threats.

STAY SAFE ! J0k3R