Platforms such as LinkedIn offer professionals a useful place to network, look for work, and build business relationships in today’s connected world. But with the advent of Web3 technologies and the ongoing evolution of the digital landscape, scams aimed at LinkedIn users are getting more complex and widespread…

Authors: Ustas.eth; Officercia.eth

So, today, me and Ustas.eth will tell you about one of the various scams you may encounter while looking for job at LinkedIn! This article also aims to shed light on the recent LinkedIn scams and provide essential tips to help you stay protected in this new era of decentralized applications and smart contracts.

Photo by Gabriel Varaljay on Unsplash

Let’s get started!

LinkedIn Scam Flow

Scammers first have a brief conversation about the project before sending a link to an archive of a repository:

Because job scams are usually more simple and hackers usually just send a malicious exe file, the victim usually does not suspect anything suspicious:

After receiving a file from the attacker and conducting a quick search of the public and source folders, “next.setup.js” proved to be one of the more intriguing files. It’s obfuscated:

Luckily (for us 😅) Ustas.eth had some experience with de-obfuscation before, so he beautified it via:

https://lelinhtinh.github.io/de4js/?source=post_page-----25e6b0566fa6--------------------------------

Unfortunately, it didn’t decode the strings, so Ustas.eth wrote a tiny script for this purpose, that’s the output:

From this point, we think the purpose of the file is pretty obvious. In order to trigger it, a dev has to install deps with yarn or npm, and run yarn start (for example):

sqlite3
child_process
crypto
exec
request
platform
tmpdir
homedir
hostname
type
dirname
get
writeFileSync
/client
/.npl
existsSync
/store.node
accessSync
Default
Profile
/AppData/Local/Microsoft/Edge/User Data
Windows_NT
SELECT * FROM logins
Local State
aes-256-gcm
origin_url
username_value
password_value
CryptUnprotectData
createDecipheriv
readFile
copyFile
Login Data
os_crypt
encrypted_key
Database
latin1
U:
W:
P:
unlink
utf-8
filename
multi_file
formData
url
options
value
readdirSync
statSync
isDirectory
/Library/Application Support/Google/Chrome
/.config/google-chrome
/AppData/Local/Google/Chrome/User Data
/Library/Application Support/BraveSoftware/Brave-Browser
/.config/BraveSoftware/Brave-Browser
/AppData/Local/BraveSoftware/Brave-Browser/User Data
/Library/Application Support/com.operasoftware.Opera
/.config/opera
/AppData/Roaming/Opera Software/Opera Stable/User Data
Local Extension Settings
.log
.ldb
solana_id.txt
nkbihfbeogaeaoehlefnkodbefgpgknn
ibnejdfjmmkpcnlpebklmnkoeoihofec
ejbalbakoplchlghecdalmeeeajnimhm
fhbohimaelbohpjbbldcngcnapndodjp
bfnaelmomeimhlpmgjnjophhpkkoljpa
hnfanknocfeofbddgcijnmhnfnkdnaad
fnjhmkhhmkbjkkabndcnnogagogbneec
aeachknmefphepccionboohckonoeemg
hifafgmccdpekplomjjkcfgodnhcellj
createReadStream
/uploads
/.config/solana/id.json
/keys
python
p.zi
/pdown
renameSync
rename
rmSync
tar -xf
curl -Lo
\.pyp\python.exe
p2.zip
/node/
path
post
������輼♦️�̸������
U↓X[N

It’s also possible that it’s downloading something else via python, as there’s a p2.zip name (see above).

Here is a source file (do not install!):

• drive.google.com/file/d/1ONFrT9BHvtZVoTZEcVTodbQvNMmEuZj2/view?usp=sharing

This, in our opinion, looks quite similar to this attack that Lazarus Group is currently running, but this time the quality of the attack was lower, the script starts collecting data directly, without a loader:

https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn?source=post_page-----25e6b0566fa6--------------------------------

We have reported this incident to the support team and hope that appropriate action will be taken:

Attacks & Protections

Scammers’ attempts to take advantage of unsuspecting users have grown more crafty as Web3 technologies gain traction. LinkedIn is one such site where fraudulent activity has increased.

We also promised to talk about recent LinkedIn scams and offer helpful advice on how to avoid falling victim to these kinds of attacks in this article…

So, a few remarks regarding security:

If you work with files — use dangerzone.rocks or analogs like Any.Run or one of these:

• PayloadsAllThePDFs

• Entrusted

Below, I would also like to make a gallery of tips that you could explore in your spare time and increase your level of security. The idiom “Forewarned is forearmed” has never yet, in my memory, misfired:

• Ask everyone who writes to you to upload files in preview mode. Use a separate device for work and try to use a device with QubesOS!

• Use sandboxing — like sanboxie and VM.

• Strengthen security of your Web3 wallet as well — install web3antivirus.io right now!

• If you work a lot with files, particularly PDFs, you can use these protective measures or dangerzone.rocks!

• While you may be wary of third parties trying to steal your information, you should also watch out for insider threats, such as negligent employees and disgruntled workers.

• We recommend that you follow these 25 rules to safeguard yourself from scammers!

The main goal is to convert a possibly infected PDF to pixels and vice versa. Even with all of the above, always work from a separate computer and virtual machine & sandbox!

Scammers often create fake LinkedIn profiles to establish a false sense of trust. Here are some indicators to look out for:

• Incomplete or poorly written profiles: Genuine professionals usually have detailed and polished profiles.

• Inconsistent or stolen profile pictures.

• Limited connections and lack of endorsements or recommendations.

• Profiles with generic job titles and ambiguous descriptions.

• Profiles that claim to work for well-known companies, but lack verification.

Many LinkedIn scams involve fake job offers or investment opportunities. Protect yourself by:

• Being skeptical of jobs that offer unrealistic salaries or promise easy money for minimal effort.

• Researching the company and the recruiter independently before providing any personal information or making financial transactions.

• Verifying job offers by directly contacting the company’s official email or phone number, rather than trusting details provided on LinkedIn.

While LinkedIn remains a vital platform for professional networking, it’s crucial to remain vigilant against potential scams. Key strategies to guard against LinkedIn scams include recognizing fake profiles, spotting phishing attempts, being wary of connection requests, being skeptical of job offers, and strengthening account security.

By following these tips, you can navigate the platform safely, allowing you to focus on building meaningful professional relationships!

Staying Safe In Web3

As we navigate the Web3 era, it is crucial to adapt to the evolving threat landscape and protect ourselves from LinkedIn scams. By understanding the risks, recognizing the various types of scams, and implementing the suggested tips, you can fortify your defenses and maintain a secure online presence:

https://officercia.mirror.xyz/p1ieZdxQWH4yHCNOXNPHyT8So1cY0X_wMGKwdmavi7s?source=post_page-----25e6b0566fa6--------------------------------

https://officercia.mirror.xyz/2i0q4SIWYbbTMnrnFOh7U7q0kFgH-4QXWQ8Dd_dAbDU?source=post_page-----25e6b0566fa6--------------------------------

As a digital nomad, owning cryptocurrency offers mobility, flexibility, and financial independence, but it also introduces significant security risks. By implementing the suggested measures and utilizing recommended devices, digital nomads can mitigate these risks and ensure the safety of their cryptocurrency holdings and personal information.

Authors: Ustas.eth; Officercia.eth

Furthermore, embracing Web3 innovations that offer enhanced security can provide additional layers of protection, facilitating safer interactions within professional networks. By working together, we can strengthen the digital ecosystem and move toward a time when fewer scams occur and genuine connections on sites like LinkedIn are able to grow!

Stay Safe!