
Spearphishing: it can happen to you too

Read time in minutes: 4

Hero image: The Fool, generated by MidJourney in a woodcut tarot card style

For some reason, LinkedIn has become the de facto social network for professionals. It is viewed as a powerful networking and marketing site that lets professionals communicate, find new opportunities and source talent at eye-watering speed. At the same time, this makes LinkedIn a treasure trove of data for spearphishing attacks: it tells an attacker who works where, in what role, and how senior they are.

Consider the attack against the popular "play to earn" game Axie Infinity. The attackers had PDF-based malware that gave them access to a target's computer, so they needed someone to open a PDF to trigger the exploit chain and gain a foothold. But they specifically wanted people who likely had access to the crypto wallets that control the blockchain. LinkedIn let them filter for developers at the company behind Axie Infinity, and they likely chose whom to spearphish by role and seniority. The published details of the attack spell out that the attackers set up an entire fake interview process to convince the marks that it was legitimate, and they put the malware in the offer letter. Once inside, the attackers gained access to the validator wallets and made off with over half a billion dollars worth of cryptocurrency.

Numa is delet
<Numa> Maybe, just maybe, you shouldn't store a majority of the keys required to validate something on the same computer. Especially if those keypairs control assets worth close to half a billion dollars. Holy heck.

The malware was in the offer letter. This is the kind of social engineering attack that I bet any one of you reading this article could fall for. Hell, I'd probably fall for it. This may be the wrong kind of take to have, but I'm really starting to wonder whether using LinkedIn so much is actually bad for security. It's not just recruiters reading through LinkedIn anymore; it's also threat actors looking for a way in, and the same role and seniority filters that help recruiters help them pick a target and build a convincing pretext. Maybe we as an industry should stop feeding all of that data into LinkedIn. Not only would it mean less recruiter spam, it might also make spearphishing attacks harder to pull off.

Cadey is coffee
<Cadey> Also, yes, we can't trust PDFs anymore, especially after exploits like FORCEDENTRY became a thing.

Either way, I may end up getting a disposable machine for dealing with reading PDFs from unknown sources in the future. I could use a virtual machine for this, but if my threat model includes PDFs having exploits in them, then I probably can't trust a virtual machine to be a reasonable security barrier. I don't know. It sucks that we can't trust people anymore.

I kinda wish we could.
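The practical question left hanging here is what to do with a PDF from a stranger before it gets anywhere near a viewer. As an added example, not part of the original post or the author's tooling, here is a small pdfid-style triage script in Python. It scans the raw bytes for the name objects that carry auto-execution and active content, resolves the #xx hex escapes attackers use to hide those names (/J#61vaScript), and inflates FlateDecode streams, because a catalog with its /OpenAction can sit inside a compressed object stream where a plain grep never sees it. The two sample documents are constructed inline; nothing is read from disk.

```python
"""Triage an untrusted PDF before opening it (added example, constructed samples)."""
import re
import zlib
from collections import Counter

# Name objects worth a second look in a document from someone you do not know.
RISKY_NAMES = [
    b"/JavaScript",    # script action
    b"/JS",            # the script body itself
    b"/OpenAction",    # fires when the document is opened
    b"/AA",            # additional actions: page open/close, form events
    b"/Launch",        # runs an external program
    b"/EmbeddedFile",  # attachment, a common dropper carrier
    b"/RichMedia",     # Flash/media containers
    b"/XFA",           # XFA forms, another scripting surface
    b"/JBIG2Decode",   # image decoder abused by FORCEDENTRY
]

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM_START = re.compile(rb"(?<!end)stream\r?\n")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so that /J#61vaScript is counted as /JavaScript.
    Applied to the whole buffer for simplicity; that can only add matches,
    which is the right direction to fail in for triage."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> Counter:
    """Count each risky name in one buffer. A name ends at a delimiter, so
    /JS does not match /JSX and /AA does not match /AAB."""
    counts = Counter()
    for name in RISKY_NAMES:
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        counts[name.decode()] = len(re.findall(pattern, data))
    return counts


def inflate_streams(data: bytes):
    """Yield the decompressed body of every FlateDecode stream. Object streams
    (/ObjStm) are the interesting case: whole objects, catalog included, can
    live inside them, invisible to a grep of the raw file. Corrupt or
    truncated streams are inflated as far as they go rather than skipped."""
    for m in _STREAM_START.finditer(data):
        obj_start = max(data.rfind(b" obj", 0, m.start()), 0)
        stream_dict = data[obj_start:m.start()]
        if b"/FlateDecode" not in stream_dict:
            continue
        end = data.find(b"endstream", m.end())
        body = data[m.end():end if end != -1 else len(data)]
        try:
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            continue


def triage_pdf(data: bytes) -> dict:
    """Scan the raw file plus every inflated stream; return counts and a verdict."""
    if b"%PDF-" not in data[:1024]:
        return {"verdict": "not-a-pdf", "counts": {}, "hidden_in_streams": 0}
    total = count_names(normalize_names(data))
    hidden = Counter()
    for inner in inflate_streams(data):
        hidden.update(count_names(normalize_names(inner)))
    total.update(hidden)
    auto_exec = total["/OpenAction"] + total["/AA"]
    active = sum(total[n] for n in ("/JavaScript", "/JS", "/Launch",
                                    "/RichMedia", "/XFA", "/EmbeddedFile"))
    if active or auto_exec:
        verdict = "suspicious"
    elif total["/JBIG2Decode"]:
        verdict = "review"  # legitimate scans use JBIG2 too, but the decoder has a history
    else:
        verdict = "no-declared-active-content"
    return {"verdict": verdict, "counts": dict(total),
            "hidden_in_streams": sum(hidden.values())}


def sample_plain() -> bytes:
    """Constructed: a one-page document with no actions of any kind."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def sample_hidden_openaction() -> bytes:
    """Constructed: the catalog and its /OpenAction JavaScript action sit inside
    a FlateDecode object stream, and the action's name is hex-escaped, so
    neither 'grep OpenAction' nor 'grep JavaScript' on the raw file fires."""
    hidden_objs = (b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                   b"4 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\)) >> endobj\n")
    packed = zlib.compress(hidden_objs)
    return (b"%PDF-1.7\n"
            + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            + b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
            + b"5 0 obj << /Type /ObjStm /N 2 /First 0 /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, doc in (("plain", sample_plain()), ("hidden", sample_hidden_openaction())):
        print(label, triage_pdf(doc))
```

A clean result means "no declared actions", not "no exploit": FORCEDENTRY lived in an image decoder, which is why the script only downgrades /JBIG2Decode to "review" rather than calling it safe, and why it does not replace opening the file on a machine you are willing to lose. It also leaves encrypted documents and non-Flate filters (LZW, ASCIIHex, and so on) uninflated, so treat an /Encrypt or an unfamiliar /Filter as a reason to look harder, not as a pass.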

Mara is hacker
<Mara> Fun fact: the tarot card "The Fool" doesn't actually imply idiocy in a malicious way. The major arcana of the tarot is a bunch of memes that describe the story of The Fool's journey through magick and learning how the world works. The Fool is not an idiot, The Fool is just someone that is unaware of the difficulties they are going to face in life and treats things optimistically. Think a free spirit as opposed to someone that is foolhardy (though foolhardiness is the meaning of The Fool when the card is inverted).

This article was posted on 2022-07-09. Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.

Tags: linkedin infosec

The art for Mara was drawn by Selicre.

The art for Cadey was drawn by ArtZora Studios.

Some of the art for Aoi was drawn by @Sandra_Thomas01.