Spearphishing: it can happen to you too
For some reason, LinkedIn has become the de-facto social network for professionals. It is viewed as a powerful networking and marketing site that lets professionals communicate, find new opportunities and source talent at eye-watering speed and rates. However, at the same time this also means that LinkedIn becomes a treasure trove of data that enables spearphishing attacks.
Let's consider this attack against the popular "play to earn" game Axie Infinity. The attackers had PDF-based malware that allowed them to get access to a target computer, so they needed someone to open a PDF to trigger the exploit chain that let them gain a foothold. But they specifically wanted people that likely had access to the crypto wallets that enable control of the blockchain. LinkedIn let them filter for employees at the company behind Axie Infinity who were developers, and they likely started spearphishing by role and seniority. The details of the attack spell out that the attackers had set up a whole fake interview process to convince the marks that the process was legitimate, and they put the malware in the offer letter. The attackers later gained access to the validator wallets, and then they were able to make off with over half a billion dollars worth of cryptocurrency.
The malware was in the offer letter. This is the kind of social engineering attack that I bet any one of you reading this article could fall for. Hell, I'd probably fall for this. This may be the wrong kind of take to have, but I'm really starting to wonder if using LinkedIn so much is actually bad for security. It's not just recruiters reading through LinkedIn anymore, it's also threat actors that are trying to break in and do God knows what. Maybe we as an industry should stop feeding all of that data into LinkedIn. Not only would it give you less recruiter spam, maybe it'll make spearphishing attacks more difficult too.
Either way, I may end up getting a disposable machine for dealing with reading PDFs from unknown sources in the future. I could use a virtual machine for this, but if my threat model includes PDFs having exploits in them then I probably can't trust a virtual machine to be a reasonable security barrier. I don't know. It sucks that we can't trust people anymore.
I kinda wish we could.