Wanted to pass along a warning that there has been a recent spike in spear phishing targeting job seekers on LinkedIn and perhaps other sites like Indeed. The fake job offers, many of which are aimed at technical people and developers, attempt to get the targets to give up personally identifiable information (PII) or install access trojans like More_Eggs in the form of an “offer package.” The motivation appears to be access-for-hire, where access to compromised systems is sold to others for use in subsequent campaigns.
The scammers are posing as companies using combinations of Gmail accounts and, in some cases, look-alike domains (examplecareers.com instead of example.com). They’re further using real names of company employees obtained from public websites and LinkedIn profiles.
Messages include weird wording (note the “no right answers” instead of “no wrong answers”):
Please find attached the Screening test/Interview Questions for the Screening/Interview process. Keep in mind that there are no ‘right answers’.
They also try to create urgency with time limits so targets don’t think and click:
You are required to email back your answers to me within the next 90 minutes.
You will be receiving your Employment Offer Letter from HR via e-mail to sign tomorrow. Our aim is for you to start training as soon as possible. You are to immediately forward the following information to enable the HR secretary register you and prepare your offer letter
Because these attacks are targeting out-of-work professionals with personalized and compelling campaigns, user education has to come through non-work channels such as professional organizations, or reaching out to friends whom you know to be job hunting. That’s also why I’m posting here.
We have seen a number of different companies impersonated over the last week, and not just major names like Microsoft or Amazon but small and medium-sized tech companies as well. The attackers are choosing companies geographically close to their targets for name recognition and legitimacy.
Watch out for red flags if you’re job seeking:
Unusual grammar and wording choice in professional emails.
Statements that create very short-term urgency.
Changing addresses/domains between subsequent contacts.
Use of free webmail services by the “HR” people or use of domains different from their primary site domain.
When in doubt, call the company using a known-good number found on their website to confirm you’re interacting with real people. Do not trust phone numbers in email signatures.
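As an added illustration (not part of the original post), here is a small Python checker that scores a recruiting email thread against the red flags above: free webmail senders, look-alike domains, a sender domain that changes mid-thread, and short-deadline urgency phrasing. The free-webmail list, the urgency patterns and the sample thread are constructed for the example, and the look-alike test is a crude base-name comparison rather than a public-suffix-aware one.

```python
import re
from email.utils import parseaddr

# Constructed list of free webmail providers (assumption; extend as needed).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Constructed urgency patterns modelled on the wording quoted in the post.
URGENCY = [r"within the next \d+ (minutes|hours)", r"\bimmediately\b", r"\bas soon as possible\b"]

def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header value."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def registrable(domain):
    """Crude registrable-domain guess: last two labels (no public-suffix handling)."""
    return ".".join(domain.split(".")[-2:])

def lookalike(domain, official):
    """True if domain differs from the official one but embeds its base name,
    e.g. examplecareers.com vs example.com."""
    if registrable(domain) == registrable(official):
        return False
    return registrable(official).split(".")[0] in domain

def red_flags(messages, official_domain):
    """messages: list of (from_header, body) in thread order.
    Returns a de-duplicated list of human-readable red flags."""
    flags, domains = [], []
    add = lambda f: flags.append(f) if f not in flags else None
    for from_hdr, body in messages:
        d = sender_domain(from_hdr)
        domains.append(d)
        if d in FREE_WEBMAIL:
            add(f"free webmail sender: {d}")
        elif lookalike(d, official_domain):
            add(f"look-alike domain: {d} vs {official_domain}")
        elif registrable(d) != registrable(official_domain):
            add(f"sender domain differs from company site: {d}")
        for pat in URGENCY:
            m = re.search(pat, body, re.IGNORECASE)
            if m:
                add(f"urgency phrase: {m.group(0)!r}")
                break
    if len(set(domains)) > 1:
        add(f"sender domain changed across thread: {sorted(set(domains))}")
    return flags

# Constructed sample thread mirroring the post's examples (not real messages).
SAMPLE_THREAD = [
    ("Jane Doe <jane.doe@examplecareers.com>",
     "Please find attached the Screening test. Keep in mind that there are no 'right answers'."),
    ("HR Team <examplehr.recruit@gmail.com>",
     "You are required to email back your answers to me within the next 90 minutes."),
]
```

Running `red_flags(SAMPLE_THREAD, "example.com")` reports the look-alike domain, the Gmail sender, the 90-minute deadline and the domain switch; a thread sent entirely from the company's own domain with no deadline language returns an empty list.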
Mods, I hope this is OK… CS job seekers are one of the main target demographics.