Platforms such as LinkedIn offer professionals a useful place to network, look for work, and build business relationships in today’s connected world. But with the advent of Web3 technologies and the ongoing evolution of the digital landscape, scams aimed at LinkedIn users are getting more complex and widespread…
So, today, Ustas.eth and I will tell you about one of the many scams you may encounter while looking for a job on LinkedIn! This article also aims to shed light on recent LinkedIn scams and provide essential tips to help you stay protected in this new era of decentralized applications and smart contracts.
Scammers first have a brief conversation about the project before sending a link to an archive of a repository:
Because job scams are usually cruder, with the attacker simply sending a malicious .exe file, a victim who is handed a source repository instead usually suspects nothing:
After receiving a file from the attacker and conducting a quick search of the public and source folders, “next.setup.js” proved to be one of the more intriguing files. It’s obfuscated:
Luckily (for us 😅) Ustas.eth had some experience with de-obfuscation before, so he beautified it via:
Unfortunately, it didn’t decode the strings, so Ustas.eth wrote a tiny script for this purpose; this is its output:
From this point, we think the purpose of the file is pretty obvious. In order to trigger it, a dev has to install deps with yarn or npm, and run yarn start (for example):
sqlite3 child_process crypto exec request platform tmpdir homedir hostname type dirname get writeFileSync /client /.npl existsSync /store.node accessSync Default Profile /AppData/Local/Microsoft/Edge/User Data Windows_NT SELECT * FROM logins Local State aes-256-gcm origin_url username_value password_value CryptUnprotectData createDecipheriv readFile copyFile Login Data os_crypt encrypted_key Database latin1 U: W: P: unlink utf-8 filename multi_file formData url options value readdirSync statSync isDirectory /Library/Application Support/Google/Chrome /.config/google-chrome /AppData/Local/Google/Chrome/User Data /Library/Application Support/BraveSoftware/Brave-Browser /.config/BraveSoftware/Brave-Browser /AppData/Local/BraveSoftware/Brave-Browser/User Data /Library/Application Support/com.operasoftware.Opera /.config/opera /AppData/Roaming/Opera Software/Opera Stable/User Data Local Extension Settings .log .ldb solana_id.txt nkbihfbeogaeaoehlefnkodbefgpgknn ibnejdfjmmkpcnlpebklmnkoeoihofec ejbalbakoplchlghecdalmeeeajnimhm fhbohimaelbohpjbbldcngcnapndodjp bfnaelmomeimhlpmgjnjophhpkkoljpa hnfanknocfeofbddgcijnmhnfnkdnaad fnjhmkhhmkbjkkabndcnnogagogbneec aeachknmefphepccionboohckonoeemg hifafgmccdpekplomjjkcfgodnhcellj createReadStream /uploads /.config/solana/id.json /keys python p.zi /pdown renameSync rename rmSync tar -xf curl -Lo \.pyp\python.exe p2.zip /node/ path post ������輼♦️�̸������ U↓X[N
It’s also possible that the script downloads something else via Python, since the decoded strings include a p2.zip name and a \.pyp\python.exe path (see above).
In our opinion, this looks quite similar to the attack that Lazarus Group is currently running, but this time the quality of the attack was lower: the script starts collecting data directly, without a loader:
We have reported this incident to the support team and hope that appropriate action will be taken:
Scammers’ attempts to take advantage of unsuspecting users have grown more crafty as Web3 technologies gain traction. LinkedIn is one such site where fraudulent activity has increased.
We also promised to talk about recent LinkedIn scams and offer helpful advice on how to avoid falling victim to these kinds of attacks in this article…
Below, I would also like to make a gallery of tips that you could explore in your spare time and increase your level of security. The idiom “Forewarned is forearmed” has never yet, in my memory, misfired:
Ask everyone who writes to you to upload files in preview mode. Use a separate device for work and try to use a device with QubesOS!
Use sandboxing, for example Sandboxie or a VM.
While you may be wary of third parties trying to steal your information, you should also watch out for insider threats, such as negligent employees and disgruntled workers.
We recommend that you follow these 25 rules to safeguard yourself from scammers!
The main goal is to convert a possibly infected PDF to pixels and vice versa. Even with all of the above, always work from a separate computer and virtual machine & sandbox!
Scammers often create fake LinkedIn profiles to establish a false sense of trust. Here are some indicators to look out for:
Incomplete or poorly written profiles: Genuine professionals usually have detailed and polished profiles.
Inconsistent or stolen profile pictures.
Limited connections and lack of endorsements or recommendations.
Profiles with generic job titles and ambiguous descriptions.
Profiles that claim to work for well-known companies, but lack verification.
Many LinkedIn scams involve fake job offers or investment opportunities. Protect yourself by:
Being skeptical of jobs that offer unrealistic salaries or promise easy money for minimal effort.
Researching the company and the recruiter independently before providing any personal information or making financial transactions.
Verifying job offers by directly contacting the company’s official email or phone number, rather than trusting details provided on LinkedIn.
While LinkedIn remains a vital platform for professional networking, it’s crucial to remain vigilant against potential scams. Key strategies to guard against LinkedIn scams include recognizing fake profiles, spotting phishing attempts, being wary of connection requests, being skeptical of job offers, and strengthening account security.
By following these tips, you can navigate the platform safely, allowing you to focus on building meaningful professional relationships!
As we navigate the Web3 era, it is crucial to adapt to the evolving threat landscape and protect ourselves from LinkedIn scams. By understanding the risks, recognizing the various types of scams, and implementing the suggested tips, you can fortify your defenses and maintain a secure online presence:
As a digital nomad, owning cryptocurrency offers mobility, flexibility, and financial independence, but it also introduces significant security risks. By implementing the suggested measures and utilizing recommended devices, digital nomads can mitigate these risks and ensure the safety of their cryptocurrency holdings and personal information.
Furthermore, embracing Web3 innovations that offer enhanced security can provide additional layers of protection, facilitating safer interactions within professional networks. By working together, we can strengthen the digital ecosystem and move toward a time when fewer scams occur and genuine connections on sites like LinkedIn are able to grow!