www.tripwire.com
2606:4700::6812:eb0  Public Scan

URL: https://www.tripwire.com/state-of-security/phony-job-vacancy-targets-linkedin-users-darkgate-malware
Submission: On October 27 via api from TR — Scanned from DE


Text Content


PHONY CORSAIR JOB VACANCY TARGETS LINKEDIN USERS WITH DARKGATE MALWARE


Posted on October 26, 2023


Job hunters should be on their guard.

Researchers at security firm WithSecure have described how fake job
opportunities are being posted on LinkedIn with the intent of spreading malware.

A Vietnamese cybercrime gang is being blamed for a malware campaign that has
seen bogus adverts posted on LinkedIn, pretending to be related to jobs at
computer memory and gaming accessories firm Corsair.

The attack has mostly targeted individuals based in the United States, United
Kingdom, and India, who already hold social media management roles. By claiming
to be hiring a Facebook Ads specialist at Corsair, the criminals behind the
attack are spreading the DarkGate malware onto the PCs of unsuspecting victims.

The malicious posts and direct messages on LinkedIn point jobseekers to a
password-protected ZIP archive.

The archive, once unzipped, can contain the following files:

 * Job Description of Corsair.docx
 * Salary and new products.txt
 * PDF Salary and Products.pdf

A malicious script downloads more code from the internet, and 30 seconds after
installation attempts to uninstall security products on the victim's PC.

The primary goal of the DarkGate attack appears to be to seize high-level access
to the Facebook accounts of businesses, opening the door for cybercriminals to
exploit the account by publishing ad campaigns on the social network.

Users of Facebook Business accounts can be assigned either "partial access" or
"full control". Users with "full control" can enable access to financial
information for the account, including transactions, invoices, account spend and
payment methods.

Last year, the same Vietnamese cybercrime gang was reported to have stolen up to
$600,000 of advertising credits from hijacked Facebook Business accounts, in a
hacking operation dubbed "Ducktail".

The ongoing targeting of social media managers underlines the importance of
ensuring that all staff are properly trained about the risks of opening
suspicious files, and of hunting for new job opportunities on their existing
employer's computers.

--------------------------------------------------------------------------------

Editor’s Note: The opinions expressed in this guest author article are solely
those of the contributor, and do not necessarily reflect those of Tripwire.



GRAHAM CLULEY

Cybercrime Researcher and Blogger
