LinkedIn Bots and Spear Phishers Target Job Seekers

Summary:
LinkedIn, Microsoft's professional social network, serves as a vital hub for job recruiters and seekers. Unfortunately, it is also becoming fertile ground for cybercriminals targeting unsuspecting users. Like other social platforms, LinkedIn is rife with bots that respond to specific keywords or hashtags such as "I was laid off" or "#opentowork." These bots operate from fake accounts that pose as helpful recruiters or connections in order to scam users. The impact ranges from nuisance-level spam to significant security risks.

Bots are rampant across various industries, including advertising, social media, and even job searching. On LinkedIn, bots often flood posts with spam links or connection requests immediately after users announce they are open to work. While these bots may seem benign, they often serve as entry points for more sophisticated scams. The use of hashtags like "#opentowork" amplifies this issue, with bots zeroing in on vulnerable users. Even recruiters have fallen victim to these waves of spam, sometimes reconsidering the use of these hashtags altogether. Bots typically aim to create connections with job seekers to appear more authentic and difficult to detect. By stealing real identities—using names and photos of actual people—these fake profiles blend in with legitimate LinkedIn users, making them harder to report or ban. LinkedIn has taken action against such accounts, but its anti-fraud algorithms require constant updates to avoid false positives, which can sometimes lead to legitimate users being mistakenly banned.

While bots are an inconvenient but predictable threat, a more insidious form of attack comes through personalized phishing attempts via LinkedIn's premium InMail feature. Scammers pay for premium accounts, which allow them to send direct messages to users outside their network. These messages are carefully crafted to appear as legitimate job opportunities, tailored to a user's specific job profile. For example, a scammer using the alias "Kay Poppe," purportedly an Amazon Web Services recruiter, sent a message offering a job opportunity. However, the profile appeared suspicious, with an AI-generated photo and a name resembling a pop-culture reference, which raised suspicion. The message contained a shortened link that led the victim to a phishing page masquerading as a LinkedIn document-sharing platform. Instead of legitimate job information, the page was designed to steal Google credentials using the Rockstar2FA phishing toolkit. Even users with two-factor authentication (2FA) can be tricked into entering their verification codes into these fake pages, which relay them to the real service.

Security Officer Comments:
Phishing attacks on LinkedIn do not just target individuals; organizations face significant risks as well. Compromised accounts, especially those of employees at large companies, can provide cybercriminals with an entry point to broader corporate networks. For instance, attackers may leverage compromised LinkedIn profiles to obtain sensitive company data, facilitate business email compromise (BEC) scams, or spread malware. Job seekers, especially those eager to regain employment, are prime targets for these types of scams. In many cases, scammers use tactics like advance-fee fraud, where victims are asked to pay an upfront fee for fake services or job offers. In more dangerous scenarios, some fake job listings can involve criminal activities like money laundering, where the victim unknowingly becomes part of an illegal scheme.

Suggested Corrections:
LinkedIn users need to be cautious of unsolicited messages, especially those from unknown individuals offering jobs or connections. Suspicion should be raised if messages contain job offers that seem too good to be true or include suspicious links. Users are also advised to avoid using hashtags that may attract bots, like "#opentowork," or to carefully monitor engagement when these terms are used. To further protect themselves, users can adopt newer security measures like passkeys, a more secure form of authentication that relies on a public-private key pair rather than a traditional password. Passkeys are less vulnerable to phishing attacks and are recommended for added protection.
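As an added illustration (not code from the original post or from Malwarebytes), the Go program below models why a passkey assertion cannot be relayed the way a one-time 2FA code typed into a fake page can: the browser writes the origin it actually loaded into the signed client data, so the relying party rejects an assertion that was produced on a look-alike page, even though the user's key is genuine. The RP ID and origin are hypothetical values, and the WebAuthn flow is reduced to the parts that matter here (a real browser would additionally refuse to use the credential at all on a mismatched domain).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed relying-party identity (hypothetical values, not LinkedIn's).
const rpID, rpOrigin = "example-rp.test", "https://example-rp.test"
// clientData mirrors WebAuthn collectedClientData; the browser, not the page, fills in Origin.
type clientData struct{ Type, Challenge, Origin string }
// Assertion is what the RP receives: authenticator data (starting with SHA-256(rpID)), the
// serialised client data, and an ECDSA signature over authData || SHA-256(clientDataJSON).
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// NewPasskey simulates registration: a per-site key pair; the RP stores only the public half.
func NewPasskey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign plays browser plus authenticator: the origin the browser actually observes is signed,
// so an assertion made on a look-alike page carries that page's origin, not the RP's.
func Sign(key *ecdsa.PrivateKey, challenge, observedOrigin string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, observedOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedMessage(rpHash[:], cd))
	return Assertion{rpHash[:], cd, sig}, err
}

// Verify is the relying-party side: fresh challenge, origin binding, then the signature.
func Verify(pub *ecdsa.PublicKey, issuedChallenge string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issuedChallenge {
		return fmt.Errorf("stale or wrong challenge")
	}
	if cd.Origin != rpOrigin { // the check a relayed one-time code never gets
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, rpOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}
```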

Link(s):
https://www.malwarebytes.com/blog/news/2024/10/linkedin-bots-and-spear-phishers-target-job-seekers