Article Details

Scrape Timestamp (UTC): 2025-06-11 18:33:20.400

Source: https://www.theregister.com/2025/06/11/crooks_posing_job_hunters_target_recruiters/

Original Article Text


Hire me! To drop malware on your computer.

FIN6 moves from point-of-sale compromise to phishing recruiters.

In a scam that flips the script on fake IT worker schemes, cybercriminals posing as job seekers on LinkedIn and Indeed are targeting recruiters - a group hated only slightly less than digital crooks - with malware hosted on phony resume portfolio sites. The gang behind the con is FIN6 (aka Skeleton Spider), a financially motivated crew that has moved on from stealing credit card data and compromising point-of-sale systems and into social engineering campaigns like this one.

In their latest campaign, the criminals initiate contact with recruiters on these job-seeking websites, then direct them to fake portfolio sites hosted on Amazon Web Services that trick targets into downloading a malicious ZIP file delivering More_eggs, a modular JavaScript-based backdoor offered as malware-as-a-service, according to threat-intel firm DomainTools, which spotted this scam and published a whole list of indicators of compromise on GitHub.

More_eggs malware enables the crooks to remotely execute commands, steal victims' credentials, and deliver additional payloads to compromised computers. It operates in memory, which makes it more difficult to detect.

After first initiating contact with recruiters on LinkedIn and Indeed, the fraudsters follow up with a phishing email from a fake job applicant that directs the recruiter to an online "portfolio" that mimics a legitimate job seeker's website using their name, for example: "bobbyweisman[.]com."

Notably, the domain in the phishing email isn't hyperlinked, which allows it to bypass automated link detection and other security features, and forces the recipient to type the URL into their browser. The crooks typically register these domains anonymously through GoDaddy, making the sites harder to flag as malicious.
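The unlinked-domain trick described above defeats gateways that only inspect URLs found in href attributes or rewrite links. The script below is an added example, not code from The Register, DomainTools or the campaign: it pulls hostname-like tokens out of an email body, marks the ones that no link in the message points at, and compares them with an indicator list. The email text, the hostnames (RFC 2606 ".example" names) and the IOC set are all constructed for the demo; in practice the published DomainTools IOC list would be loaded instead.

```python
"""Flag hostnames that appear in an email as plain text rather than as links."""
import re
from html.parser import HTMLParser

# A hostname such as "janedoe-portfolio.example". The lookbehind stops a match
# from starting inside an e-mail address local part or a longer word.
HOST_RE = re.compile(
    r"(?<![\w.@-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.I)
# Defanged spellings seen in threat intel ("[.]", "(.)") are normalised to a dot.
DEFANG_RE = re.compile(r"\[\.\]|\(\.\)")


class _LinkText(HTMLParser):
    """Collect href targets and the visible text of an HTML (or plain) body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def host_of(url):
    """Hostname part of a URL, lower-cased; '' if there is none."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def find_bare_domains(body, ioc_hosts=frozenset()):
    """Every hostname in the visible text, with two flags:
    bare      - no <a href> in the message points at that host
    ioc_match - the host is on the supplied indicator list"""
    parser = _LinkText()
    parser.feed(body)
    parser.close()
    visible = DEFANG_RE.sub(".", " ".join(parser.text))
    linked = {host_of(h) for h in parser.hrefs}
    findings, seen = [], set()
    for m in HOST_RE.finditer(visible):
        host = m.group(0).lower()
        if host in seen:
            continue
        seen.add(host)
        findings.append({"host": host,
                         "bare": host not in linked,
                         "ioc_match": host in ioc_hosts})
    return findings


# Constructed lure in the style of the campaign: the portfolio domain is left as
# plain text, with a pretext for why the recipient has to type it by hand.
SAMPLE_EMAIL = """<html><body>
<p>Hi, I saw your posting on LinkedIn and would love to be considered for the role.</p>
<p>My portfolio is at janedoe-portfolio.example (please copy it into your browser,
the link did not survive your mail filter).</p>
<p>Best regards,<br>Jane Doe<br>
<a href="https://www.linkedin.example/in/janedoe">www.linkedin.example/in/janedoe</a></p>
</body></html>"""

# Constructed indicator list standing in for the published IOC set.
SAMPLE_IOCS = frozenset({"janedoe-portfolio.example"})

if __name__ == "__main__":
    for finding in find_bare_domains(SAMPLE_EMAIL, SAMPLE_IOCS):
        print(finding)
```

Only the portfolio host comes back as bare; the LinkedIn host appears in the text too, but an anchor points at it, so a link scanner would already have seen it. A bare host that is not on the IOC list is still worth a look when the sender is unknown, which is the case for every unsolicited applicant.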
"By exploiting GoDaddy's domain privacy services, FIN6 further shields the true registrant details from public view and takedown teams," the researchers said.

FIN6 hosts its fake personal portfolio websites on AWS infrastructure, and typically asks the visitor to complete a CAPTCHA - along with other environmental checks designed to ensure the visitor is a human user and not an automated scanner or web crawler - before downloading a malicious ZIP file containing the malware. The ZIP contains a .LNK (Windows shortcut) file that runs a hidden JavaScript payload using wscript.exe. This script connects to the attackers' command-and-control server to retrieve and execute the More_eggs backdoor.

"FIN6's Skeleton Spider campaign shows how effective low-complexity phishing campaigns can be when paired with cloud infrastructure and advanced evasion," the researchers wrote. "By using realistic job lures, bypassing scanners, and hiding malware behind CAPTCHA walls, they stay ahead of many detection tools."

To ward off the influx of comments: we're only kidding about the much-hated-recruiters comment. Despite doing things like calling for candidates with impossible years of experience and discounting real skill levels, we know recruiters have a job to do, too. And, apparently, if this malware-delivery campaign is any indication, they are real people - not robots.
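The delivery chain above (ZIP, .LNK, wscript.exe, outbound connection to C2) leaves a recognisable trail in endpoint telemetry even though the final payload lives in memory. The following is an added example, not code from the article or the researchers: a scoring rule over Sysmon-style process-create (Event ID 1) and network-connect (Event ID 3) records. Field names follow Sysmon; the events, paths, process GUIDs and the 203.0.113.10 address are constructed. The "Temp1_<name>.zip" directory is where Explorer unpacks a file that the user opens directly from inside a ZIP, which is exactly what double-clicking the shortcut in the lure archive does.

```python
"""Spot the .LNK -> wscript.exe -> C2 chain in Sysmon-style process telemetry."""
import json
import re
from collections import defaultdict

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
# Script stored somewhere the user (or a ZIP opened from the mail client) can write.
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|AppData|Desktop)\\", re.I)
# Explorer extracts a file opened straight from a ZIP to %TEMP%\Temp1_<zip name>\.
ZIP_EXTRACT = re.compile(r"\\Temp\\Temp1_[^\\]+\.zip\\", re.I)
# //B suppresses script errors and prompts; //E:jscript forces the JScript engine
# regardless of the file's extension, so a renamed payload still runs.
HIDDEN_FLAGS = re.compile(r"(?<!\S)//(?:B|E:jscript)\b", re.I)
ALERT_THRESHOLD = 4

# Constructed JSON lines in Sysmon field layout (Event ID 1 and 3), not real logs.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2025-06-11 09:14:02", "ProcessGuid": "{G1}", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" //B //E:jscript \"C:\\Users\\hr\\AppData\\Local\\Temp\\Temp1_JaneDoe_Portfolio.zip\\portfolio.js\""}
{"EventID": 3, "UtcTime": "2025-06-11 09:14:03", "ProcessGuid": "{G1}", "Image": "C:\\Windows\\System32\\wscript.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 1, "UtcTime": "2025-06-11 09:20:11", "ProcessGuid": "{G2}", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\cscript.exe", "CommandLine": "cscript.exe \"C:\\Program Files\\Vendor\\inventory.vbs\""}
{"EventID": 1, "UtcTime": "2025-06-11 09:31:40", "ProcessGuid": "{G3}", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""}
"""


def parse_events(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_launch(ev):
    """(score, reasons) for a Windows Script Host launch; None for any other image."""
    if not ev.get("Image", "").lower().endswith(SCRIPT_HOSTS):
        return None
    score, reasons = 0, []
    cmd = ev.get("CommandLine", "")
    if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        score += 1
        reasons.append("launched from Explorer (double-click, e.g. a .LNK)")
    if USER_WRITABLE.search(cmd):
        score += 2
        reasons.append("script lives in a user-writable directory")
    if ZIP_EXTRACT.search(cmd):
        score += 1
        reasons.append("script opened straight out of a ZIP (Temp1_ path)")
    if HIDDEN_FLAGS.search(cmd):
        score += 1
        reasons.append("//B or //E:jscript: silent run / engine override")
    return score, reasons


def detect(events):
    """Correlate launches with network connects by ProcessGuid and return alerts."""
    net_by_guid = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 3:
            net_by_guid[ev["ProcessGuid"]].append(
                f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        scored = score_launch(ev)
        if scored is None:
            continue
        score, reasons = scored
        conns = net_by_guid.get(ev["ProcessGuid"], [])
        if conns:
            score += 2
            reasons.append("outbound connection from the script host: " + ", ".join(conns))
        if score >= ALERT_THRESHOLD:
            alerts.append({"time": ev.get("UtcTime"), "guid": ev["ProcessGuid"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

The vendor's cscript job scores zero on every signal and stays quiet; the recruiter's wscript launch trips all four launch signals and then makes a connection, which is the point at which the in-memory stage would be fetched. Scoring rather than hard-matching keeps the rule useful when the actor drops one trick (say, the //B flag) but not the shape of the chain.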

Daily Brief Summary

MALWARE // FIN6 Shifts Tactics, Targets Recruiters with Malware on Job Sites

FIN6, previously known for credit card theft and point-of-sale attacks, now runs social engineering campaigns that target job recruiters via LinkedIn and Indeed; the phishing itself is low-complexity, with the effort going into the hosting and the evasion around it.

The cybercriminal group uses fake job-seeker profiles to lure recruiters to malicious websites hosted on AWS, disguised as personal portfolios.

Recruiters are tricked into downloading a ZIP file containing the More_eggs malware, a JavaScript-based backdoor that facilitates remote command execution, credential theft, and further malware delivery.

More_eggs operates in memory, which leaves little on disk for file-based detection to catch.

The domains used for the fake portfolios are registered anonymously and leverage privacy features from GoDaddy, complicating efforts to track and shut down the malicious sites.

Additional evasion layers include leaving the portfolio domain unlinked in the phishing email, so link scanners never see a URL to inspect, and a CAPTCHA plus environment checks on the site that screen out automated scanners and crawlers before the ZIP is served.

DomainTools has identified and published indicators of compromise to aid in the detection and analysis of this campaign, highlighting the ongoing threat from FIN6 through less conventional vectors.

Despite the article's joke about recruiters, it underscores the serious nature of such targeted phishing scams and the trust in unsolicited applicants that they exploit.