Speaking to crypto reporting website The Block on condition of anonymity, two inside sources at Sky Mavis claim that the company’s record-breaking Ronin Bridge crypto theft in March stemmed from a bogus job offer made to one of the company’s senior engineers.
The attack has previously been linked to state-sponsored actors in North Korea. If this additional information is true, the senior engineer was targeted on LinkedIn and baited into an elaborate fake job posting that involved multiple rounds of mock interviews.
$625M Crypto Theft Theory Highlights Danger of Job Portal Attacks
The fake job offer has not been confirmed by Sky Maven (and will likely not be commented on). Nonetheless, the story illustrates the real risks to organizations presented by LinkedIn and similar job portals.
The compromised Ronin network served as an Ethereum bridge to the popular NFT-based game Axie Infinity. Sources say LinkedIn recruiters have started approaching several Sky Maven staff members with job offers, encouraging them to submit applications. Those who did were subjected to an elaborate scheme that would involve multiple fake job interviews if the target continued in the pipeline.
The companies involved were entirely fictitious and lured Sky Maven staff with promises of “extremely generous” pay. The engineer who responded to the fake job posting eventually received a PDF file containing malware claiming to be documents related to the job acceptance. This malware gave the attackers access to four of the five validating nodes needed to control the network and perform crypto theft.
The fifth validation node was obtained through a previously reported method involving Axie Infinity. Towards the end of 2021, Sky Maven created temporary admin accounts with high-level access to facilitate a sudden influx of interest in the game and new user sign-ups. Sky Maven called it the Axie Decentralized Autonomous Organization (DAO), a temporary project that was to be discontinued in December 2021 after the workload decreased.
However, these accounts were still active and retained their permissions to allow certain types of transactions. The hackers used their new access to the Sky Maven network to gain access to these accounts and take control of a fifth validator node that Axie DAO had access to.
This isn’t the first time North Korea’s “Lazarus” hacking group has been spotted using fake job offers to approach targets. A 2020 campaign called “Operation In(ter)ception” was linked to the state-sponsored group, targeting numerous countries around the world with malware attached to job postings made via LinkedIn, Slack and WhatsApp. The group launched another campaign of this nature in the fall of 2021, ending this one in March during the general Axie Infinity crypto theft period. In both cases, these campaigns aimed to steal funds once the networks were hacked.
Sky Maven has since increased its number of validator nodes to 11 and said it plans to eventually onboard over 100. It also said it will refund customers who lost money due to theft. of crypto, and introduced a bug bounty program with rewards of up to $1 million.
Fake job postings are a powerful social engineering lure
Lazarus is unusual in that it is a state-sponsored hacking group whose main mission is to raise funds for its reclusive and highly sanctioned country; players in the fake jobs game are usually less sophisticated con artists looking to make a quick buck. It’s a very popular avenue of attack, however, with security firm Egress reporting a 232% peak in LinkedIn scam attempts in recent months. And it’s one that more sophisticated attackers will at least consider when planning spear-phishing campaigns, given that the right offer is quite capable of lowering your guard.
Attackers can fabricate a company entirely, as happened with the Axie crypto theft case, or they can create a “look-alike” of an existing company by slightly altering official names and using their logos and designs known communications. The purpose of these fake job postings is usually to harvest LinkedIn or Google login credentials by directing the victim to a legitimate-looking phishing page; the account can then be used to scam contacts and the credentials will almost certainly be tried against other sites to see if they are reused. More sophisticated attackers can do what the Axie crypto theft attackers did and transmit a PDF containing malware or spyware in an attempt to gain access to the target’s systems.
LinkedIn has also had vulnerabilities in its design that have been directly exploited to facilitate fake job postings. A famous example comes from 2019, when a bug appeared that allowed any user to post a job posting which would then appear on a related company’s business listing page. The list would appear genuine, but the attacker could place links attached to the “apply” button that would redirect to any external website (including, potentially, the attack sites). A Mashable report says unethical recruiters exploited this loophole for an extended period, even as LinkedIn users complained to the company about misdirection.
Danny Lopez, CEO of glass wall, sees all of this as a further call for organizations to bolster the vulnerable human element with more advanced automated defenses: “This is a perfect example of the risks of file-based threats and the ease with which hackers can infiltrate your systems via documents shared externally and internally. You can never be too careful – no matter how legitimate something looks on the surface, it can harbor malicious code. Taking a proactive approach to cybersecurity is far more effective cost-effective than relying on a reactive approach and simply responding to an attack that has already taken over your system.Content Disarm and Reconstruction (CDR) technology is an example of a proactive approach that provides immediate protection when a threat enters the computing environment. All files go through an instant four-step process to ensure that it is Every document is completely secure by removing any potentially malicious code… A simple and proactive solution like CDR is so valuable because it helps create a digital environment where a threat cannot exist.