500 million LinkedIn users for sale. ESET warns about the data exposure and about a phishing campaign that targets LinkedIn professionals and uses fake job offers as a lure.
Similar to what happened days ago with the Facebook case, in which the personal data of 533 million users was disclosed in hacking forums, ESET warns that the data of 500 million LinkedIn users is being marketed in forums of this kind.
The information is being offered through four files and includes full names, gender, email address, phone number, workplace and job description data, links to LinkedIn profiles, and also to other social networks.
Moreover, a sample file is being offered in exchange for $2 in credits within the forum. This sample contains the data of two million users, but apparently the minimum price to get the full information exceeds 1000. Although the actor marketing the data claims that it was extracted from LinkedIn, it is unknown whether the data is up to date or whether it was obtained from previous breaches suffered by the social network.
“As we said this week when the Facebook data disclosure became known, this information can be used by malicious actors to perform social engineering attacks. For example, personalized phishing emails that include specific data of the potential victim to convince them that it is legitimate, to impersonate the victim’s identity, and try to trick their contacts by creating cloned accounts. In this sense, using phone numbers they could also send SMS messages, communicate via WhatsApp or carry out telephone scams,” explained Josep Albors, ESET specialist.
An alert was also recently issued about a phishing campaign that targets LinkedIn professionals and uses fake job offers as a lure. The fake message includes a malicious ZIP file and attempts to convince potential victims to open it, which ultimately downloads the more eggs backdoor, created by Golden Chickens, onto the victim’s computer. This same backdoor has been distributed in the past year by APT groups such as Evilnum in attacks targeting financial companies.
The use of LinkedIn by criminals to contact their victims is not new. Last year ESET warned about how other espionage groups launched attacks on military and aerospace companies using social engineering via LinkedIn. “Therefore, this type of information can be of value to different criminal profiles, some more sophisticated, but mostly to fraudsters. Using unique passwords for each account, multi-factor authentication, and good security software, such as ESET, will help you protect yourself. And, if you can’t remember passwords or create unique and complex passwords, consider a password manager,” adds Tony Anscombe, Chief Security Evangelist at ESET.