FIN6 hackers pose as job seekers to backdoor recruiters' devices (http://txgate.io:443/showthread.php?t=51301210)

Artifact 06-10-2025 07:37 PM

<div id="post_message_796666">

In a twist on typical hiring-related social engineering attacks, the FIN6 hacking group impersonates job seekers to target recruiters, using convincing resumes and phishing sites to deliver malware.<br/>
<br/>
FIN6 (aka "Skeleton Spider") is a hacking group that was initially known for conducting financial fraud, including compromising point-of-sale (PoS) systems to steal credit cards. However, in 2019, the threat actors <a href="https://www.bleepingcomputer.com/news/security/fin6-group-diversifies-activity-uses-lockergoga-and-ryuk-ransomware/" target="_blank">expanded into ransomware attacks</a>, joining existing operations like Ryuk and Lockergoga.<br/>
<br/>
The group has recently used social engineering campaigns to deliver '<a href="https://www.bleepingcomputer.com/news/security/evilnum-hackers-use-the-same-malware-supplier-as-fin6-cobalt/" target="_blank">More Eggs</a>,' a malware-as-a-service JavaScript backdoor used for credential theft, system access, and ransomware deployment.<br/>
<br/>
<b><font size="4"><font color="White">Attack process</font></font></b><br/>
<br/>
In a <a href="https://dti.domaintools.com/Skeleton-Spider-Trusted-Cloud-Malware-Delivery/" target="_blank">new report by DomainTools</a>, researchers detail how FIN6 is switching up the typical employment scam by impersonating job seekers to target recruiters rather than posing as recruiters to lure job applicants.<br/>
<br/>
Hiding behind fake job seeker personas, they approach recruiters and HR departments via messages on LinkedIn and Indeed, where they build rapport before they follow up with phishing emails.<br/>
<br/>
These professionally crafted emails contain non-clickable URLs to the attackers' "resume sites", which evades link detection and blocking and forces recipients to type the addresses into their browsers manually.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/email.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Email sent to targets. Source: DomainTools

</td>
</tr>
</table>
</div>The domains, which are registered anonymously through GoDaddy, are hosted in AWS, a trusted cloud service that is not commonly flagged by security tools.<br/>
<br/>
The domains used by FIN6 in this campaign are named after the fake personas used for the attacks.<br/>
<br/>
FIN6 has also added environmental fingerprinting and behavioral checks to ensure that only their targets can open the landing pages containing their professional portfolio.<br/>
<br/>
VPN or cloud connections and attempts to visit from Linux or macOS are blocked and instead serve innocuous content.<br/>
<br/>
Qualified victims get a fake CAPTCHA step before they are prompted to download a ZIP archive that allegedly contains a resume but actually contains a disguised Windows shortcut file (LNK), which executes a script to download the "More Eggs" backdoor.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/site.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

CAPTCHA step on the landing page. Source: DomainTools

</td>
</tr>
</table>
</div>More Eggs, created by a threat actor called "Venom Spider," is a modular backdoor capable of command execution, credential theft, delivery of additional payloads, and PowerShell execution.<br/>
<br/>
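As an added illustration for defenders (not part of the original article or the DomainTools report), the following Python check inspects an incoming "resume" ZIP the way a mail gateway or analyst might, flagging entries that are Windows Shell Link (LNK) files by header magic, by .lnk extension, or by a document extension hidden before the final one; the sample archive and entry names are constructed.<br/>

```python
import io
import zipfile

# Fixed 20-byte prefix of a Windows Shell Link (LNK) file: HeaderSize 0x4C
# followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4C0000000114020000000000C000000000000046")

# Document types a genuine resume archive would plausibly carry.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with the Shell Link header, whatever the name says."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def inspect_resume_zip(zip_bytes: bytes) -> list:
    """Return one finding per suspicious archive entry (empty list if clean)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            content = zf.read(info)  # resume archives are small; reading whole is fine
            reasons = []
            if is_lnk(content):
                reasons.append("shell-link header magic")
            if lower.endswith(".lnk"):
                reasons.append(".lnk extension")
            # 'resume.pdf.lnk' -> ['resume', 'pdf', 'lnk']: a document extension
            # placed before the real one to fool users whose OS hides extensions.
            parts = lower.rsplit(".", 2)
            if len(parts) == 3 and "." + parts[1] in DOCUMENT_EXTENSIONS:
                reasons.append("document extension hidden before final extension")
            if reasons:
                findings.append({"entry": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign cover letter plus a disguised LNK entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cover_letter.txt", "Dear hiring manager, ...")
        # Constructed stand-in: real LNK header, zero-filled dummy body.
        zf.writestr("Resume_John_Doe.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()
```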
FIN6's attack is simple yet very effective, relying on social engineering and advanced evasion.<br/>
<br/>
Recruiters and human resources employees should approach invitations to review resumes and portfolios with caution, especially when the sender asks them to visit an external site to download a resume.<br/>
<br/>
Companies and recruiting agencies should also try to independently confirm a person's identity by contacting their references or people at companies they list as current/former employers before engaging further.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-seekers-to-backdoor-recruiters-devices/" target="_blank">@ BleepingComputer </a>
</div>

