
Protecting Yourself from LinkedIn Scams: How to Stay Safe in the Web3 Era

Officer's Blog, 2023/11/05 13:48
By: Officer's Blog

Platforms such as LinkedIn offer professionals a useful place to network, look for work, and build business relationships in today’s connected world. But with the advent of Web3 technologies and the ongoing evolution of the digital landscape, scams aimed at LinkedIn users are getting more complex and widespread…

Authors:  Ustas.eth ;  Officercia.eth

So, today, Ustas.eth and I will tell you about one of the various scams you may encounter while looking for a job on LinkedIn! This article also aims to shed light on recent LinkedIn scams and provide essential tips to help you stay protected in this new era of decentralized applications and smart contracts.


Let’s get started!

LinkedIn Scam Flow

Scammers first have a brief conversation about the project before sending a link to an archive of a repository:

Because job scams are usually simpler, with hackers just sending a malicious exe file, the victim usually does not suspect anything:

After receiving a file from the attacker and conducting a quick search of the public and source folders, “next.setup.js” proved to be one of the more intriguing files. It’s obfuscated:

Luckily (for us 😅)  Ustas.eth  had some experience with de-obfuscation before, so he beautified it via:

Unfortunately, that didn’t decode the strings, so Ustas.eth wrote a tiny script for this purpose. Here is the output:

From this point, we think the purpose of the file is pretty obvious. In order to trigger it, a dev has to install deps with yarn or npm, and run yarn start (for example):

sqlite3 child_process crypto exec request platform tmpdir homedir hostname type dirname get writeFileSync /client /.npl existsSync /store.node accessSync Default Profile /AppData/Local/Microsoft/Edge/User Data Windows_NT SELECT * FROM logins Local State aes-256-gcm origin_url username_value password_value CryptUnprotectData createDecipheriv readFile copyFile Login Data os_crypt encrypted_key Database latin1 U: W: P: unlink utf-8 filename multi_file formData url options value readdirSync statSync isDirectory /Library/Application Support/Google/Chrome /.config/google-chrome /AppData/Local/Google/Chrome/User Data /Library/Application Support/BraveSoftware/Brave-Browser /.config/BraveSoftware/Brave-Browser /AppData/Local/BraveSoftware/Brave-Browser/User Data /Library/Application Support/com.operasoftware.Opera /.config/opera /AppData/Roaming/Opera Software/Opera Stable/User Data Local Extension Settings .log .ldb solana_id.txt nkbihfbeogaeaoehlefnkodbefgpgknn ibnejdfjmmkpcnlpebklmnkoeoihofec ejbalbakoplchlghecdalmeeeajnimhm fhbohimaelbohpjbbldcngcnapndodjp bfnaelmomeimhlpmgjnjophhpkkoljpa hnfanknocfeofbddgcijnmhnfnkdnaad fnjhmkhhmkbjkkabndcnnogagogbneec aeachknmefphepccionboohckonoeemg hifafgmccdpekplomjjkcfgodnhcellj createReadStream /uploads /.config/solana/id.json /keys python p.zi /pdown renameSync rename rmSync tar -xf curl -Lo \.pyp\python.exe p2.zip /node/ path post

It’s also possible that it’s downloading something else via python, as there’s a p2.zip name (see above).
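A read-only triage pass over an unpacked archive, added here as an example (it is not the authors' de-obfuscation script): it flags JavaScript files that look obfuscated the way “next.setup.js” did and lists which other files mention them, so you can see what would run them before any install or start step. The thresholds, the function names `scoreFile` and `triage`, and the sample file contents are assumptions made for illustration.

```javascript
// Added example: read-only triage of an unpacked archive. Nothing is installed or executed.
const HEX_IDENT = /\b_0x[0-9a-f]{3,}\b/g;   // identifier style left by common JS obfuscators
const HEX_ESCAPE = /\\x[0-9a-f]{2}/gi;      // strings stored as \xNN escapes
// Strings taken from the decoded output quoted in the article.
const CAPABILITY = ['child_process', 'Login Data', 'Local Extension Settings',
  'CryptUnprotectData', '/.config/solana/id.json'];
// Thresholds are assumptions; tune them against your own code base.
const MIN_HEX_IDENTS = 10, MIN_HEX_ESCAPES = 20, MAX_LINE = 2000;

function scoreFile(source) {
  const reasons = [];
  const idents = (source.match(HEX_IDENT) || []).length;
  if (idents >= MIN_HEX_IDENTS) reasons.push(`hex-named identifiers: ${idents}`);
  const escapes = (source.match(HEX_ESCAPE) || []).length;
  if (escapes >= MIN_HEX_ESCAPES) reasons.push(`hex-escaped string bytes: ${escapes}`);
  const longest = source.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  if (longest > MAX_LINE) reasons.push(`longest line: ${longest} chars`);
  const caps = CAPABILITY.filter((s) => source.includes(s));
  if (caps.length) reasons.push(`capability strings: ${caps.join(', ')}`);
  return reasons;
}

// files: { relativePath: contents }. Flags JS files and lists which other files
// (package.json scripts, configs, requires) mention each flagged file by name.
function triage(files) {
  const report = {};
  for (const [name, src] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(name)) continue;
    const reasons = scoreFile(src);
    if (!reasons.length) continue;
    const stem = name.split('/').pop().replace(/\.[cm]?js$/, '');
    const referencedBy = Object.keys(files)
      .filter((other) => other !== name && files[other].includes(stem));
    report[name] = { reasons, referencedBy };
  }
  return report;
}

// Constructed sample: the file name is from the article, the contents are invented.
const SAMPLE = {
  'package.json': '{"scripts":{"start":"node next.setup.js && next start"}}',
  'next.setup.js': 'var _0x1a2b=["\\x63\\x68"];' +
    'function _0x3c4d(_0x5e6f){return _0x1a2b[_0x5e6f];}'.repeat(5),
  'pages/index.js': 'export default function Home() { return null; }',
};
console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

To check a real archive, fill the `files` map by reading its `.js` files and `package.json` from disk inside a VM, before running `npm install`, `yarn` or any start script.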

Here is a source file (do not install!):

  • drive.google.com/file/d/1ONFrT9BHvtZVoTZEcVTodbQvNMmEuZj2/view?usp=sharing

In our opinion, this looks quite similar to this attack that Lazarus Group is currently running, but this time the quality of the attack was lower: the script starts collecting data directly, without a loader.

We have reported this incident to the support team and hope that appropriate action will be taken:

Protection Against Attacks

Scammers’ attempts to take advantage of unsuspecting users have grown more crafty as Web3 technologies gain traction.  LinkedIn  is one such site where fraudulent activity has increased.

We also promised to talk about recent  LinkedIn  scams and offer helpful advice on how to avoid falling victim to these kinds of attacks in this article…

So, a few remarks regarding security:

If you work with files — use  dangerzone.rocks  or analogs like  Any.Run  or one of these:

  • PayloadsAllThePDFs

  • Entrusted

Below, I would also like to make a gallery of tips that you could explore in your spare time and increase your level of security. The idiom “Forewarned is forearmed” has never yet, in my memory, misfired:

  • Ask everyone who writes to you to upload files in preview mode. Use a separate device for work and try to use a device with Qubes OS!

  • Use sandboxing, such as Sandboxie or a VM.

  • Strengthen  security of your Web3 wallet as well — install  web3antirus.io  right now!

  • If you work a lot with files, particularly PDFs, you can use these protective  measures  or  dangerzone.rocks !

  • While you may be wary of third parties trying to steal your information, you should also  watch out for insider threats , such as negligent employees and disgruntled workers.

  • We recommend that you follow these  25 rules  to safeguard yourself from scammers!

The main goal is to convert a possibly infected PDF to pixels and vice versa. Even with all of the above, always work from a separate computer and a virtual machine sandbox!

Scammers often create fake LinkedIn profiles to establish a false sense of trust. Here are some indicators to look out for:

  • Incomplete or poorly written profiles: Genuine professionals usually have detailed and polished profiles.

  • Inconsistent or stolen profile pictures.

  • Limited connections and lack of endorsements or recommendations.

  • Profiles with generic job titles and ambiguous descriptions.

  • Profiles that claim to work for well-known companies, but lack verification.

Many LinkedIn scams involve fake job offers or investment opportunities. Protect yourself by:

  • Being skeptical of jobs that offer unrealistic salaries or promise easy money for minimal effort.

  • Researching the company and the recruiter independently before providing any personal information or making financial transactions.

  • Verifying job offers by directly contacting the company’s official email or phone number, rather than trusting details provided on LinkedIn.

While LinkedIn remains a vital platform for professional networking, it’s crucial to remain  vigilant  against potential scams. Key strategies to guard against LinkedIn scams include recognizing fake profiles, spotting phishing attempts, being wary of connection requests, being skeptical of job offers, and strengthening account security.

By following these tips, you can navigate the platform safely, allowing you to focus on building meaningful professional relationships!

Staying Safe In Web3

As we navigate the Web3 era, it is crucial to adapt to the evolving threat landscape and protect ourselves from  LinkedIn  scams. By understanding the risks, recognizing the various types of scams, and implementing the suggested tips, you can fortify your defenses and maintain a secure online presence:

As a digital nomad, owning cryptocurrency offers mobility,  flexibility , and financial independence, but it also introduces significant security risks. By implementing the suggested measures and utilizing recommended devices, digital nomads can  mitigate  these risks and ensure the safety of their cryptocurrency holdings and personal information.


Furthermore, embracing Web3 innovations that offer enhanced security can provide additional layers of protection, facilitating safer interactions within professional networks. By working together, we can strengthen the digital ecosystem and move toward a time when fewer scams occur and genuine connections on sites like LinkedIn are able to grow!

Stay Safe!
