Speaking to crypto reporting website The Block under condition of anonymity, two inside sources at Sky Mavis claim that the record-breaking crypto theft from the company’s Ronin bridge in March stems from a fake job offer made to one of the company’s senior engineers.
The attack has already been linked to state-sponsored actors in North Korea. If this additional information is true, the senior engineer was targeted on LinkedIn and baited into an elaborate fake job offer that involved several rounds of bogus interviews.
$625 million crypto theft theory highlights danger of job portal attacks
The fake job offer has not been confirmed by Sky Maven (and will likely not be commented on). Nevertheless, the story illustrates real risks to organizations presented by LinkedIn and similar job portal sites.
The compromised Ronin network served as an Ethereum bridge to the popular NFT-based game Axie Infinity. The sources say that LinkedIn recruiters began approaching multiple members of the Sky Maven staff with job openings, encouraging them to submit applications. Those that did were subject to an elaborate scheme that would involve multiple fake job interviews should the target continue down the pipeline.
The companies involved were entirely fictitious, and baited the Sky Maven staff with promises of “extremely generous” compensation packages. The engineer that bit on the fake job offer was eventually sent a malware-laced PDF file purporting to be papers related to acceptance of the job. This malware gave the attackers access to four out of the five validator nodes needed to control the network and execute the crypto theft.
The fifth validator node was obtained through a previously reported method involving Axie Infinity. Toward late 2021, Sky Maven set up temporary administrator accounts with high-level access to help facilitate a sudden influx of interest in the game and new users signing up. Sky Maven called this the Axie Decentralized Autonomous Organization (DAO), a temporary project that was supposed to be discontinued in December 2021 after the workload decreased.
However, these accounts were still active and retained their permissions to authorize certain types of transactions. The hackers used their newfound access to the Sky Maven network to get into these accounts and take control of a fifth validator node that Axie DAO had access to.
This is not the first time that North Korea’s “Lazarus” hacking group has been spotted using fake job offers to approach targets. A 2020 campaign called “Operation In(ter)ception” was tied to the state-sponsored group, targeting numerous countries throughout the world with malware attached to job offers made via LinkedIn, Slack and WhatsApp. The group started another campaign of this nature in the fall of 2021, winding that one up in March during the general time frame of the Axie Infinity crypto theft. In both cases, these campaigns sought to steal funds once networks were breached.
Sky Maven has since increased its number of validator nodes to 11, and said it eventually plans to incorporate over 100. It has also said that it will reimburse customers that lost money to the crypto theft, and has introduced a bug bounty program with rewards ranging up to $1 million.
Fake job offers are a powerful social engineering lure
Lazarus is unusual in being a state-sponsored hacking group that has a primary mission of securing funds for its reclusive and highly sanctioned country; the players in the fake job offer game are usually less sophisticated scammers looking to turn a quick buck. It is a very popular avenue of attack, however, with security firm Egress reporting a 232% spike in scam attempts on LinkedIn in recent months. And it is one that more sophisticated attackers will at least consider when they plot out spearphishing campaigns, given that the right offer is very capable of making people drop their guard.
Attackers may fabricate a company entirely, as happened with the Axie crypto theft case, or they may create a “lookalike” of an existing company by altering official names slightly and making use of their logos and known communications templates. The goal of these fake job offers is usually to harvest LinkedIn or Google login credentials by routing the victim to a legitimate-looking phishing page; the account may then be used to scam contacts and the credentials will almost certainly be tried against other sites to see if they are re-used. More sophisticated attackers may do what the Axie crypto theft attackers did and pass a PDF with malware or spyware in it in a bid to gain access to the target’s systems.
LinkedIn has also experienced vulnerabilities in its design that have been directly exploited to facilitate fake job offers. A famous example comes from 2019, when a bug appeared that allowed any user to post a job listing that would then appear on an associated company’s business listing page. The listing would appear to be authentic, but the attacker could place links attached to the “apply” button that would redirect to any external website (including, potentially, attack sites). A Mashable report indicates that unethical recruiters exploited this loophole for an extended period of time, even as LinkedIn users complained to the company about the misdirection.
Danny Lopez, CEO at Glasswall, sees all of this as yet another call for organizations to shore up the vulnerable human element with more advanced automated defenses: “This is a perfect example of the risks of file-based threats and how easy it is for hackers to infiltrate your systems through documents shared both externally and internally. You can never be too careful – no matter how legitimate something looks on the surface, it can harbor malicious code. Taking a proactive approach to cyber security is far more efficient and cost-effective than relying on a reactive approach and simply responding to an attack that has already gained control of your system. Content Disarm and Reconstruction (CDR) technology is an example of a proactive approach that provides immediate protection as a threat enters the IT environment. All files undergo an instant, four-step process to ensure that every document is completely safe by removing any potentially malicious code … A simple, proactive solution like CDR is so valuable because it helps to create a digital environment where a threat cannot exist.”