
Making the decision to leave your current job and seek employment elsewhere can be an exciting time as you imagine how much better your life and career will be when you find that dream job. But that excitement can quickly turn to anger and despair when the job search tool you were using to help you land that dream job turns out to be a phishing attack that stole your identity.

Sadly, this isn't just a hypothetical scenario, as the Zscaler ThreatLabZ team observed a scheme just like this come across the Zscaler cloud. In August 2020, we observed network activity to a malicious site that used LinkedIn, a popular professional networking and job search site, as the lure for a social engineering scheme designed to steal a user's credentials and spread malicious binaries. The bad actors also used a legitimate site hosting company, called Yola, to host the malicious content in an attempt to look even more legitimate. The .NET-based binaries hosted on this site are related to the Agent Tesla malware and to another malware family not previously seen in the wild, whose major functionality is information stealing and exfiltrating the stolen data through SMTP.

In this blog, we provide a detailed description of the tools, techniques, and procedures of this threat actor and the malicious binaries hosted on this site, as well as the credential phishing methods used.

Figure 1 below shows the site that was set up by the attackers on a legitimate website hosting server provided by Yola. The web user interface of the site uses the well-known LinkedIn logo and poses as a recruitment company called "Jobsfinder 3ee," which pretends to help candidates find relevant jobs in various geographical regions around the world. The download links on the web page lead to a ZIP archive containing the infostealer.

URL: hxxps:///

Figure 1: The main web page uses the LinkedIn logo but actually hosts the malicious content.
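Because the lure delivers its payload as a ZIP download, the first thing an analyst or a mail/web gateway wants is a static triage of the archive before anything is executed. The script below is an added example written for this post, not ThreatLabZ tooling or a sample of the actual archive: it lists every member of a ZIP, parses just enough of the PE header to tell a native executable from a .NET assembly (the post says the hosted binaries are .NET), and flags deceptive names such as `Job_Description.pdf.exe`. The archive it analyses is constructed in `build_sample_archive()` from header-only PE stubs, so the member names and contents are assumptions for illustration only.

```python
"""Static triage of a downloaded ZIP archive for dropped Windows executables.

Added example, not part of the original post. The sample archive built by
build_sample_archive() is constructed here from header-only PE stubs (no
sections, not loadable) and contains no real malware.
"""
import io
import struct
import zipfile

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".msi", ".dll"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}   # common "first" extension in a double extension
CLR_DIRECTORY_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero only in .NET assemblies


def classify_pe(data: bytes) -> dict:
    """Parse just enough of a PE header to answer: is this a PE, and is it .NET?"""
    info = {"is_pe": False, "is_dotnet": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the "PE\0\0" signature
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    opt = e_lfanew + 24                                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                           # PE32
        nrva_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                                         # PE32+
        nrva_off, dir_off = opt + 108, opt + 112
    else:
        return info
    if nrva_off + 4 > len(data):
        return info
    nrva = struct.unpack_from("<I", data, nrva_off)[0]          # NumberOfRvaAndSizes
    entry = dir_off + CLR_DIRECTORY_INDEX * 8
    if nrva > CLR_DIRECTORY_INDEX and entry + 8 <= len(data):
        va, size = struct.unpack_from("<II", data, entry)
        info["is_dotnet"] = va != 0 and size != 0
    return info


def triage_zip(zip_bytes: bytes) -> list:
    """Return one finding per archive member with the reasons it looks suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            base = member.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            double_ext = len(parts) > 2 and "." + parts[-2] in DECOY_EXTS   # e.g. resume.pdf.exe
            with zf.open(member) as fh:
                head = fh.read(1 << 20)                          # PE headers sit at the front of the file
            pe = classify_pe(head)
            reasons = []
            if pe["is_pe"]:
                reasons.append(".NET PE" if pe["is_dotnet"] else "native PE")
            if ext in EXEC_EXTS:
                reasons.append("executable extension")
            if double_ext:
                reasons.append("double extension")
            if pe["is_pe"] and ext not in EXEC_EXTS:
                reasons.append("PE disguised with non-executable extension")
            findings.append({"name": member.filename, "size": member.file_size,
                             "is_pe": pe["is_pe"], "is_dotnet": pe["is_dotnet"],
                             "suspicious": bool(reasons), "reasons": reasons})
    return findings


def _pe_stub(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Header-only PE used as constructed test input (DOS header, COFF header, optional header)."""
    n_dirs = 16
    magic, fixed_len = (0x20B, 112) if pe32plus else (0x10B, 96)
    dirs = [(0, 0)] * n_dirs
    if dotnet:
        dirs[CLR_DIRECTORY_INDEX] = (0x2008, 72)                # non-zero CLR header RVA/size marks a .NET image
    opt = struct.pack("<H", magic) + b"\0" * (fixed_len - 6) + struct.pack("<I", n_dirs)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    return dos + b"PE\0\0" + coff + opt


def build_sample_archive() -> bytes:
    """Constructed sample lure archive: a decoy text file plus two PE stubs with deceptive names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Jobsfinder/README.txt", "Open the attached job description.\n")
        zf.writestr("Jobsfinder/Job_Description.pdf.exe", _pe_stub(dotnet=True))
        zf.writestr("Jobsfinder/Salary_Table.pdf", _pe_stub(dotnet=False, pe32plus=True))
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']}  {', '.join(f['reasons'])}")
```

The .NET check reads data directory entry 14 (the CLR runtime header) from the optional header rather than trusting the extension, so a .NET stealer renamed to `.pdf` is still flagged; the double-extension check catches the opposite trick, where a decoy extension is placed before the real `.exe`. On a real archive, pass the downloaded bytes to `triage_zip()` and treat any finding with `suspicious` set as something to detonate in a sandbox rather than open.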
