
FIN6's Innovative Phishing Tactics: A New Threat to Recruiters
The FIN6 hacking group, also known as “Skeleton Spider,” has inverted the usual phishing pattern by posing as job seekers rather than recruiters in order to infiltrate organizations. This approach targets recruiters and HR departments directly, using professional networking sites like LinkedIn and Indeed to establish initial contact. By crafting convincing job seeker personas, FIN6 sets the stage for phishing attempts that include professionally designed resumes and links to seemingly legitimate portfolio sites. These tactics are designed to bypass security controls and exploit the trust placed in reputable platforms like Amazon Web Services (BleepingComputer, DomainTools).
FIN6’s Social Engineering Tactics
Impersonation of Job Seekers
The FIN6 hacking group, also known as “Skeleton Spider,” has adopted a novel approach to infiltrate organizations by impersonating job seekers. This tactic is a departure from traditional methods where attackers pose as recruiters to lure job applicants. Instead, FIN6 targets recruiters and human resources departments directly. They craft fake job seeker personas and approach recruiters via professional networking sites like LinkedIn and Indeed. By building rapport through initial messages, they set the stage for subsequent phishing attempts. These phishing emails are designed to appear legitimate, often containing professionally crafted resumes and links to external sites purportedly hosting the applicant’s portfolio. The URLs are non-clickable, requiring recipients to manually enter them into their browsers, thus evading detection by security tools (BleepingComputer).
Use of Phishing Sites and Malware Delivery
FIN6’s phishing strategy involves directing recruiters to external websites that host malware. These sites are cleverly disguised as portfolio pages or resume sites, making them appear legitimate. The domains used in these campaigns are registered anonymously through services like GoDaddy and are hosted on trusted platforms such as Amazon Web Services (AWS). This choice of hosting provider is strategic, as AWS is a reputable cloud service that is less likely to be flagged by security systems. Some of the domains used in these attacks include bobbyweisman[.]com, emersonkelly[.]com, and davidlesnick[.]com. Once the recruiter visits these sites, malware is delivered to their systems, providing FIN6 with backdoor access (DomainTools).
Exploitation of Trusted Platforms
A key aspect of FIN6’s social engineering tactics is their exploitation of trusted platforms to host malicious content. By using AWS to host their phishing sites, they leverage the inherent trust that organizations place in such well-known and widely used cloud services. This trust reduces the likelihood of immediate suspicion or blocking by security tools, allowing the malware to be delivered more effectively. The lesson is that a hosting provider’s reputation is not a trust signal on its own: organizations also need controls that inspect the content and behaviour of what is delivered, regardless of where it is hosted (Proofpoint).
Advanced Evasion Techniques
Like a magician who keeps the audience watching one hand while the other does the work, FIN6 uses evasion techniques that direct attention away from the point where a security control would otherwise act. One such technique is the use of non-clickable URLs in phishing emails. Because recipients must type these URLs into their browsers by hand, the message carries no hyperlink for link-scanning and URL-rewriting mechanisms to inspect or block. In addition, professionally crafted emails that mimic legitimate job applications lower the guard of recipients, making them less likely to suspect malicious intent. This combination of tactics highlights the sophistication of FIN6’s social engineering efforts and the need for heightened vigilance among recruiters and HR professionals (Trend Micro).
Recommendations for Mitigation
To counter the threat posed by FIN6’s social engineering tactics, organizations should implement a multi-layered security approach. This includes educating employees, particularly those in recruiting and HR functions, about the risks of phishing attacks and the importance of verifying the authenticity of job applications. Organizations should also consider implementing advanced email filtering solutions that can detect and block suspicious emails before they reach the intended recipient. Additionally, verifying the identity of job applicants through independent channels, such as contacting references or previous employers, can help to prevent successful infiltration by attackers posing as job seekers. By adopting these measures, organizations can better protect themselves against the sophisticated tactics employed by FIN6 (Clipeus Intelligence).
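The non-clickable URL trick described above leaves a detectable trace of its own: a URL-like string in the plain-text body that has no corresponding hyperlink, often next to wording that asks the reader to type it into a browser. The following Python scanner is an added example written for this article, not code from any of the cited vendors. It refangs the three domains the article reports (bobbyweisman[.]com, emersonkelly[.]com, davidlesnick[.]com), extracts URL-like tokens from a message body while ignoring e-mail addresses, compares them against the hyperlinks in the HTML part, and grades each finding. The sample messages, the `jane-portfolio.test` and `example-hr.test` hostnames and the `scan_message` / `Finding` names are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Domains reported in the article's coverage of the campaign, kept defanged as
# published and refanged only when loaded into the matcher.
PUBLISHED_INDICATORS = (
    "bobbyweisman[.]com",
    "emersonkelly[.]com",
    "davidlesnick[.]com",
)

def refang(indicator: str) -> str:
    """Convert a defanged indicator ('example[.]com', 'hxxp://') into matchable form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()

BAD_DOMAINS = frozenset(refang(d) for d in PUBLISHED_INDICATORS)

# A URL-like token in plain text, with or without a scheme. The lookbehind and
# lookahead stop e-mail addresses (user@host) and mid-word fragments from matching.
URL_RE = re.compile(
    r"(?<![\w@.-])(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w@])(?:/[^\s<>\"']*)?",
    re.IGNORECASE,
)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Wording that asks the reader to type the address by hand, as the article describes.
MANUAL_ENTRY_RE = re.compile(r"\b(copy|paste|type|enter)\b[^.\n]{0,40}\bbrowser\b", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    domain: str
    severity: str   # "high", "medium" or "low"
    reason: str

def extract_domains(text: str) -> list[str]:
    """Hostnames of every URL-like token in text, lower-cased, in order of appearance."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]

def linked_domains(html: str) -> set[str]:
    """Hostnames that are genuine hyperlink targets in the HTML part of the message."""
    return set(extract_domains(" ".join(HREF_RE.findall(html))))

def scan_message(plain_body: str, html_body: str = "",
                 allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    """Grade each distinct plain-text URL: known indicator > unlinked plus manual-entry
    wording > unlinked only. Allow-listed domains are skipped unless they are indicators."""
    linked = linked_domains(html_body)
    wants_manual_entry = bool(MANUAL_ENTRY_RE.search(plain_body))
    findings: list[Finding] = []
    seen: set[str] = set()
    for dom in extract_domains(plain_body):
        if dom in seen:
            continue
        seen.add(dom)
        if dom in BAD_DOMAINS:
            findings.append(Finding(dom, "high", "domain on published FIN6 indicator list"))
        elif dom in allowlist or dom in linked:
            continue  # the organisation's own domain, or a real hyperlink the gateway can scan
        elif wants_manual_entry:
            findings.append(Finding(dom, "medium",
                                    "plain-text URL with no hyperlink, plus a request to type it into the browser"))
        else:
            findings.append(Finding(dom, "low", "plain-text URL with no matching hyperlink"))
    return findings

# Constructed sample messages (not real captures).
LURE_PLAIN = (
    "Hello, thank you for considering me for the Senior Analyst role.\n"
    "My resume and portfolio are at jane-portfolio.test/work - the link is "
    "disabled for security, so please copy the address into your browser.\n"
    "Earlier work is archived at davidlesnick.com/archive.\n"
    "You can reach me at jane.doe@example-mail.test.\n"
)
BENIGN_PLAIN = (
    "Hi, thanks for the update. The job description is at "
    "www.example-hr.test/careers/1234 as discussed.\n"
)
BENIGN_HTML = '<p>The job description is <a href="https://www.example-hr.test/careers/1234">here</a>.</p>'

if __name__ == "__main__":
    for label, plain, html in (("lure", LURE_PLAIN, ""), ("benign", BENIGN_PLAIN, BENIGN_HTML)):
        print(label, scan_message(plain, html) or "no findings")
```

The "low" grade on its own is noisy (signature blocks and job boards commonly carry bare URLs), so it is best used as a scoring input for messages addressed to recruiting mailboxes rather than as a blocking rule, while the "high" and "medium" grades are reasonable candidates for quarantine or analyst review.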
Final Thoughts
The sophisticated social engineering tactics employed by FIN6 highlight the evolving nature of cyber threats. By exploiting trusted platforms and employing advanced evasion techniques, they effectively bypass traditional security measures. Organizations must adopt a multi-layered security approach, including educating employees and implementing advanced email filtering solutions, to mitigate these threats. The importance of verifying the authenticity of job applications cannot be overstated, as it serves as a critical line of defense against such sophisticated attacks (Proofpoint, Trend Micro).
References
- BleepingComputer. (2024). FIN6 hackers pose as job seekers to backdoor recruiters’ devices. https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-seekers-to-backdoor-recruiters-devices/
- DomainTools. (2024). FIN6 hackers pose as job seekers to backdoor recruiters’ devices. https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-seekers-to-backdoor-recruiters-devices/
- Proofpoint. (2024). Security brief: TA4557 targets recruiters directly via email. https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email
- Trend Micro. (2024). Recruitment sector under siege: New spear-phishing campaign deploys more_eggs backdoor. https://www.enterprisesecuritytech.com/post/recruitment-sector-under-siege-new-spear-phishing-campaign-deploys-more_eggs-backdoor
- Clipeus Intelligence. (2024). FIN6 targets recruiters. https://www.clipeusintelligence.com/post/fin6-targets-recruiters