···11+---
22+title: "Spearphishing: it can happen to you too"
33+date: 2022-07-09
44+tags:
55+ - linkedin
66+ - infosec
77+---
88+99+<xeblog-hero file="the-fool" prompt="The Fool in a woodcut tarot card style"></xeblog-hero>
1010+1111+For some reason, LinkedIn has become the de-facto social network for
1212+professionals. It is viewed as a powerful networking and marketing site that
1313+lets professionals communicate, find new opportunities and source talent at
1414+eye-watering speed and rates. However, at the same time this also means that
1515+LinkedIn becomes a treasure trove of data to enable spearphising attacks.
1616+1717+Let's consider [this attack against popular "play to earn" game Axie
1818+Infinity](https://www.theblock.co/post/156038/how-a-fake-job-offer-took-down-the-worlds-most-popular-crypto-game).
1919+The attackers had PDF based malware that allowed them to get access to a target
2020+computer, so they needed someone to open a PDF to trigger the exploit chain that
2121+let them gain a foothold. But they specifically wanted people that likely had
2222+access to the crypto wallets that enable control of the blockchain. LinkedIn let
2323+them filter by employees at the company behind Axie Infinity that were
2424+developers and likely started spearphishing by role and seniority. The details
2525+of the attack spell out that the attackers had set up a whole fake interview
2626+process to convince the marks that the process was legitimate and they put the
2727+malware in the offer letter. The attackers later gained access to the validator
2828+wallets and then they were able to make off with over half a billion dollars
2929+worth of cryptocurrency.
3030+3131+<xeblog-conv name="Numa" mood="delet">Maybe, just maybe you shouldn't store a
3232+majority of the keys required to validate something on _the same computer_.
3333+Especially if those keypairs control assets worth close to _half a billion
3434+dollars_. Holy heck.</xeblog-conv>
3535+3636+The malware was in the offer letter. This is the kind of social engineering
3737+attack that I bet any one of you reading this article could fall for. Hell, I'd
3838+probably fall for this. This may be the wrong kind of take to have, but I'm
3939+really starting to wonder if using LinkedIn so much is actually bad for
4040+security. It's not just recruiters reading through LinkedIn anymore, it's also
4141+threat actors that are trying to break in and do God knows what. Maybe we as an
4242+industry should stop feeding all of that data into LinkedIn. Not only would it
4343+give you less recruiter spam, maybe it'll make spearphishing attacks more
4444+difficult too.
4545+4646+<xeblog-conv name="Cadey" mood="coffee">Also, yes we can't trust PDFs anymore,
4747+especially after exploits like
4848+[FORCEDENTRY](https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html)
4949+became a thing.</xeblog-conv>
5050+5151+Either way, I may end up getting a disposable machine for dealing with reading
5252+PDFs from unknown sources in the future. I could use a virtual machine for this,
5353+but if my threat model includes PDFs having exploits in them then I probably
5454+can't trust a virtual machine to be a reasonable security barrier. I don't know.
5555+It sucks that we can't trust people anymore.
5656+5757+I kinda wish we could.
5858+5959+---
6060+6161+<xeblog-conv name="Mara" mood="hacker">Fun fact: the tarot card "The Fool"
6262+doesn't actually imply idiocy in a malicious way. The major arcana of the tarot
6363+is a bunch of memes that describe the story of The Fool's journey through magick
6464+and learning how the world works. The Fool is not an idiot, The Fool is just
6565+someone that is unaware of the difficulties they are going to face in life and
6666+treats things optimistically. Think a free spirit as opposed to someone that is
6767+foolhardy (though foolhardiness is the meaning of The Fool when the card is
6868+inverted).</xeblog-conv>