The code and data behind xeiaso.net
5
fork

Configure Feed

Select the types of activity you want to include in your feed.

Spearphishing

Signed-off-by: Xe Iaso <me@christine.website>

Xe Iaso 18ae8a01 04151593

+68
+68
blog/spearphishing.markdown
··· 1 + --- 2 + title: "Spearphishing: it can happen to you too" 3 + date: 2022-07-09 4 + tags: 5 + - linkedin 6 + - infosec 7 + --- 8 + 9 + <xeblog-hero file="the-fool" prompt="The Fool in a woodcut tarot card style"></xeblog-hero> 10 + 11 + For some reason, LinkedIn has become the de-facto social network for 12 + professionals. It is viewed as a powerful networking and marketing site that 13 + lets professionals communicate, find new opportunities and source talent at 14 + eye-watering speed and rates. However, at the same time this also means that 15 + LinkedIn becomes a treasure trove of data to enable spearphising attacks. 16 + 17 + Let's consider [this attack against popular "play to earn" game Axie 18 + Infinity](https://www.theblock.co/post/156038/how-a-fake-job-offer-took-down-the-worlds-most-popular-crypto-game). 19 + The attackers had PDF based malware that allowed them to get access to a target 20 + computer, so they needed someone to open a PDF to trigger the exploit chain that 21 + let them gain a foothold. But they specifically wanted people that likely had 22 + access to the crypto wallets that enable control of the blockchain. LinkedIn let 23 + them filter by employees at the company behind Axie Infinity that were 24 + developers and likely started spearphishing by role and seniority. The details 25 + of the attack spell out that the attackers had set up a whole fake interview 26 + process to convince the marks that the process was legitimate and they put the 27 + malware in the offer letter. The attackers later gained access to the validator 28 + wallets and then they were able to make off with over half a billion dollars 29 + worth of cryptocurrency. 30 + 31 + <xeblog-conv name="Numa" mood="delet">Maybe, just maybe you shouldn't store a 32 + majority of the keys required to validate something on _the same computer_. 33 + Especially if those keypairs control assets worth close to _half a billion 34 + dollars_. Holy heck.</xeblog-conv> 35 + 36 + The malware was in the offer letter. This is the kind of social engineering 37 + attack that I bet any one of you reading this article could fall for. Hell, I'd 38 + probably fall for this. This may be the wrong kind of take to have, but I'm 39 + really starting to wonder if using LinkedIn so much is actually bad for 40 + security. It's not just recruiters reading through LinkedIn anymore, it's also 41 + threat actors that are trying to break in and do God knows what. Maybe we as an 42 + industry should stop feeding all of that data into LinkedIn. Not only would it 43 + give you less recruiter spam, maybe it'll make spearphishing attacks more 44 + difficult too. 45 + 46 + <xeblog-conv name="Cadey" mood="coffee">Also, yes we can't trust PDFs anymore, 47 + especially after exploits like 48 + [FORCEDENTRY](https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html) 49 + became a thing.</xeblog-conv> 50 + 51 + Either way, I may end up getting a disposable machine for dealing with reading 52 + PDFs from unknown sources in the future. I could use a virtual machine for this, 53 + but if my threat model includes PDFs having exploits in them then I probably 54 + can't trust a virtual machine to be a reasonable security barrier. I don't know. 55 + It sucks that we can't trust people anymore. 56 + 57 + I kinda wish we could. 58 + 59 + --- 60 + 61 + <xeblog-conv name="Mara" mood="hacker">Fun fact: the tarot card "The Fool" 62 + doesn't actually imply idiocy in a malicious way. The major arcana of the tarot 63 + is a bunch of memes that describe the story of The Fool's journey through magick 64 + and learning how the world works. The Fool is not an idiot, The Fool is just 65 + someone that is unaware of the difficulties they are going to face in life and 66 + treats things optimistically. Think a free spirit as opposed to someone that is 67 + foolhardy (though foolhardiness is the meaning of The Fool when the card is 68 + inverted).</xeblog-conv>