The financially motivated cybercrime group known as FIN6, also tracked as Skeleton Spider, has turned its focus to human resources professionals, running an elaborate social engineering scheme in which fake job applications deliver malware. The campaign was documented in a recent report by cybersecurity firm DomainTools, which describes it as a significant evolution in the tactics employed by cybercriminals.
According to the report, attackers actively impersonate job seekers on professional networks such as LinkedIn and Indeed, successfully building rapport with recruiters before deploying phishing emails containing malicious links disguised as resumes. This strategy capitalizes on the inherent trust that exists in the job application process to bypass standard security measures.
The report details that these attacks represent a significant escalation in social engineering tactics, marking a departure from traditional mass phishing campaigns. The targeted nature of these operations requires extensive reconnaissance, indicating a strategic shift by FIN6 towards securing high-value targets.
What distinguishes this campaign is the group’s use of trusted cloud services, specifically Amazon Web Services (AWS), to blend its infrastructure in with legitimate traffic. FIN6 registers domains that match its fake applicant personas, such as bobbyweisman.com and ryanberardi.com, and hosts them on AWS infrastructure, so a recruiter who receives a “resume” link sees a domain matching the name of the person they have been corresponding with, resolving to cloud IP space that most network filters treat as benign. The result is infrastructure that evades detection while keeping a low profile.
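As an added example (not code from the DomainTools report, nor from any vendor product), the triage below flags inbound “application” e-mail whose resume link points at a domain built from the sender’s own display name, the pattern behind bobbyweisman.com and ryanberardi.com, and separately notes a resume offered only as an off-site link with no attachment. The mail records, the allowlist of job sites and the minimum name length are constructed assumptions; a real deployment would read the same fields from the mail gateway and enrich the domain with registration age.

```python
"""Flag job-application e-mail whose 'resume' link points at a domain
named after the applicant persona. Added example; not DomainTools' code.
Sample mails below are constructed test data, not real messages."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: places where a legitimate resume link normally lives.
# Extend with your ATS vendor and your own careers portal.
KNOWN_JOB_SITES = {"linkedin.com", "indeed.com", "greenhouse.io", "lever.co"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
RESUME_RE = re.compile(r"\b(resume|cv)\b", re.I)
MIN_NAME_LEN = 6  # assumption: very short names produce too many false matches


@dataclass
class Mail:
    display_name: str
    from_addr: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def normalize_name(name: str) -> str:
    """'Bobby  Weisman' -> 'bobbyweisman' (lower case, letters only)."""
    return re.sub(r"[^a-z]", "", name.lower())


def registrable_domain(url: str) -> str:
    """'https://www.ryanberardi.com/cv' -> 'ryanberardi.com'.
    Simplification: last two labels only, no public-suffix list (co.uk etc.)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def persona_domains(mail: Mail) -> list[str]:
    """Domains linked in the mail whose second-level label starts with the
    sender's own normalized name (bobbyweisman, bobbyweisman-cv, ...) and
    which are not a known job site."""
    name = normalize_name(mail.display_name)
    if len(name) < MIN_NAME_LEN:
        return []
    hits: list[str] = []
    for url in URL_RE.findall(mail.body):
        dom = registrable_domain(url)
        if dom in KNOWN_JOB_SITES:
            continue
        label = normalize_name(dom.split(".")[0])
        if label.startswith(name) and dom not in hits:
            hits.append(dom)
    return hits


def triage(mail: Mail) -> list[str]:
    """Return the list of reasons this mail deserves a closer look."""
    reasons = []
    if persona_domains(mail):
        reasons.append("link domain is built from the applicant's own name")
    mentions_resume = RESUME_RE.search(mail.subject + " " + mail.body)
    offsite_links = [u for u in URL_RE.findall(mail.body)
                     if registrable_domain(u) not in KNOWN_JOB_SITES]
    if mentions_resume and offsite_links and not mail.attachments:
        reasons.append("resume offered only as an off-site link, no attachment")
    return reasons


# Constructed sample mails: two mimicking the reported pattern, one benign.
SAMPLE_MAILS = [
    Mail("Bobby Weisman", "bobby.weisman@example.net",
         "Application for Senior Recruiter role",
         "Hi, following our chat on LinkedIn, my resume is here: "
         "https://bobbyweisman.com/resume"),
    Mail("Ryan Berardi", "ryan@example.org",
         "Resume as discussed",
         "Resume: https://www.ryanberardi.com/cv/Ryan_Berardi_Resume.pdf Thanks!"),
    Mail("Dana Okafor", "dana.okafor@example.com",
         "Application - Payroll Analyst",
         "Resume attached; my profile is https://www.linkedin.com/in/dana-okafor",
         attachments=["Dana_Okafor_Resume.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLE_MAILS:
        print(f"{m.display_name:15} {m.from_addr:28} -> {triage(m) or 'no findings'}")
```

The name-to-domain match is the cheap, high-signal part; the second rule is noisier on its own and is there so that an applicant who registers a real personal site but also attaches a resume is not flagged twice.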
Researchers from DomainTools noted that, “FIN6 hosts its phishing sites using trusted cloud infrastructure, including AWS.” They emphasized the appeal of cloud platforms due to the low cost and swift setup offered by services like EC2 and S3, which can often bypass enterprise network filters.
Despite being contacted for comment, AWS representatives declined to provide specifics but reiterated their commitment to enforcing compliance with their service terms. LinkedIn and Indeed did not respond to inquiries about the findings.
The phishing sites also filter traffic to tell genuine victims from security researchers, serving the malicious content only to visitors arriving from residential IP addresses. The practical consequence for defenders is that a sandbox or URL scanner that detonates the link from cloud or corporate IP space will typically be shown a harmless page, so a clean verdict from such a tool is not evidence that the link is safe.
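To make the filtering concrete, the added example below (not code recovered from the campaign; the gate is an assumed minimal implementation of the behaviour the report describes) shows a server that returns a decoy unless the client’s network owner looks residential, and the check a defender can run against it: fetch the same URL from a cloud egress and a residential egress and compare the content. The IP-to-owner table, the hosting keyword list and the fetch function are constructed stand-ins for an IP-to-ASN feed and real HTTP requests.

```python
"""Residential-IP gating of the kind described in the report, and the
two-vantage-point check that exposes it. Added example: the gate is an
assumed reconstruction of the described behaviour, not FIN6's code, and the
IP-to-owner table is constructed."""
import hashlib
import re
from typing import Callable

# Constructed lookups standing in for an IP-to-ASN / WHOIS feed (assumption).
IP_OWNER = {
    "203.0.113.10": "EXAMPLE-BROADBAND Residential DSL",  # home line
    "198.51.100.7": "AMAZON-02",                          # cloud sandbox egress
    "192.0.2.55": "GOOGLE-CLOUD-PLATFORM",                # another cloud egress
}
# Assumption: owner strings that mark datacenter / hosting space.
HOSTING_MARKERS = ("AMAZON", "GOOGLE", "MICROSOFT", "DIGITALOCEAN", "OVH",
                   "HETZNER", "LINODE", "HOSTING")

DECOY = b"<html><body><p>This resume has been removed.</p></body></html>"
LURE = (b"<html><body><a href=\"/Bobby_Weisman_Resume.zip\">"
        b"Download resume</a></body></html>")


def is_residential(ip: str) -> bool:
    """Unknown owners are treated as non-residential: the gate errs toward
    showing the decoy rather than risk exposing the lure to a scanner."""
    owner = IP_OWNER.get(ip, "").upper()
    return bool(owner) and not any(m in owner for m in HOSTING_MARKERS)


def gated_page(ip: str) -> bytes:
    """Server-side gate: the real lure only for residential clients."""
    return LURE if is_residential(ip) else DECOY


def fingerprint(body: bytes) -> str:
    """Hash of the body with whitespace collapsed, so cosmetic differences
    (padding, line endings) do not masquerade as cloaking."""
    return hashlib.sha256(re.sub(rb"\s+", b" ", body).strip()).hexdigest()


def looks_cloaked(fetch: Callable[[str, str], bytes], url: str,
                  cloud_ip: str, residential_ip: str) -> bool:
    """Defender check: request the same URL from a cloud egress and a
    residential egress. A static 'resume' page should not depend on who is
    asking; differing content means the site is filtering its visitors."""
    return fingerprint(fetch(url, cloud_ip)) != fingerprint(fetch(url, residential_ip))


def simulated_fetch(url: str, source_ip: str) -> bytes:
    """Stand-in for an HTTP client bound to a given egress (assumption)."""
    return gated_page(source_ip)


if __name__ == "__main__":
    url = "https://bobbyweisman.com/resume"   # domain named in the report
    for ip in IP_OWNER:
        print(f"{ip:14} {IP_OWNER[ip]:36} -> {gated_page(ip)[:40]!r}")
    print("cloaked:", looks_cloaked(simulated_fetch, url, "198.51.100.7", "203.0.113.10"))
```

Two cloud vantage points will agree with each other and both see the decoy, which is exactly why a sandbox verdict alone is misleading here; the comparison only works when one of the two fetches genuinely originates from residential space.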
As FIN6 continues to adapt, its methods reflect a broader trend in the cybercrime landscape in which traditional security controls fall short against human-centric exploitation. Experts warn that organizations must strengthen their posture with targeted training for HR personnel and stricter verification of resume submissions, for instance by treating a resume delivered as an external link rather than through the organization’s own application channel as untrusted until it has been checked.
The report concludes with a call for organizations to reinforce layered defenses and maintain heightened awareness of unusual digital behaviors that may indicate cyber compromise.