Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed Ov3r_Stealer.

“This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors,” Trustwave SpiderLabs said in a report shared with The Hacker News.

Ov3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.

The threat actors use a weaponized PDF file that redirects users through multiple sites before the malware is ultimately installed, all without the user being aware of what is happening to them.

It’s worth noting at this stage that a near-identical infection chain was recently disclosed by Trend Micro as having been put to use by threat actors to drop another stealer called Phemedrone Stealer by exploiting the Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS score: 8.8).
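The report only says the stolen data is sent to a Telegram channel the actor monitors; the usual way malware does that is the Telegram Bot API over HTTPS, whose URLs have the shape https://api.telegram.org/bot<token>/<method>. The following is an added detection example, not code from the original article or from Trustwave: it scans constructed web-proxy log lines (timestamp, source IP, HTTP method, URL, user agent) for Bot API calls, rates file- and message-sending methods higher than a plain getMe probe, and redacts the bot token in the alert so the secret is not copied into tickets. The log format, the sample lines and the severity mapping are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not from the report). Format assumed here:
# "<timestamp> <src_ip> <http_method> <url> <user_agent>"
SAMPLE_PROXY_LOG = """\
2024-02-07T09:14:02Z 10.0.5.23 GET https://www.example.com/jobs/apply Mozilla/5.0
2024-02-07T09:14:09Z 10.0.5.23 POST https://api.telegram.org/bot123456789:AAExampleTokenExampleToken/sendDocument python-requests/2.31
2024-02-07T09:15:01Z 10.0.5.41 GET https://web.telegram.org/a/ Mozilla/5.0
2024-02-07T09:16:30Z 10.0.5.23 POST https://api.telegram.org/bot123456789:AAExampleTokenExampleToken/sendMessage python-requests/2.31
2024-02-07T09:17:00Z 10.0.5.77 GET https://api.telegram.org/bot987654:OtherExampleToken/getMe curl/8.4
"""

# Telegram Bot API paths look like /bot<token>/<method>; the token is "<bot id>:<secret>".
BOT_API_PATH = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)$")

# Methods that push content out of the host; everything else (getMe, getUpdates, ...)
# still shows a bot token in use from a workstation, just with less certainty of exfil.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo"}


def redact_token(token: str) -> str:
    """Keep only the numeric bot id so analysts can correlate without copying the secret."""
    bot_id = token.split(":", 1)[0]
    return f"{bot_id}:<redacted>"


def parse_line(line: str):
    """Split one proxy log line into fields; return None for malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None
    timestamp, src_ip, http_method, url = parts[:4]
    user_agent = parts[4] if len(parts) == 5 else ""
    return {"timestamp": timestamp, "src_ip": src_ip, "http_method": http_method,
            "url": url, "user_agent": user_agent}


def find_telegram_bot_api(log_text: str):
    """Return one finding per request to the Telegram Bot API, token redacted."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        # Only the Bot API host matters; web.telegram.org is ordinary user traffic.
        if parsed.hostname != "api.telegram.org":
            continue
        match = BOT_API_PATH.match(parsed.path)
        if not match:
            continue
        method = match.group("method")
        findings.append({
            "timestamp": rec["timestamp"],
            "src_ip": rec["src_ip"],
            "bot": redact_token(match.group("token")),
            "method": method,
            "user_agent": rec["user_agent"],
            "severity": "high" if method in EXFIL_METHODS else "medium",
        })
    return findings


def hosts_to_triage(findings):
    """Count Bot API requests per source IP so the noisiest host is triaged first."""
    counts = {}
    for f in findings:
        counts[f["src_ip"]] = counts.get(f["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_telegram_bot_api(SAMPLE_PROXY_LOG):
        print(f"{f['severity']:6} {f['src_ip']:10} {f['method']:13} bot={f['bot']} ua={f['user_agent']}")
    print(hosts_to_triage(find_telegram_bot_api(SAMPLE_PROXY_LOG)))
```

In most corporate networks no legitimate workstation process should be calling the Bot API at all, so a single medium hit is worth a look, and two high hits from one host within minutes, as in the sample, is the pattern that matches the exfiltration the report describes. The non-browser user agent on those lines is a second, independent hint that a script rather than a person made the request.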

According to ProPublica, “It has become a ubiquitous internet ad, with versions popping up everywhere from Facebook and LinkedIn to smaller sites like Jobvertise: Airport shuttle driver wanted, it says, offering a job that involves picking up passengers for 35 hours a week at an appealing weekly pay rate that works out to more than $100,000 a year.”

“These fraudsters, they’re like a virus. They continue to mutate,” said Haywood Talcove, chief executive of the government division of LexisNexis Risk Solutions, one of several contractors helping state and federal agencies combat identity theft, as quoted by ProPublica.

What can be done?

Here are some recommendations for job seekers that help guard against these scams.

  1. Verification of Job Listings: Job seekers should verify the legitimacy of job listings by researching the company and contacting them directly through official channels (website, phone number) rather than through the contact information provided in the ad.
  2. Use of Trusted Platforms: Job seekers should use trusted job search platforms and websites with verified listings to reduce the risk of encountering fake job ads.
  3. Report Suspected Scams: Individuals who come across suspected fake job ads should report them to the platform or website where they found the ad, as well as to relevant authorities such as consumer protection agencies or law enforcement.

Here are some recommendations for job sites and employers.

  1. Regular Updates and Patches: Job platforms and websites should regularly update their systems and apply security patches to address vulnerabilities that could be exploited by scammers.
  2. User Training: Employers should provide training to their employees on how to identify and report phishing attempts, including fake job ads aimed at stealing credentials.
  3. Security Measures: Employers and job platforms should implement security measures such as multi-factor authentication, HTTPS encryption, and email verification to protect user credentials.

Sources:

  1. “Beware: Fake Facebook Job Ads Spreading ‘Ov3r_Stealer’ to Steal Crypto and Credentials”, Feb 6 2024, https://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html
  2. “Scammers Are Using Fake Job Ads to Steal People’s Identities”, by Cezary Podkul, Oct 26 2021, https://www.propublica.org/article/scammers-are-using-fake-job-ads-to-steal-peoples-identities