Anyone can create a job advertisement on behalf of almost any company on LinkedIn, the leading recruitment network, and no verification is required.
Worse, the employer cannot readily take it down.
This may not be new, but the feature, combined with lax monitoring on career portals, lets attackers publish bogus postings for malicious purposes.
For example, attackers can use this social engineering approach to harvest personal information and resumes from professionals who believe they are applying to a reputable organization, and then sell the data or use it in phishing scams without the victims knowing.
We have openings!
Recently, a security researcher disclosed a ‘feature’ that he found quite worrying.
“Anyone can publish a job using their LinkedIn account; attackers can even masquerade as a genuine firm and post a vacancy as the firm. The worrisome part is that it looks just like a job that a legitimate company has posted.”
“I checked but stopped short of posting a job, but it goes well until the preview,” the researcher stated.
Although some may already have been aware of this “feature”, it could be a nasty surprise for others.
“For example, if Google’s LinkedIn company page is vulnerable, an attacker can post a job as Google and add some criteria to drive candidates to a new website to collect [personal data and credentials] and whatnot, common social engineering tactics,” the researcher added.
Our internal researchers also tested this method and confirmed the researcher’s findings.
To perform the experiment, they created a fake eScan company page and posted a job requirement. Within hours, candidate resumes started flooding the job section.
Our researchers also used LinkedIn’s “Easy Apply” feature to direct applicants to an external website, so that resumes and documents were uploaded to a test email account rather than to LinkedIn.
They found that, unlike redirecting the candidate to a “phishy” website, collecting personal information and resumes through a test email account leaves no indication of suspicious activity for either the candidates or the employer.
Phishing scams and fraudulent listings
According to the researcher, this feature has been exploited in the past and may become a hotbed for phishing attempts.
Although pen-testers and red teams can use the feature legitimately, he says the same feature may be abused by threat actors to target people with various types of fraud and phishing scams.
Of course, job scams on LinkedIn are nothing new, but those reported so far have mainly relied on someone creating a fake profile and claiming to be a corporate “recruiter.”
This method, on the other hand, lets anyone immediately create a job listing for nearly any company without even revealing their own name.
Limit who can post jobs as your organization
As an employer, what can you do to prevent unauthorized parties and threat actors from exploiting your brand to create fake job listings?
LinkedIn published a blog article in 2019 with recommendations for recognizing and avoiding common employment scams, but the problem highlighted here is not addressed there.
In our testing, our internal experts confirmed that even as the super-admin of your company page, you cannot take down a fake job posting.
Following the administrative link to the job posting from our official LinkedIn account, the administrator only receives an error.
Fortunately, companies can take certain steps to prevent unwanted posts.
For instance, we could not create jobs on behalf of certain companies, such as Google.
By default, a LinkedIn company page administrator cannot restrict who may post job listings; however, emailing LinkedIn’s Trust and Safety team gets that restriction enabled.
The researcher who disclosed this anomaly shared the team’s email address and said: “You can manually email LinkedIn’s Trust and Safety team to get those settings enabled to restrict unauthorized posts, allowing only permitted team members to post jobs.”
Since LinkedIn does not publish this email address, you remain exposed to this kind of attack unless you are aware that this LinkedIn ‘feature’ exists and can be blocked.
As a slower workaround, the researcher also suggests that your hiring and HR teams monitor your organization’s LinkedIn pages regularly and report any misrepresentation to LinkedIn.
When an online tech publication reached out to LinkedIn for comment, a LinkedIn spokesperson told the publication:
“We work every day to safeguard our members and maintain our platform against fraud.”
“When looking for a job, safety involves understanding that the recruiter you talk to is who they say they are, that the role you are excited about is true and real, and how to detect fraud.”
“Clear infringements of our service policies include posting counterfeit content, misrepresentation, and fraudulent jobs. We utilize automated and manual defenses before jobs are posted to detect and tackle bogus accounts or suspected fraud.”
However, contrary to this assertion, LinkedIn’s automated systems did not detect our researchers’ test posting.
“Whenever we find fake posts, we work to remove them quickly, and we’re constantly investing in new ways to improve detection.”
“That includes providing tools for companies to require work email verification before posting to LinkedIn,” the company concluded in its statement.
Until a more permanent solution is in place, LinkedIn users and businesses should report suspected job advertisements as spam or scam so that LinkedIn can examine them.