Spearphishing

Signed-off-by: Xe Iaso <me@christine.website>

blog/spearphishing.markdown

@@ -0,0 +1,68 @@
+---
+title: "Spearphishing: it can happen to you too"
+date: 2022-07-09
+tags:
+ - linkedin
+ - infosec
+---
+
+<xeblog-hero file="the-fool" prompt="The Fool in a woodcut tarot card style"></xeblog-hero>
+
+For some reason, LinkedIn has become the de-facto social network for
+professionals. It is viewed as a powerful networking and marketing site that
+lets professionals communicate, find new opportunities and source talent at
+eye-watering speed and rates. However, at the same time this also means that
+LinkedIn becomes a treasure trove of data to enable spearphising attacks.
+
+Let's consider [this attack against popular "play to earn" game Axie
+Infinity](https://www.theblock.co/post/156038/how-a-fake-job-offer-took-down-the-worlds-most-popular-crypto-game).
+The attackers had PDF based malware that allowed them to get access to a target
+computer, so they needed someone to open a PDF to trigger the exploit chain that
+let them gain a foothold. But they specifically wanted people that likely had
+access to the crypto wallets that enable control of the blockchain. LinkedIn let
+them filter by employees at the company behind Axie Infinity that were
+developers and likely started spearphishing by role and seniority. The details
+of the attack spell out that the attackers had set up a whole fake interview
+process to convince the marks that the process was legitimate and they put the
+malware in the offer letter. The attackers later gained access to the validator
+wallets and then they were able to make off with over half a billion dollars
+worth of cryptocurrency.
+
+<xeblog-conv name="Numa" mood="delet">Maybe, just maybe you shouldn't store a
+majority of the keys required to validate something on _the same computer_.
+Especially if those keypairs control assets worth close to _half a billion
+dollars_. Holy heck.</xeblog-conv>
+
+The malware was in the offer letter. This is the kind of social engineering
+attack that I bet any one of you reading this article could fall for. Hell, I'd
+probably fall for this. This may be the wrong kind of take to have, but I'm
+really starting to wonder if using LinkedIn so much is actually bad for
+security. It's not just recruiters reading through LinkedIn anymore, it's also
+threat actors that are trying to break in and do God knows what. Maybe we as an
+industry should stop feeding all of that data into LinkedIn. Not only would it
+give you less recruiter spam, maybe it'll make spearphishing attacks more
+difficult too.
+
+<xeblog-conv name="Cadey" mood="coffee">Also, yes we can't trust PDFs anymore,
+especially after exploits like
+[FORCEDENTRY](https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html)
+became a thing.</xeblog-conv>
+
+Either way, I may end up getting a disposable machine for dealing with reading
+PDFs from unknown sources in the future. I could use a virtual machine for this,
+but if my threat model includes PDFs having exploits in them then I probably
+can't trust a virtual machine to be a reasonable security barrier. I don't know.
+It sucks that we can't trust people anymore.
+
+I kinda wish we could.
+
+---
+
+<xeblog-conv name="Mara" mood="hacker">Fun fact: the tarot card "The Fool"
+doesn't actually imply idiocy in a malicious way. The major arcana of the tarot
+is a bunch of memes that describe the story of The Fool's journey through magick
+and learning how the world works. The Fool is not an idiot, The Fool is just
+someone that is unaware of the difficulties they are going to face in life and
+treats things optimistically. Think a free spirit as opposed to someone that is
+foolhardy (though foolhardiness is the meaning of The Fool when the card is
+inverted).</xeblog-conv>