This vulnerability can be exploited by con artists for massive phishing attacks, identity theft, and employment-related scams.
Security-related controversies are not new for LinkedIn. Here's
the latest one, which was discovered by a cybersecurity firm, The Cyphere, in Aug 2021. As per the company's report, anyone can post jobs on behalf of any company they want, without the consent or knowledge of the original company!
This means hackers can post jobs impersonating a reputed company and invite the job applications, receiving thousands of CVs on the fake email address, or redirect candidates to a malicious or phishing website!
Here’s how it works.
Image source: TheCyphere
Once the job is posted, even the original company’s super admin
can’t do anything about it!
The Cyphere reached to BleepingComputer to reconfirm their claims. After verifying the claims to be credible, BleepingComputer contacted LinkedIn for their comments.
Here’s a vague reply they received from LinkedIn.
"Posting fake content, misinformation and fraudulent jobs are clear violations of our terms of service. Before jobs are posted, we use automated and manual defenses to detect and address fake accounts or suspected fraud."
However, the shreds of evidence TheCyphere’s researchers found prove contradictory. LinkedIn didn't do anything further to tackle the issue. That means, the vulnerability still exists and can be exploited by anyone having a LinkedIn account.
So, here’s the point where the matter takes a dangerous turn.
LinkedIn gives two options to the job posters. They can either receive the CVs via emails or redirect applicants to a third-party website, which ideally
should be the company's career page. Hackers can exploit this vulnerability in three ways.
Note: We don't have any information on whether anyone has exploited this vulnerability yet or are there any victims for the same. But it is just a matter of time before hackers learn about this weakness and misuse it in the following ways:
1) Data theft
Scammers can easily collect applicants' personally identifiable information (PII) such as name, email address, phone number, employment history, and even physical address from the resume. They can sell this data on the darknet, or misuse it for identity theft-related crimes.
2) Phishing Attacks
The con artists pretend to be representatives of a legit company and ask candidates further sensitive information such as bank account numbers to credit the salary, or SSN, and other confidential information for tax purposes. They can also run common employment-related scams such as asking applicants to transfer money for conducting a background check, processing the application, or receiving the training.
3) Malware Delivery
Attackers can send malware-laden files in the email attachments and label them as job description, terms and conditions, employment contract, interview schedule, etc. They can also redirect candidates to a malicious or spammy site that automatically downloads malware to the victim's device. In the worst-case scenario, hackers can make the cybersquatting site that looks exactly like the original site with a similar domain name, and trick applicants to share their credentials and other confidential documents.
By now, you must have an idea that anyone can post a job on behalf
of your company and invite applications without your knowledge. This can
significantly affect your business’s goodwill and create trust issues for
potential candidates.
Unfortunately, you can't do anything much about it - the ball is in
LinkedIn's court.
Until LinkedIn recognizes the danger and patches the issues, all you can do is to ask your human resource department to keep a keen eye on all the jobs posted in your company's name. If they recognize any job which is not posted by your company, immediately contact LinkedIn support to report a complaint. You can also report the fake job by following the steps mentioned in this guide.