This post is about LinkedIn – a go-to professional networking and jobs platform – a feature that allows outside individuals (not belonging to the target organisation) to post jobs on an organisation’s behalf. Whether you call it posting scam jobs on LinkedIn, phishing the LinkedIn users or any wider campaigns based on the drivers – it is a recipe for Identity fraud.
This issue is not part of our penetration testing or any zero-day finds.
We came across this situation a few days ago and now sharing it with our readers. To avoid any confusion, please note that:
- This issue doesn’t impact assets owned by an organisation directly.
- This issue affects the majority of employers choosing to post jobs via LinkedIn. Only a handful of employers were found to have restrictions in place.
- This is not a zero-day vulnerability.
Issue Background
As we all know – LinkedIn allows adding job adverts by employers for hiring purposes. In this case, we checked that it is possible to post a job on behalf of another business without the platform prompting for any verification or authorisation. For instance, anyone can post a job on almost any company’s LinkedIn page and it appears as if it’s a job advertised by the affected company.
Feature or faux pas?
To check if it is actually the case – we used an account that is not associated with our business and we were able to add a job post. The following screenshot shows the job preview before job post goes live:
The following screenshot shows a live job post that is open to accepting applications including external (outside LinkedIn applicants).
Based on the option selected by the employer, LinkedIn asks the job poster to submit an email address or external website to collect the applicant’s CV. A handful of companies were identified to have restrictions in place, these include Microsoft (worthwhile investment saving themselves here!), Facebook, Apple, Amazon, etc top names only. In this case, LinkedIn displayed an error such as the following:
Implications
It is unclear if this has been misused by threat actors to launch any attacks, but it would be no surprise because it’s a clever technique to trap job applicants to submit useful information. There are various job scams around LinkedIn and it could be another addition to their arsenal if relevant measures aren’t reviewed.
During the job posting, LinkedIn asks employers whether to receive applications by email or directly at a third-party website address. In a threat scenario, a third-party website controlled by attackers could be used as a hotbed for Identity frauds – harvesting user information asked during job verifications. It could be documents containing personally identifiable information (PII), or sensitive data as per GDPR compliance.
It might be possible to attack current employees of an organisation encouraging them to apply for internal transfers by emailing links.
Mitigation
Although there is no toggle button to disable this for companies, there are measures that businesses can follow to minimise the impact in case of an event.
Reach out to your HR and communication teams to ensure they are aware of the issue and check company pages for any such activities. As soon as any bogus postings are identified, report them to LinkedIn – agreed it is not a fast workaround.
You can email the LinkedIn trust and safety team to block unauthorised requests or allow specific members to post jobs on behalf of their business, just like the user management feature on the LinkedIn company page.
[email protected]
We helped bleepingcomputer cover this issue in detail here who had asked LinkedIn for their comments. LinkedIn concluded “Posting fake content, misinformation and fraudulent jobs are clear violations of our terms of service. Before jobs are posted, we use automated and manual defences to detect and address fake accounts or suspected fraud.”. Contrary to such claims, it is possible to post bogus jobs as we found out during our tests.
For information – we closed jobs immediately after successfully finding out it is possible to post the jobs. No further activities such as receiving CV’s or any applications was performed.
Until we hear anything new about this issue from LinkedIn, please take a look at this useful article on reporting jobs on LinkedIn on avoiding job scams.
Get in touch to discuss this issue, your security concerns or our security services.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.
