Brits have been hit hardest by North Korean LinkedIn hackers in wave of fake job scams.
The Lazarus Group, which notoriously hacked Sony Pictures in 2014, was found to be ratcheting up its efforts to steal cryptocurrency in May, when a South Korean cyber-security firm raised the alarm.
In their latest scam, they have targeted Britons, with a new report showing that the UK is in the top three countries accessing an infected link, behind only the US and China.
Overall, the hackers are very profitable for North Korea and are estimated to be generating hundreds of millions of pounds for the secretive state.
The latest scam targets people using the networking website LinkedIn, promising them a dream job and inducing them to open a dodgy document about the role.
Finnish cyber-security firm F-Secure said the attacks had all the hallmarks of Kim Jong-un’s hackers.
Matt Lawrence, director of detection and response, said: “Our research found that this attack bears a number of similarities with known Lazarus Group activity.
“So we’re confident they were behind the incident.
“The evidence also suggests this is part of an ongoing campaign targeting organisations in over a dozen countries, which makes the attribution important.
“Companies can use our report to familiarise themselves with this incident, the tactics, techniques, and procedures used, and Lazarus Group in general, to help protect themselves from future attacks.”
In one image showing the malicious document sent to victims, information about the so-called job is obscured by a blue screen.
The screen is supposedly there because of the EU’s General Data Protection Regulation (GDPR) law, and can only be removed by the victim clicking an “enable content” button.
Once pressed, however, the button accesses the infected link, giving the hackers access to their victim’s computer.
And to make matters worse, F-Secure found that hackers were adept at covering their tracks, deleting evidence including any traces of the malware they used after it had served its purposes.
Overall, the report found that the infected link had been accessed 73 times from around the world, including 32 times from the USA, 10 times from China and five times from the UK.
When the document was checked using VirusTotal, an online database that records different cyber threats, it was found to have been flagged up as harmful by 34 antivirus companies.
Previous versions of the current scam have seen dodgy documents disguised as a coronavirus briefing, paperwork for the hire of a US aerospace company and software development contracts.
The scale of the Lazarus Group’s illegal activities is such that North Korean hacker Park Jin Hyok is now wanted by the FBI.
The group has targeted banks around the world in a bid to steal cash, as well as hacking Sony in 2014 as revenge for the planned release of The Interview, a comedy about assassinating Kim Jong-un.
A US government report named Lazarus as one of three groups that stole $571m (£463m) of cryptocurrency from five Asian exchanges between January 2017 and September 2018.