HOW MY LINKEDIN GOT HACKED THROUGH A PDF FILE AND HOW I RECOVERED IT.

It was the 1st of September, 2:41 am. I was just winding down after a long day of work; the #cryptomeetuplagos was just 8 days away, preparations were in full swing and sleep was short. Then I got a message from a friend saying, “You have been hacked”.


I never would have believed it because I had just been online some 5-10 minutes earlier, plus I have the latest version of the McAfee antivirus paid for and running on my PC. His message came with a screenshot of me chatting to one of my connections, posing as Kraken staff scouting for new employees. I got up quickly, like a soldier who had just been ambushed in the middle of the night, and I immediately started to trace the suspicious activities in an attempt to control the damage being done to my account and reputation.

I logged in hoping the hacker had not changed my profile email and password and assumed total control of my LinkedIn account.

At that moment I kept thinking about how someone got my password, as I never shared it with anyone.

WHAT DID I DO?

Even though I’m not a cyber security expert, I know some basic security tips:

  1. First, I quickly changed all my passwords, most importantly my email password, as it's closely tied to most online accounts and activities.
  2. Then, I cleared my browser cache and cookies.
  3. I even deleted Google Chrome and switched to the Microsoft Edge browser just to feel safer.
  4. I had never used a password manager before, but with the current situation it was high time, I thought. So, I downloaded True Key by McAfee.
  5. I set up 2FA (two-factor authentication) on all social media accounts.
  6. I ran a full PC scan with my upgraded McAfee antivirus (the results came back clean).
  7. Afterwards, I sent a message to my connections and anyone who was messaged or affected during the security breach on my account to apologize for any trouble.

After I did all this I wrote a report and submitted my ID to LinkedIn for verification, because my account was put on a temporary restriction shortly after all these activities, seemingly because of the sudden security steps I was taking. Either that, or someone had reported my impersonator earlier.

It took exactly six days for the restriction on my LinkedIn account to be lifted.


I am finally free from this hack. Or so I thought.


THE HACKER RETURNS

On the 2nd of October, the hacker made his way back, but this time I was waiting on LinkedIn to witness how he operates.

At the same hour as the previous hack on the 1st of September, I received a message reply from a connection on LinkedIn. I wondered why, because I was not expecting any messages from anyone.

As I was just about to go through the conversation, the chat box disappeared before my very eyes. I was on high alert again and I began to investigate there and then. Another message came in and disappeared again, and I immediately discovered it in my archived messages.

Archiving my messages! This was a very smart move by the hacker. If you are familiar with messaging apps, you know what this does: it completely relocates messages from your main inbox to a separate folder, usually named “Archive”.


Messages in this folder don’t trigger notifications and are not displayed by default on the LinkedIn homepage, making it almost impossible for anyone to detect the malicious activity happening behind the scenes.


WHAT I DID THIS TIME AROUND

So, it's obvious the basic security steps I took earlier had zero effect on this hack.

This time around, I didn’t panic much. I only had three actions/steps in mind:

  • I hibernated my account immediately: this temporarily disables your account. It's similar to having your account under restriction; the major difference is that you can log back in whenever you want after a few security steps.

Note: if you have any running subscription, it goes away with the hibernation.


  • I wrote a brief complaint/report of the situation to LinkedIn.


  • I resolved within myself to get rid of the virus/hacker completely by any means (Google and deep online research). Formatting/reinstalling my OS was the last resort.
  • Meanwhile, I backed up all important files to my cloud storage just in case I had to reinstall my operating system.


THE HACKER'S ORIGIN

With my most recent knowledge of the hacker's MO, I began to understand even more, which led me to discover how and when the hack started.

I had already gone through the messages the hacker sent earlier to a few of my connections, just before I hibernated my account. Some of the messages he/she sent had a PDF attachment.


Apparently what this hacker does is pose as a job recruiter for a reputable crypto firm and then start hunting for "employees" (victims). His first and best target choices are your connections, because it is easy to capitalize on the trust already built between 1st-degree connections. The hacker's sole aim here is to get as many people as possible to click and open his attachment or link.

Realizing this, my mind quickly flashed back to two weeks before the first hack, in mid-August, when I received a PDF proposal via Telegram chat from someone who claimed to be with Coinbase's BD team. I’m an admin in WOO Network Nigeria and at the time preparations for the #Cryptomeetuplagos event were still hot. I was also going through a lot of partnership proposals at the time, so I didn’t hesitate much while opening the hacker's PDF. I had my doubts, but I also believed my up-to-date antivirus would alert me to any malicious file/attachment.

Opening the attachment, I found a bunch of crap not in any way related to what the hacker claimed it was. It was just a long list of different engineering job roles and descriptions.

I asked the so-called Coinbase representative to cross-check, in case he had sent the wrong document, and he suddenly stopped replying instantly.

He said, “Go through the proposal and pick one”. “Pick what? I don’t understand, can you check the document you sent, maybe there is a mix-up,” I asked. He took longer to respond this time and then said again, “After going through it let me know the one you choose”.


It was then I realized I could be dealing with a scammer and a dangerous file; he may just have been stalling to set up his virus. Immediately, I blocked the chat and deleted the PDF (I even took the extra step of shredding it with my up-to-date antivirus) and ran a full antivirus scan on my PC. The results came back clean.


My mind was already at ease after deleting and shredding the PDF file and running a full antivirus scan on my PC. Little did I know the PDF file was just the trojan horse visible to me; in the background, the hidden malicious program that came with the PDF (the trojan horse) had already been deployed.

Unknown to me the virus had found a new home.


BREAKING DOWN THE VIRUS

After I had resolved to get rid of the virus/hacker completely, I began deep online research with our friendly Google.

I was able to identify the virus name and type. This was a Trojan virus. You may identify it with the following aliases: Trojan.PDF.Scam[ variant] and Scam.[ variant]

A trojan is a file or computer program that appears to be harmless and desirable but secretly carries out actions that are harmful to your PC and your data privacy. Just like the wooden horse in Greek mythology, a trojan is designed to be deceptive. The authors go as far as using the same icons, designs, fonts and colours as legitimate programs to make it look authentic.

When the harmful code in the Trojan virus is run:

  • It can download and install the malicious program contained in the file onto your device.
  • It can also contact a remote server, which then has access to install further malicious programs and even control your PC.

This perfectly explains why changing my password and using 2FA on the LinkedIn account didn’t prevent the hacker from operating (he simply didn’t need to log in on another device; he already had access through my PC).


If a trojan accidentally makes its way onto your PC, it will be very hard for you to realize it is carrying out harmful actions; trojans are usually well disguised to prevent your computer from triggering any notification messages that could raise the user's suspicion.

The specific malicious or harmful program installed on a device varies and may be detected separately by different security products; my McAfee antivirus helped to prove it.

ELIMINATING THE HACKERS' TROJAN HORSE

After much research and investigation online using Google and also Microsoft Forums, I finally discovered a way to unmask and get rid of the virus.

So here is what I did:

I downloaded Autoruns for Windows.

Autoruns is a system utility that shows you all the programs (including background programs) that run during your PC’s startup, and it lets you disable those that are suspicious or malicious.


I went over to the Services and Drivers tabs. According to my research, this is where any malicious program would be operating from, but you could also go through all the other 19 tabs just to be sure. Here, I found three suspicious files that were disguised as the Adobe PDF viewer. One had the Adobe logo but was highlighted in red, one had the description “remote.trojan.pdf” (this must be how the hacker sneaks into my computer), and the date of installation matched the date I was first contacted by the fake Coinbase representative.

I immediately disabled them by unchecking the boxes associated with the files. Suspicious files may be highlighted in red or yellow.

I was offline/disconnected from the internet during this whole process to prevent any further transmission between the trojan and the hacker, and the screenshot I posted with this article was taken after I had disabled the malicious files. I didn't have time to take an actual image of it because I had to act fast and also, I had no idea I'd be writing an article about it.
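As an added example (my own, not code from the article or from Sysinternals), here is a PowerShell pass over the same autostart locations reviewed above in Autoruns: services, drivers and the Run keys. It flags what a reviewer looks at first: binaries with no valid Authenticode signature, binaries running from outside Program Files or the Windows directory, and entries that describe themselves as Adobe/PDF software but are not signed by Adobe. The "trusted directory" and "Adobe" heuristics are my assumptions for this illustration, not a definition of malware.

```powershell
# Added example: Autoruns-style review of services, drivers and Run keys.
# Heuristics (trusted directories, Adobe/PDF name vs. signer) are assumptions
# for this illustration. Expect some noise from catalog-signed components;
# treat hits as items to review, as the article did, not as proof of malware.
function Get-ExecutablePath {
    param([string]$CommandLine)
    # Strip quotes and arguments so the binary can be located on disk.
    $path = if ($CommandLine -match '^"([^"]+)"') { $Matches[1] }
            elseif ($CommandLine -match '^(\S+\.(exe|sys))') { $Matches[1] }
            else { ($CommandLine -split ' ')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}
function Test-SuspiciousAutostart {
    param([string]$Name, [string]$Description, [string]$CommandLine)
    $path    = Get-ExecutablePath $CommandLine
    $reasons = @()
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Name = $Name; Path = $path; Reasons = 'binary not found on disk' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }
    if (-not ($trusted | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })) {
        $reasons += "runs from unusual location: $([IO.Path]::GetDirectoryName($path))"
    }
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ("$Name $Description" -match 'adobe|pdf' -and $signer -notmatch 'Adobe') {
        $reasons += 'claims to be Adobe/PDF software but is not signed by Adobe'
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{ Name = $Name; Path = $path; Reasons = ($reasons -join '; ') }
}
$findings = @()
# Services and Drivers tabs: every registered service and kernel driver.
$entries = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)
foreach ($e in $entries | Where-Object { $_.PathName }) {
    $findings += Test-SuspiciousAutostart $e.Name $e.Description $e.PathName
}
# Logon tab: per-machine and per-user Run keys.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $findings += Test-SuspiciousAutostart $p.Name '' ([string]$p.Value)
    }
}
$findings | Where-Object { $_ } | Sort-Object Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt with the network disconnected, as the article does, and compare each hit against what Autoruns shows before disabling anything.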

KEY TAKEAWAYS

Moving forward, ever since the trojan got disabled, I have not experienced any strange activity.

I always:

  • Disconnect my PC from the internet when it's not in use. This is to prevent anyone or any software from attempting to make a connection to my PC.
  • Use high-level passwords that are not easy to decrypt, and regularly change them. You can try using a password manager (I use McAfee's True Key. I hope it's stronger than the antivirus…haha).
  • Use 2FA (two-factor authentication) across all my social media accounts.
  • Inspect my inbox, and especially my archived messages, for any suspicious activity.
  • Delete and block any messages containing a potentially malicious file or document. If I have to receive a document, I opt for a Google Doc.
  • Back up important files from my PC regularly, just in case.
  • Use the Autoruns app to check for, and disable, any unwanted or suspicious programs running in the background.
  • Make sure the software on my PC is up to date and all security patches are installed.
  • Conduct a full antivirus scan, regardless.

I hope this helps anyone else who may have clicked a suspicious link recently or in the past. Even if it seems everything is fine after that, I urge you to re-conduct a security check now. Also, keep in mind that malicious files or links could also come as emails, SMS text messages, social media posts, mobile app messages and even Google Calendar invites.

If you are a trader reading this and you need an exchange with a high security level, you are welcome to try out WOO X. I don’t care if you use my ref code (WHNUC3N0); I care about you trading safely and securely. Stay SAFU.

Thavi A.

I Help Businesses Scale Profitably with AI-Driven Digital Marketing | 30X ROAS- Google, Facebook & TikTok Ads | CEO | AI Expert | Lecturer & Corporate Trainer | G100 | Women Economic Forum | 25U25 Entrepreneurs Today

8 months

Thank you for sharing this!
