(Replying to PARENT post)
If you're gonna have access to such amount of money, it's worth buying a dedicated machine and using it very, very cautiously.
(Replying to PARENT post)
I am listed as the Principal on a couple of companies, and get constant approaches that are obviously fake (like an attractive young "stewardess" from Dubai, who just happened to like my picture (which is actually my logo)).
I've given up reporting them, as LI always responds with "This is not in violation..."
(Replying to PARENT post)
My decision was cemented in 2020 when someone who didn't like a tweet of mine retweeted it to my old company's twitter account trying to get me fired/reprimanded (The tweet in question called out my local PD for a dubious tweet they made, the person who tried to get me in trouble lived in a different state 12+ hours away). Thankfully my current company wouldn't have cared but there is no need to give people ammo.
(Replying to PARENT post)
The PDF format presents many opportunities for other exploits, either obfuscating a payload or running code, but modern PDF viewers are locking these opportunities down to such a degree that they are not very reliable (most of all because it is difficult to know which PDF viewer your target will use, and many popular PDF viewers today like pdf.js are relatively feature-incomplete which is a significant security advantage in this case). It's possible that something more sophisticated was going on but I would be very surprised if it was anything more complex than using the PDF as an obfuscated transport for a binary packed in it and invoked by the user (e.g. by clicking a link in the PDF with a javascript target). Non-user-interaction PDF vulnerabilities exist but are increasingly hard to come by as there has been more than a decade of work on locking down PDF viewers and the situation has improved dramatically in that time.
Contrary to what people sometimes expect, highly organized groups (such as APTs) tend to stick to very basic, simple methods as much as possible, since they are relatively reliable. The use of recent vulnerabilities in a specific PDF viewer, for example, is high risk due to the likelihood of failure and the opportunities for analysis it presents (you will have to do custom development rather than using off-the-shelf tooling). This is the kind of thing that organized groups try to avoid as much as possible, subject to an ROI analysis. Or in other words, if putting a link to an EXE in a PDF still works, why would you bother with anything else?
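The two comments above describe the cheap transport tricks (a link or Launch action pointing at an EXE, an embedded file, viewer JavaScript) rather than viewer exploits. The script below is an added example, not the commenter's code or any tool mentioned on the page: a small offline triage scanner that counts the PDF name objects behind those mechanisms, resolves `#XX` name escapes (so `/Java#53cript` is still seen), inflates FlateDecode streams so actions hidden in object streams are not missed, and pulls out `/URI` and `/Launch` targets. The sample documents it builds are constructed for the example (the file names and `example.invalid` URL are placeholders), not real malware.

```python
import re
import zlib

# Features worth flagging. None of these is a vulnerability on its own; they are
# the documented mechanisms a PDF can use to run code, auto-fire an action, open
# a URL or carry a second-stage file, i.e. the "link to an EXE" class of attack.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript code",
    b"/Launch": "Launch action: asks the viewer to run an external file",
    b"/OpenAction": "action triggered automatically when the document opens",
    b"/AA": "additional actions (page open/close, form-field events)",
    b"/URI": "URI action: link to an external resource (e.g. a hosted EXE)",
    b"/EmbeddedFile": "file attachment carried inside the PDF",
    b"/RichMedia": "embedded Flash/3D content",
    b"/XFA": "XFA form (XML based, historically a large attack surface)",
}

def normalize_names(data: bytes) -> bytes:
    """Resolve #XX hex escapes so /Java#53cript is matched as /JavaScript.
    Applied to the whole buffer for simplicity; good enough for triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream that inflates as zlib data.
    Actions are often tucked into compressed object streams, so scanning only
    the raw bytes misses them. Other filters (LZW, ASCIIHex, ...) are ignored."""
    chunks = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or not a real stream body
    return b"\n".join(chunks)

def triage_pdf(data: bytes) -> dict:
    """Count risky names (raw + inflated) and extract Launch/URI targets."""
    text = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    features = {}
    for name in RISKY_NAMES:
        # Lookahead stops /JS from also counting /JSFoo-style names.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if n:
            features[name.decode()] = n
    uris = [u.decode("latin-1") for u in re.findall(rb"/URI\s*\(([^)]*)\)", text)]
    launches = [f.decode("latin-1") for f in
                re.findall(rb"/Launch\b.*?/F\s*\(([^)]*)\)", text, re.DOTALL)]
    return {"features": features, "uris": uris, "launch_targets": launches}

def is_suspicious(report: dict) -> bool:
    """Anything that can execute, auto-fire or launch a file needs a human look."""
    hot = {"/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA", "/EmbeddedFile"}
    return bool(hot & set(report["features"])) or bool(report["launch_targets"])

def build_sample(malicious: bool) -> bytes:
    """Constructed sample documents for the demo (no xref table; the scanner
    does not need one). The 'malicious' one only carries harmless strings."""
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction 4 0 R" if malicious else b"") + b" >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj",
    ]
    if malicious:
        # Escaped name inside a compressed stream: invisible to a naive grep.
        hidden = zlib.compress(b"<< /S /Java#53cript /JS (app.alert('stage 2')) >>")
        objs += [
            b"4 0 obj << /S /Launch /F (update.exe) >> endobj",
            b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI"
            b" /URI (http://example.invalid/offer.pdf.exe) >> >> endobj",
            b"6 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(hidden)
            + hidden + b"\nendstream endobj",
        ]
    else:
        objs.append(b"5 0 obj << /Type /Annot /Subtype /Link"
                    b" /A << /S /GoTo /D [3 0 R /Fit] >> >> endobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"

if __name__ == "__main__":
    for label, doc in (("benign", build_sample(False)),
                       ("offer letter", build_sample(True))):
        report = triage_pdf(doc)
        print(label, "->", "SUSPICIOUS" if is_suspicious(report) else "clean", report)
```

This is a heuristic, not a verdict: an encrypted document, a non-Flate filter, or names split across incremental updates will slip past it, and a hit only tells you the file can do something, not that it will. For real triage the same idea is implemented far more thoroughly in Didier Stevens' pdfid and pdf-parser, which is where this kind of check belongs in practice.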
(Replying to PARENT post)
In the "Web2 Sector", it would be very easy IMO to sniff out a fictitious company. I've gotten a handful of "offers" in the past and you can see straight through them, because the company doesn't exist in real life and you can't find any info on it; huge red flag.
The problem with the "Web3 Sector" IMO is you have a bunch of upcoming players in the space that no one has heard of. Just like investors in Crypto, if you're a developer in the space, no doubt you are jockeying to join a project that might land you a 7-10 figure windfall at the end.
So if an unheard of company approached me, I would tell them to kick rocks. If a similar company approached someone in the "Web3 Sector", they might take it thinking it's an emerging opportunity. I'm sure this still happens with Startups but my gut says it's really bad in the Web3 space.
(Replying to PARENT post)
When I was at Lockheed we had an incident whereby a bunch of folks had attended some defense conference, and after the fact received emails from folks they had 'met' at the conference, something along the lines of
"Hey Bob, we met at the [defense] conference this last week and I wanted to be sure you had my contact info: malware-contact.vcf"
or some other payload.
This installed a very slow sprawling worm which would slowly trickle data out of lockheed to China.
It was not discovered for quite a while due to how slowly it operated, but someone had complained about machine performance and IT looked at the machine and discovered the worm... after removing it, this somehow sent a signal to China that they had been found and all the worms started to firehose as much as they could until egress was closed. At the time, all of Lockheed's 150,000 employees had just three egress points to the internet. They had to shut them all down to kill that worm.
(Replying to PARENT post)
It introduces the idea of "transitive trust" where person A might not know person B but if the two have a bunch of contacts in common, the odds of A trusting B go up. When there's a profile with tens or hundreds of shared connections, it looks real by all accounts.
I wrote about this as an intel gathering/attack vector way back in the day but it's 100x better now because connecting is second nature and people trust more now: https://caseysoftware.com/blog/open-source-intelligence-link...
(Replying to PARENT post)
If you use your own device then do company work in a VM.
(Replying to PARENT post)
Agreed, I thought that opening a read-only PDF was GRAS regardless of the application.
(Replying to PARENT post)
I suppose they could add a phishing warning for messages sent on LinkedIn, but really it's an education problem, teaching people to identify what phishing emails look like and how to avoid them. This is a problem I've been working on since at least 2003, when we realized that the best way to prevent eBay account takeovers was teaching people what phishing is. We also identified that education is the hardest solution to achieve.
It's ironic that the security professionals are the ones hiding their identity, given that they are the best prepared to identify and avoid phishing emails.
(Replying to PARENT post)
on the other hand I bet you could collect some interesting things by creating a few fake people as linkedin honeypots at FAANGs, and I would be very surprised if their infosec/netsec teams aren't already doing this.
or getting real people who opt-in to have their linkedin profile receive incoming scams, virus, trojans, phish links and pipeline them into the infosec/netsec team.
(Replying to PARENT post)
People on LinkedIn, using a name sufficiently far away from their real name so as not to be easily found, listing their security jobs with, again, sufficiently far away org names.
Turtles all the way down.
(Replying to PARENT post)
They seemed to avoid contacting executives or senior staff... but instead targeted folks capable of maybe making the change they wanted, and maybe jr / low enough on the pole enough to panic and do it.
I've seen it happen three times now, pretty scummy IMO.
(Replying to PARENT post)
This is something I see/hear so often, people using work equipment/network to conduct their personal stuff. This, IMO, should not be allowed at all.
(Replying to PARENT post)
If pdf is compromised, is it fixed? This seems like the kind of vulnerability that would ruin pdf's reputation permanently. It was the safe alternative to sending someone a .doc particularly because of its limited functionality.
(Replying to PARENT post)
1. LinkedIn is an absolute godsend for bad guys, allowing easy targeting of everyone in the company with spear phishing emails and texts. I know many security professionals no longer use their real name, and don't list the real name of their company, because they know it's such a great hacking vector. Not sure what/whether LinkedIn can do anything about this.
2. I wish there were more information about what the vulnerability was in the PDF in the first place. I think a lot of people would be wary of downloading a PDF from a stranger, but not from someone who you had multiple interview rounds with and who offered you a job.