Phishing Campaign Targets Job Seekers, Employers
Attackers Exploit Economic Downturn by Deploying Malware in Resumes, ID Attachments Prajeet Nair (@prajeetspeaks) • March 4, 2023
Threat actors are exploiting the ongoing economic downturn, using job-themed phishing and malware campaigns to target both job seekers and employers, steal sensitive information and compromise company recruiters.
The phishing campaigns target job seekers with emails that purport to come from a recruitment agency and ask recipients to provide personal information or login credentials. The malware campaigns attempt to drop well-known families such as AgentTesla, Emotet, Cryxos Trojans and Nemucod on victims' devices.
“These emails look legitimate but are designed to steal sensitive information such as passwords or financial information. The malware can then be used to steal sensitive information or to gain unauthorized access to the job seeker’s device and the information stored on it,” according to a report from cybersecurity firm Trellix.
Trellix researchers also observed attackers posing as job seekers to target employers. The attackers send specially crafted emails that deliver malware through attachments or URLs disguised as applicant resumes or identification documents.
“This type of attack is becoming increasingly common as cybercriminals take advantage of the high volume of job applications that employers receive,” says Daksh Kapur, research scientist at Trellix. “The goal of these attacks is to gain unauthorized access to sensitive information, steal personal data and disrupt the operation of the organization. We have also observed APT groups leveraging job-themed emails to deliver malware.”
Attackers also are using fake or stolen documents such as Social Security numbers and driver’s licenses to make emails look legitimate and increase the credibility of the email, “making it more likely that the recipient will fall for the scam,” Kapur says.
Cybercriminals and state-sponsored groups are creating typosquatting domains that imitate popular job websites to target job seekers, Kapur says. Typosquatting is a social engineering technique in which attackers register misspelled or lookalike versions of legitimate domains and use them for malicious purposes.
“These domains are like the legitimate websites, but with slight variations such as misspelled words or different extensions,” Kapur says.
These domains trick job seekers into thinking they are applying for a job through a legitimate website, when in fact they are providing their sensitive information to cybercriminals.
Additionally, Kapur says that Trellix has observed an increase in registrations of new typosquatted domains imitating job-related sites such as LinkedIn and Indeed. Examples of typosquatting domains observed by Trellix include indeed-id.com; indeed-7.com; indeed-a.com; indeed.ch; indedd.com; linkhedin.com; linkegin.com and linkednn.com.
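The domains above fall into a few recognizable patterns: the brand name with a hyphenated suffix (indeed-id, indeed-7, indeed-a), the brand under a different top-level domain (indeed.ch), and one-character edits of the brand (indedd, linkhedin, linkegin, linkednn). The script below is an added example, not code from Trellix or this article, that scores a feed of newly registered domains against a small brand list using exactly those three checks plus a generic "brand embedded in a longer label" check. The brand list, the thresholds and the sample feed are assumptions constructed for illustration; the feed reuses the observed domains listed above alongside a few benign names so the filter has something to leave alone.

```python
"""Flag lookalike registrations of job-site brands in a domain feed.

Added example; not part of the Trellix report. Brand list, thresholds
and the sample feed are assumptions constructed for illustration.
"""
from __future__ import annotations

# Assumed brand labels and the TLD each is legitimately served from.
BRANDS: dict[str, str] = {"indeed": "com", "linkedin": "com"}

# Constructed feed: the eight domains Trellix reported plus benign names.
NEW_DOMAINS = [
    "indeed-id.com", "indeed-7.com", "indeed-a.com", "indeed.ch",
    "indedd.com", "linkhedin.com", "linkegin.com", "linkednn.com",
    "indeed.com", "linkedin.com", "example.org", "jobs-board.net",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld) for a plain two-part domain.

    Limitation: multi-part public suffixes such as co.uk are not handled;
    a real deployment would consult the Public Suffix List.
    """
    label, _, tld = domain.lower().strip().strip(".").rpartition(".")
    return label, tld


def classify(domain: str) -> str | None:
    """Return a 'pattern:brand' tag for a lookalike, or None if benign."""
    label, tld = split_domain(domain)
    for brand, brand_tld in BRANDS.items():
        if label == brand:
            # Exact brand label: legitimate only on its expected TLD.
            return None if tld == brand_tld else f"tld-swap:{brand}"
        if label.startswith(brand + "-") or label.endswith("-" + brand):
            return f"hyphen-affix:{brand}"      # indeed-id, indeed-7, ...
        if brand in label:
            return f"embedded:{brand}"          # e.g. indeedjobs (generalisation)
        # Allow one edit per four characters of brand, minimum one.
        if levenshtein(label, brand) <= max(1, len(brand) // 4):
            return f"edit-distance:{brand}"     # indedd, linkhedin, ...
    return None


def scan(domains: list[str]) -> dict[str, str]:
    """Map every flagged domain in the feed to the pattern that caught it."""
    hits: dict[str, str] = {}
    for d in domains:
        tag = classify(d)
        if tag is not None:
            hits[d] = tag
    return hits


if __name__ == "__main__":
    for domain, tag in scan(NEW_DOMAINS).items():
        print(f"{domain:<18} {tag}")
```

In practice the feed would come from a certificate-transparency or newly-registered-domain source, and the edit-distance threshold should be tuned per brand: a two-edit allowance on an eight-letter brand like linkedin is fine, but the same rule on very short brands produces noise, which is why the check floors at one edit and scales with length.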
More than 70 percent of job-related cyberattacks target the United States, the Trellix report says. Other targeted countries include Japan, Ireland, the United Kingdom, Sweden, Peru, India, the Philippines and Germany.
“It is crucial for both job seekers and employers to be aware of this new threat and take precautions to protect their personal and financial information,” Kapur says. “The best defense against such phishing attacks is to exercise caution when receiving emails from unfamiliar sources, especially those containing links or attachments.”
Researchers at cybersecurity firm ClearSky had previously said that an Iranian APT group, dubbed Siamesekitten, was targeting Israeli companies in a supply chain attack campaign. Attackers are luring victims with fake job offer emails that direct recipients to websites that download malware (see: Iranian Group Targets Israeli Firms).
A separate campaign, dubbed DreamJob and attributed to North Korean hackers, is built on a fake LinkedIn profile that purports to belong to a recruiter from a prominent defense firm. Researchers say the fraudsters likely spent months creating the profile and interacting with victims (see: North Korean Hackers Wage Job-Themed Spear-Phishing Attacks).