A sophisticated phishing campaign is targeting job seekers through fake recruitment emails, using global brands such as Red Bull to gain trust and deceive recipients. These are not crude, misspelled emails like other scams, but professional-looking messages that appear to come from seemingly trustworthy addresses.


In this case, the email is sent from the post.xero.com domain, a real address belonging to a legitimate system, and passes all verification mechanisms such as SPF, DKIM and DMARC. As a result, the mail filtering system does not mark the message as suspicious, and the content lands easily in the user’s main inbox.
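As an added example (not part of the original article), the following Python check shows why passing SPF, DKIM and DMARC is not enough on its own: it parses the Authentication-Results header and flags a message that names a brand in the display name or subject while coming from a domain not associated with that brand. The sample message and the BRAND_DOMAINS mapping are constructed assumptions, not data from the campaign.

```python
"""Added example: flag brand-impersonation mail that passes SPF/DKIM/DMARC.
The sample message and brand mapping below are constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: brand named in display name and subject, sender on an
# unrelated domain, Authentication-Results showing "pass" for every mechanism.
SAMPLE = """\
From: "Red Bull Recruiting" <noreply@post.xero.com>
To: candidate@example.com
Subject: Red Bull - Social Media Manager (remote) - application invite
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=post.xero.com;
 dkim=pass header.d=post.xero.com; dmarc=pass header.from=post.xero.com

Hello, please apply here: https://example.invalid/apply
"""
# Constructed control case: same mail, but sent from a brand-owned subdomain.
LEGIT = SAMPLE.replace("post.xero.com", "mail.redbull.com")

# Assumed mapping of brand names to domains the brand legitimately mails from.
BRAND_DOMAINS = {"red bull": {"redbull.com"}}


def auth_results(msg):
    """Return {'spf': 'pass', ...} parsed from the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I))


def sender_domain(msg):
    """Domain part of the RFC 5322 From address, lower-cased."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def brand_mismatch(raw):
    """Return (brand, sender_domain, auth) when a known brand is named in the
    display name or subject but the sender domain is not tied to that brand;
    return None when the sender domain is one the brand actually uses."""
    msg = email.message_from_string(raw, policy=policy.default)
    name = parseaddr(str(msg.get("From", "")))[0]
    text = f"{name} {msg.get('Subject', '')}".lower()
    dom = sender_domain(msg)
    for brand, domains in BRAND_DOMAINS.items():
        owned = any(dom == d or dom.endswith("." + d) for d in domains)
        if brand in text and not owned:
            return brand, dom, auth_results(msg)
    return None
```

The flagged result carries the parsed authentication verdicts, so a mail gateway rule can show that the message was "authenticated" and still impersonating.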

The email introduces a remote “Social Media Manager” position with a clear description, polite wording and a reasonable context. A position in communications and social media with flexible working arrangements matches current recruitment trends, especially after the Covid-19 pandemic. It is this familiar element that makes it easier for the email to get past the reader’s initial caution.

When the user clicks the link in the message, they are taken through a reCAPTCHA page and then redirected to an imitation of the Glassdoor interface. The site is designed almost exactly like the original, from colours to layout, making it very difficult for users to spot anything unusual. After clicking the “Apply” button, the user is taken to a Facebook login page. If login details are entered here, the data is not sent to Facebook but directly to the attacker’s server, without the user’s knowledge.

Behind the fake pages is a carefully prepared attack infrastructure. The domain name was recently registered and is hosted at AS-63023, an IP network that has been involved in many short-lived attacks. A valid HTTPS certificate issued via Let’s Encrypt removes the usual browser security warning. The TLS fingerprint matched other rogue sites that had targeted Meta and MrBeast users, indicating an off-the-shelf scam kit from the phishing-as-a-service model that anyone can deploy without much skill.

In order to avoid becoming a victim of these types of scam campaigns, users should keep several important points in mind:

  • Don’t log into a personal account such as Facebook or Google via any link in a recruitment email unless you have clearly verified the source.
  • Double-check the sender’s email address, especially the domain name, and compare it with the company’s official information.
  • Look at the website’s domain name before entering any information. Unusually long domain names, strange phrases, or deviations from the brand name are signs to watch out for.
  • Don’t rush to accept a job offer that sounds too good to be true, especially if it coincides with a sensitive time, such as when you have just sent out your resume or are unemployed.
  • Search for employment information through the company’s official website instead of clicking the link in the email.
  • If in doubt, stop and consult a trusted source such as a colleague, IT administrator or professional forum.

Phishing attacks are no longer the mass, random mailings they used to be; they are moving toward specific, sophisticated targeting that is much harder to detect. A job offer that is not well vetted can become an open door to identity theft and unauthorized access to personal or corporate systems.

When brand trust is taken advantage of, seeing a familiar logo in an email is no longer synonymous with safety. Vigilance remains the first and most effective protection against increasingly sophisticated forms of fraud.

According to Cyber Press, WhiteHat