Author: Jacob Malimban, Intelligence Team
Job Application Spear Phishing with Fortune 500 Companies
Starting in Q3 2024, Cofense Intelligence detected an ongoing campaign targeting employees working in social media and marketing positions. In this campaign, marked employees were encouraged to apply to a social media manager position in a Fortune 500 company. Meta, Coca-Cola, PayPal, and other brand name companies were spoofed to send fake job applications to prospects.
Unlike other credential phishing campaigns, this one also stole job application details. This includes work experience from previous employers and higher education obtained through formal institutions. Uncommon personally identifiable information (PII) can be quite valuable to threat actors. This is because uncommon PII can not only be sold for fraudulent purposes but also used to answer security questions and circumvent identity verification. For instance, a bank account password can be bypassed if a security question asks what the name of an employer was in 2015 or the location of the victim’s university.
Key Points
- Fortune 500 and other brand name companies were spoofed and used as a phishing lure.
- The campaign targeted only the company’s social media, marketing, and related employees.
- Phishing pages were often active for less than a day in this campaign.
- Resume information, including experience and education, was also stolen.
- Threat actors have many uses for uncommon PII, like bypassing identity verification.
Phishing Email Content
Figure 1: November 2024 email spoofing Coca-Cola with a malicious URL that bypassed SEGs.
The emails in this campaign ranged from simple and direct to highly personalized and verbose. The simpler emails gave fewer details about the job or recipient, and the recipient was quickly told to click on the link and apply. The advanced emails differed in many ways: the victim’s information in the footer, legitimate job duties, and the use of jargon such as CRM (customer relationship management) indicated a remarkable level of sophistication. They included details about the job such as brand amplification, data harnessing, and customer engagement—all current social media manager responsibilities.
Fortune 500 Companies Spoofed
It should not be a surprise that Meta is the top impersonated brand offering a social media manager role. A phishing victim may think the job application is legitimate, as Meta owns many social media platforms and likely tests which strategies are most effective for engagement. Coca-Cola being spoofed is similarly expected: Coca-Cola had a large advertising presence in the print media era and continues to have one in the digital age. Compare these impersonated brands to the top ones previously seen at Cofense: Microsoft, Adobe, and Webmail.
Figure 2: Emails spoofing Meta made up the largest percentage of emails in this campaign.
The Social Media Manager Campaign
Mirroring other credential phishing campaigns, this campaign also follows the trend of using tailored subdomains. The credential phishing pages contain the name of the spoofed company, be it PayPal or Red Bull. Victims who clicked on the phishing link would either arrive at an optional CAPTCHA page or be directed to the phishing page.
Figure 3: CAPTCHA in spoofed Coca-Cola job application page to hinder automatic analysis.
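The tailored-subdomain pattern described above can be checked on the defender's side. The following is an added example, not code from Cofense or the original article: it flags URLs in an email body whose hostname names one of the spoofed brands while the registrable domain is not on that brand's allow-list. The allow-list entries, the constructed sample URLs (under the reserved .example TLD), and the two-label registrable-domain simplification are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative allow-list of each brand's legitimate registrable domain.
BRANDS = {"meta": {"meta.com"}, "cocacola": {"coca-cola.com"},
          "paypal": {"paypal.com"}, "redbull": {"redbull.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def registrable_domain(host):
    # Simplification: last two labels. Use the Public Suffix List in production
    # so that suffixes such as co.uk are handled correctly.
    return ".".join(host.rstrip(".").split(".")[-2:])

def spoofed_brands(url):
    """Return brands named in the hostname of a URL not hosted on the brand's own domain."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return []
    reg = registrable_domain(host)
    # Tokens: labels split on dots and hyphens, plus each label with hyphens removed
    # so that "coca-cola-careers" also yields "cocacolacareers".
    tokens = set(re.split(r"[.-]", host)) | set(host.replace("-", "").split("."))
    hits = []
    for brand, legit in BRANDS.items():
        if reg in legit:
            continue  # hosted on the brand's own domain
        # Short keywords must match a whole token ("meta" must not hit "metadata").
        if any(t == brand or (len(brand) > 4 and brand in t) for t in tokens):
            hits.append(brand)
    return sorted(hits)

def flag_urls(email_body):
    """Map every URL in an email body that names a spoofed brand to those brands."""
    flagged = {}
    for url in URL_RE.findall(email_body):
        brands = spoofed_brands(url)
        if brands:
            flagged[url] = brands
    return flagged

# Constructed sample body; hostnames use the reserved .example TLD.
SAMPLE = """Apply here: https://coca-cola-careers.hiring-portal.example/apply
Company site: https://www.paypal.com/us/home
Docs: https://metadata.example/ and https://meta.jobs-apply.example/start"""

if __name__ == "__main__":
    print(flag_urls(SAMPLE))
```

Because the phishing pages in this campaign were often live for less than a day, a check like this is most useful at delivery time or on click rather than in retrospective blocklisting.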
After the optional CAPTCHA page, the victim would be prompted to enter their email and phone number. This can be seen in Figure 4. Clicking the “Continue with Facebook” button would prompt the Facebook email address and phone number to appear. The “Jobs,” “FAQs,” “Locations,” and “Talent Communities” all redirect to the real company website—Red Bull in the case of Figure 4.
Figure 4: A Red Bull-spoofing account creation page to access the “job application.”
Job Applicant Data Exfiltration
Some versions of this campaign only stole the email address and phone number; others redirected users to the job application. In the advanced variation, more PII and other sensitive information were at risk.
Figure 5: Education and work experience also stolen in this Meta-spoofing “job application.”
As with real job applications, resume information was collected. Uncommon information exfiltrated by this campaign includes education and work experience. Higher education is also categorized as PII and should be protected from threat actors. Employment information like previous job duties is likewise valuable to a threat actor. An attacker could use this information to answer security questions and reset the password to other accounts owned by the victim. These types of information can also help a threat actor customize future attacks on the same target. Future attacks can be further personalized to the recipient to include industry, conferences, or student loans.
Who Was Targeted?
Figure 6: Finance-themed industries were the most targeted in this social media job application phishing campaign.
This campaign was highly targeted. The recipients of the phishing emails were currently employed in social media, marketing, or related roles. Threat actors likely conducted open-source intelligence (OSINT) to research this information from other sources. The only similarity between the industries appears to be the roles targeted: social media and related employees.
The phishing websites were also short-lived. In this campaign the websites rarely stayed active longer than a day—some were accessible for only three hours.
Article Link: https://cofense.com/feed/blog/job-application-spear-phishing