Phishing Campaign Targets Job Seekers, Employers
Attackers Exploit Economic Downturn by Deploying Malware in Resumes, ID Attachments
Threat actors are exploiting the ongoing economic downturn by using job-themed phishing and malware campaigns to target job seekers and employers to steal sensitive information and hack company recruiters.
The phishing campaigns target job seekers by sending emails that purport to be from a recruitment agency, asking them to provide personal information or login credentials. The malware campaign attempts to drop prominent malware such as AgentTesla, Emotet, Cryxos Trojans and Nemucod on victims' devices.
"These emails look legitimate but are designed to steal sensitive information such as passwords or financial information. The malware can then be used to steal sensitive information or to gain unauthorized access to the job seeker's device and the information stored on it," according to a report from cybersecurity firm Trellix.
Trellix researchers also observed that attackers are posing as job seekers to target employers. The attackers send specially crafted emails delivering malware through attachments or URLs that are disguised as applicant resumes or identification documents.
"This type of attack is becoming increasingly common as cybercriminals take advantage of the high volume of job applications that employers receive," says Daksh Kapur, research scientist at Trellix. "The goal of these attacks is to gain unauthorized access to sensitive information, steal personal data and disrupt the operation of the organization. We have also observed APT groups leveraging job-themed emails to deliver malware."
Attackers also are using fake or stolen documents such as Social Security numbers and driver's licenses to make emails look legitimate and increase the credibility of the email, "making it more likely that the recipient will fall for the scam," Kapur says.
Cybercriminals and state-sponsored groups are creating typosquatting domains of popular job websites to target job seekers, Kapur says. Typosquatting is a social engineering attack in which attackers use misspelled domains for malicious purposes.
"These domains are like the legitimate websites, but with slight variations such as misspelled words or different extensions," Kapur says.
The domains trick job seekers into thinking they are applying for a job through a legitimate website, when in fact they are providing their sensitive information to cybercriminals.
Kapur also says that the researchers have observed an increase in registrations of new typosquatted versions of job-related domains such as LinkedIn and Indeed. Some of the typosquatting domains observed by Trellix are indeed-id.com, indeed-7.com, indeed-a.com, indeed.ch, indedd.com, linkhedin.com, linkegin.com and linkednn.com.
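As an added example, not code from the Trellix report or from this article, here is a small defender-side heuristic in Python that flags domains resembling a watchlist of job-site brands. It covers the three variations described above: a brand name with an added token (indeed-id, indeed-7), the brand on a different extension (indeed.ch), and near-miss spellings (indedd, linkhedin, linkegin, linkednn). The brand watchlist and the benign sample domains are assumptions; the suspicious samples are the ones quoted in the article.

```python
# Added example, not from the article or from Trellix: a heuristic typosquat
# detector for a watchlist of job-site brands. Intended for screening newly
# registered domains or URLs seen in inbound mail on the defender's side.
import re
from typing import Dict, Iterable, Optional

# Assumed watchlist: brand token -> legitimate registrable domain.
BRANDS: Dict[str, str] = {"indeed": "indeed.com", "linkedin": "linkedin.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[str]:
    """Return a reason string if the domain looks like a typosquat, else None."""
    domain = domain.lower().strip(".")
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    # Legitimate domain or one of its subdomains (www.linkedin.com) is fine.
    if any(domain == legit or domain.endswith("." + legit) for legit in BRANDS.values()):
        return None
    sld, tld = labels[-2], labels[-1]  # assumes a two-label registrable suffix
    for brand, legit in BRANDS.items():
        legit_tld = legit.rsplit(".", 1)[1]
        # Exact brand label on an unexpected extension: indeed.ch
        if sld == brand and tld != legit_tld:
            return f"brand '{brand}' on unexpected TLD .{tld}"
        # Brand plus a hyphenated prefix or suffix: indeed-id, indeed-7, indeed-a
        if sld != brand and re.fullmatch(rf"(?:[a-z0-9]+-)?{brand}(?:-[a-z0-9]+)?", sld):
            return f"brand '{brand}' with added token in '{sld}'"
        # Near-miss spelling: indedd, linkhedin, linkegin, linkednn
        if levenshtein(sld, brand) <= 2:
            return f"'{sld}' is within edit distance 2 of '{brand}'"
    return None


def flag_domains(domains: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious domain to the reason it was flagged."""
    return {d: reason for d in domains if (reason := classify(d))}
```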
More than 70% of the job-related cyberattacks target the United States, the Trellix report says. Other targeted countries include Japan, Ireland, the United Kingdom, Sweden, Peru, India, the Philippines and Germany.
"It is crucial for both job seekers and employers to be aware of this new threat and take precautions to protect their personal and financial information," Kapur says. "The best defense against such phishing attacks is to exercise caution when receiving emails from unfamiliar sources, especially those containing links or attachments."
Researchers at cybersecurity firm ClearSky previously said that an Iranian APT group called Siamesekitten had been targeting Israeli companies in a supply chain attack campaign. The attackers lured victims with fake job offer emails that directed them to websites that downloaded malware (see: Iranian Group Targets Israeli Firms).
The campaign, dubbed DreamJob, is based on a fake LinkedIn profile that purports to belong to a job recruiter from a prominent defense firm. The researchers said fraudsters likely spent months creating the profile and interacting with the victims (see: North Korean Hackers Wage Job-Themed Spear-Phishing Attacks).