By: Emmett Smith and Brooke McLain, Cofense Phishing Defense Center
In Q3 2024, the Cofense Phishing Defense Center (PDC) identified a phishing campaign that impersonated several Fortune 500 companies by targeting individuals in social media and marketing positions through fake job applications. Earlier this year, the team researched how resume details have become valuable tools for threat actors in a blog titled “Job Application Spear Phishing.” Since then, the PDC has continued to monitor the use of this tactic by threat actors who have begun utilizing other well-known brands as well as refining their techniques to further deceive potential victims.
.PNG)
.PNG)
Figure 1-4: Four Big Branded Emails (Red Bull, Tesla, Google, Ferrari)
Email Body Analysis
The email body, like the ones mentioned in the previous blog post, baits the candidate with an opportunity to apply to well-respected companies (Red Bull, Google, Tesla, and Ferrari) as seen above in Figures 1-4. The threat actors use specific phrasing, such as “No pressure at all, but I thought you might want to take a look,” making the candidate more likely to learn more about this opportunity.
Another way the threat actor made this attack seem more legitimate was by spoofing various brand names while using “messaging-service[@]post.xero[.]com” as the from address. While Xero itself is a legitimate company, cybercriminals have exploited its email infrastructure in past phishing campaigns. By leveraging a trusted domain, attackers increase the likelihood of bypassing security filters and gaining the recipient’s trust.
Phishing Page Analysis
The threat actor tailors the initial URLs to each brand by using their name within the subdomain of the URL, furthering the likelihood of the candidate clicking the link. The use of up-to-date images and logos for the login pages also gives the victim a false sense of legitimacy.
The Red Bull phishing campaign follows a similar path as previously seen by Cofense, beginning with a CAPTCHA page, then a false Glassdoor landing page that prompts users to either enter their email credentials or log in through a spoofed Facebook portal designed to harvest Facebook login information.
Tesla and Ferrari use a similar path as Red Bull, but instead of redirecting to a Glassdoor landing page, they lead to a fake Facebook login page. The Tesla phish landing page has a “Thank You” message, the role the candidate is applying for, and two options to sign in. Candidates can either choose to login with their Facebook credentials or with their email address. If the email option is chosen, it goes through a few steps and then leads back to the fake Facebook login.
The Google phishing email campaign employs an alternative method. Once a user submits their email address, they are redirected to a counterfeit “X” login page, which presents other credential entry options like Google or Apple.
.PNG)
Figure 5-7: Easy Apply Button & Login Overlay
.PNG)
.PNG)
Figure 8-11: Final Phishing Page for Ferrari
Glassdoor Login Phishing Analysis
This time a new tactic that was utilized by the threat actor, compared to those mentioned in the blog referenced in the Introduction, is the request for the candidate to upload their resume for the Red Bull opportunity. In Job Application Spear Phishing, threat actors were requesting the candidate’s Personally Identifiable Information (PII) such as full name, phone number, email address, and physical address on the false Glassdoor page. But this new campaign includes the addition of requesting the user's resume, which reinforces the illusion of this being a legitimate job opportunity, as shown in Figures 12-13. The resume also allows for the threat actor to collect additional PII from the victim that can be used for further social engineering tactics.
.PNG)
.PNG%20alt=)
Figure 12-13: Additional
Conclusion
These career-themed phishing campaigns demonstrate how cybercriminals exploit job seekers’ trust by mimicking legitimate recruitment practices. By carefully crafting the emails through deceptive login prompts with legitimate logos and brands, as well as the use of multi-step processes, the threat actor creates an illusion of credibility for their campaign. With Cofense’s Managed Phishing Detection and Response, we are uniquely positioned to catch phish that have turned up in environments protected by SEGs using human intelligence, advanced technology, and real-time training.
Stage 1 - Observed Email Infection URL: | Infection URL IP(s): |
hXXps://www[.]redbull[.]com@rebrand[.]ly/redbull-interview-booking hXXps://www[.]career-tesla[.]com/#apply hXXps://rebrand[.]ly/ferrari-recruits | 76[.]76[.]21[.]93 66[.]33[.]60[.]35 15[.]197[.]137[.]111 |
Stage 2 - Observed Payload URL(s): | Payload IP(s): |
hXXps://redbull-social-media-manager[.]job-apply-now[.]com/candidate-100052701 hXXps://redbull-social-media-manager[.]job-apply-now[.]com/login_job
hXXps://bck-2qw8[.]onrender[.]com/api/create/user
hXXps://careers-ferrari[.]com/ | 38[.]114[.]120[.]167 146[.]70[.]81[.]214 64[.]29[.]17[.]1 64[.]29[.]17[.]65 |
All third-party trademarks referenced by Cofense, whether in logo form, name form, or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time, based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.