
Job-related email threats remain a preferred theme for threat actors

Although job-themed threats are often very basic, it is essential to identify notable attacks and avoid falling victim to them. Emile Abou Saleh discusses how threat actors are capitalising on the pandemic by using fake job postings to steal personally identifiable information


Threat actors have been capitalising on the pandemic by using fake job postings to steal personally identifiable information.

Recently, 300 nurses were stranded in the UAE after being promised jobs at vaccination centres and enticed with high salaries and additional benefits. Regulators such as the Dubai Financial Services Authority, and law enforcement agencies including the Abu Dhabi Police and Dubai Police, have already issued alerts warning people about the increase in scams and fraudulent activity around job postings.

Although job-themed threats are often very basic, some notable campaigns are worth highlighting for their attack complexity. Proofpoint’s regional director MEA, Emile Abou Saleh, explains how threat actors are capitalising on the pandemic by using fake job postings to steal personally identifiable information, and what can be done to avoid falling victim to them.

Job-themed phishing and unemployment fraud

Job offers or potential employment opportunities are perennially popular threat lures. As the Covid-19 pandemic has forced many people out of work, such themes can be more alluring to a wider potential victim pool.

According to the FBI, unemployment fraud – including online campaigns – cost people more than $59 million in 2020. These types of campaigns use various methods to lure victims into clicking on malicious links, downloading attachments, or sending personal data to the threat actors. The goals of these campaigns are broad and can be used for general data theft, initial access to an organisation, or to steal money from victims.

Emile Abou Saleh – regional director, Middle East & Africa at Proofpoint.

Commodity business email compromises

Business Email Compromise (BEC) threat actors are leveraging job-themed threats in ongoing campaigns. BEC email fraud is one of the most financially damaging threats to businesses of all sizes and across industries.

Senders in these campaigns use free email services such as Yahoo or Outlook, and can quickly and cheaply recreate new email addresses once malicious emails are burned or blocked by security services.

Although the goal of the threat actors in these scenarios is not clear, there are multiple outcomes typically possible if the recipient replies. One possibility is using these threats to recruit mules, or money mules.

Money mules are a mechanism used to move funds around and obfuscate the fund origin. This person acts as an intermediary between attackers. Mule accounts are often set up under the guise of legitimate “work-from-home” offers.

The victim is led to believe what they’re doing is a legitimate function. The mule will often receive a portion of the money acquired during other fraudulent activities.

Another possibility is an advance-fee fraud (AFF) threat where the threat actor asks for a smaller amount of money in advance, promising a larger payout later.

While there are endless variations of these types of threats, typical attacks may impersonate a government official, a legal representative, or a person in a dire situation. The threat actor will have a story for how they have come into a large amount of money, for example through a fake job offer. However, the actor claims they cannot receive that money without paying an upfront fee and so requires the threat recipient’s help.

In exchange for helping, the recipient is promised their money back plus a portion of the large amount. Once the threat actor receives the advance payment, they’ll often cut all contact and disappear.

Sometimes job-themed threats will use more sophisticated tactics. In March 2021, a multi-step job-themed campaign was distributing the More_eggs downloader. More_eggs is a JavaScript backdoor used to establish persistence, profile the machine, and drop additional payloads.

The new campaigns mimic previous activities and send victims messages with subjects offering a job position. The initial message is frequently a LinkedIn connection request or another benign message regarding a job.

The actor subsequently follows up with an email message that contains a URL linking to a landing page that mimics a job site. The page initiates a download of an attachment that ultimately is used to execute the More_eggs downloader.
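A defender-side triage rule built from the traits this article describes (senders on free webmail services, job-themed subjects or bodies, and links to landing pages outside known job sites), added here as an illustration rather than code from the article or from Proofpoint; the domain list, keyword list, allow-list and the two sample messages are constructed assumptions, not real indicators.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed indicator lists for this example (assumptions, not a vendor feed).
FREE_MAIL_DOMAINS = {"yahoo.com", "outlook.com", "hotmail.com", "gmail.com"}
JOB_KEYWORDS = re.compile(r"\b(job|position|vacancy|hiring|resume|work.from.home)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRUSTED_JOB_SITES = {"linkedin.com"}  # assumed allow-list of legitimate job sites

def sender_domain(msg: Message) -> str:
    """Extract the domain part of the From header (display names tolerated)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def score_job_lure(raw: str) -> dict:
    """Score one plain-text RFC 822 message: one point per indicator hit."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    hits = []
    if sender_domain(msg) in FREE_MAIL_DOMAINS:
        hits.append("free_webmail_sender")          # cheap, disposable sender address
    if JOB_KEYWORDS.search(msg.get("Subject", "")) or JOB_KEYWORDS.search(body):
        hits.append("job_theme")                    # employment-themed lure
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == t or host.endswith("." + t) for t in TRUSTED_JOB_SITES):
            hits.append("untrusted_url:" + host)    # link to a look-alike landing page
            break
    return {"score": len(hits), "hits": hits}

# Constructed sample messages (not real campaign data).
SUSPICIOUS = (
    "From: HR Recruiter <recruiter2021@yahoo.com>\n"
    "Subject: Job offer - nurse position at vaccination centre\n"
    "\n"
    "High salary and benefits. Apply here: http://jobs-portal-example.invalid/apply\n"
)
BENIGN = (
    "From: Internal Comms <comms@example-corp.invalid>\n"
    "Subject: Team meeting notes\n"
    "\n"
    "Slides are on our company page: https://www.linkedin.com/company/example-corp\n"
)

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, score_job_lure(raw))
```

A score of 2 or more is a reasonable threshold for routing the message to manual review rather than the inbox.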

How to avoid falling victim to a fake job posting

Job, employment, and resume-themed phishing lures are popular mechanisms threat actors use to distribute malware, steal sensitive data, and establish initial access to target endpoints. Below are some of the key steps to reduce successful exploitation:

  • Educate users to identify and report suspicious emails. Regular phishing training and simulated attacks can help prevent attacks as well as assist in identifying people who are especially vulnerable to attacks.
  • Understand that users will eventually click on some threats. Attackers are always innovating to find new ways to exploit human nature. Find a solution that spots and blocks inbound email threats targeting employees before they reach the inbox, and that can manage the entire spectrum of email threats. An organisation’s solution should analyse both external and internal emails, as attackers may use compromised accounts to trick users within the same organisation. Web isolation can be a critical safeguard for unknown and risky URLs.
  • Do not accept or engage with unknown social media requests. Threat actors commonly use social media to distribute malware or establish initial connections with victims. It is best practice to not engage with, download attachments, or click on links provided by unknown users.