New Phishing Emails Pretend to Offer Jobs to Steal Facebook Logins – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More

The search for a new job, especially with a slow labour market in the US, has become the perfect opportunity for scammers to trap unsuspecting users. A new report from cybersecurity research firm Sublime Security, released on October 16, 2025, reveals yet another widespread credential phishing campaign, this one aimed specifically at stealing victims’ Facebook login details.

According to Sublime’s blog post, shared with Hackread.com, targets are lured with fake job postings, mainly for Social Media Manager roles. To increase their chances of success, the scammers exploit users’ trust in well-known, reputable brands, including KFC, Ferrari, and Red Bull.

Report author Bryan Campbell noted that the methodology remained the same across all emails, which suggests the scammers used a template or an LLM (Large Language Model) to quickly launch a varied wave of attacks.

An LLM is essentially a smart computer program that can generate human-like text, allowing scammers to create many different, convincing messages faster. In this scam, the emails usually come from trusted services like Google Workspace and Microsoft 365.

How the Trap Works

When the recipient of the lure email, such as a message pretending to be from Red Bull, clicks the job link, they are quickly taken to a fake security check with an image challenge. The victim is then directed to a fake job advertisement on a site designed to look like Glassdoor. The user is prompted to apply, which requires logging in with either their email or Facebook account.

After a failed attempt to log in with email, the victim is presented with a fake Facebook login screen. After handing over their login details, the victim is simply shown a loading bar that never reaches 100%, giving the scammers the credentials while the user waits in vain.

Spotting the Scam

Sublime Security researchers noted clear warning signs, such as a deceptive URL, like [email protected]. This link is designed to appear as if it leads to Red Bull’s site, but actually redirects to a separate rebrand.ly address.

Moreover, the scammers rely heavily on brand impersonation: the email features the company’s logo and names like “Alexa from Red Bull Talent.” However, on closer inspection there is a clear mismatch: the sender email address and the reply-to address do not align with the brand’s actual website (redbull.com). Campbell explains that such scams are effective because they “offer opportunities too enticing to pass up.”
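The warning signs above can be checked mechanically. The following is an added example, not Sublime Security's detection logic or code from the report: it flags a message whose display name uses a brand while the From domain, Reply-To domain, or link hosts fall outside that brand's domain. The brand map, sample message, addresses and link path are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit
import re

# Constructed brand map (assumption); redbull.com is the domain the article names.
BRANDS = {"red bull": "redbull.com"}

# Constructed sample message; the addresses and link path are placeholders.
SAMPLE = """\
From: "Alexa from Red Bull Talent" <alexa@mail-sender.example>
Reply-To: hiring@talent-replies.example
Subject: Social Media Manager role

Apply here: https://rebrand.ly/placeholder
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def in_domain(host, domain):
    """True if host is the brand domain or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def findings(raw):
    """List the mismatches between the impersonated brand and the message."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    parts = [p for p in msg.walk() if not p.is_multipart()]
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in parts)
    out = []
    for brand, domain in BRANDS.items():
        if brand not in display:
            continue  # display name does not claim this brand
        for header in ("From", "Reply-To"):
            d = domain_of(msg.get(header))
            if d and not in_domain(d, domain):
                out.append(f"{header} domain {d} does not match {domain}")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            # hostname is the host actually contacted; any text before an
            # '@' in the authority is userinfo, not the host.
            host = (urlsplit(url).hostname or "").lower()
            if not in_domain(host, domain):
                out.append(f"link host {host} does not match {domain}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```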

Part of a Larger Threat

Scammers consistently use the job market to trick people, and this Facebook-focused campaign is not an isolated incident. On October 14, 2025, Sublime exposed an identical type of scam, also reported by Hackread.com.

The attack impersonated outreach from Google Careers to steal login details from users. The quick follow-up to target Facebook credentials shows how rapidly these criminals adjust their tactics.
