Threat Actors Attack Job Seekers of Fortune 500 Companies to Steal Personal Details


In Q3 2024, Cofense Intelligence uncovered a targeted spear-phishing campaign aimed at employees working in social media, marketing, and related roles.

The attackers impersonated Fortune 500 companies, including Meta, Coca-Cola, and PayPal, to lure victims into applying for fake job opportunities as social media managers.

Unlike traditional credential phishing campaigns, this operation also exfiltrated sensitive job application details such as education history and work experience, which can be exploited for identity theft or bypassing security measures.

Education and work experience also stolen in this Meta-spoofing “job application.”

The phishing emails varied in complexity. Simpler versions provided minimal details and urged recipients to click on a link to apply for the position.

Advanced versions demonstrated a higher level of sophistication, incorporating personalized information, legitimate job descriptions, and industry-specific jargon such as “CRM” and “data harnessing.”

These elements increased the perceived legitimacy of the fraudulent emails.

The campaign also utilized tailored subdomains to mimic the spoofed companies’ websites.
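A defender can screen URLs extracted from inbound mail for this pattern. The following is an added example, not code from the Cofense report: it flags hostnames in which a spoofed brand name appears in any label while the registrable domain is not one of that brand's own. The allowlist, the helper names, and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: brand token -> registrable domains treated as official.
# Maintain your own list; these entries are illustrative.
OFFICIAL = {
    "meta": {"meta.com"},
    "cocacola": {"coca-colacompany.com"},
    "paypal": {"paypal.com"},
    "redbull": {"redbull.com"},
}
ALL_OFFICIAL = set().union(*OFFICIAL.values())

def registrable(host):
    # Simplification: last two labels. Use a Public Suffix List in production.
    return ".".join(host.split(".")[-2:])

def brand_in_label(brand, label):
    tokens = re.split(r"[-_]", label)
    squashed = label.replace("-", "").replace("_", "")
    if brand in tokens or squashed == brand:
        return True
    # Short brands ("meta") must match a whole token to avoid "metadata".
    return len(brand) > 4 and brand in squashed

def spoofed_brands(url):
    """Return brand tokens found in a hostname that is not an official domain."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host or registrable(host) in ALL_OFFICIAL:
        return []
    labels = host.split(".")
    return sorted(b for b in OFFICIAL
                  if any(brand_in_label(b, l) for l in labels))

# Constructed sample URLs (reserved .example TLD for the lookalikes).
SAMPLE_URLS = [
    "https://meta-careers.hiring-portal.example/apply",
    "https://coca-cola.jobs-apply.example/",
    "https://www.paypal.com/us/jobs",
    "https://metadata.vendor.example/docs",
    "https://jobs.redbull.com/",
]

def flag_urls(urls):
    return {u: hits for u in urls if (hits := spoofed_brands(u))}

if __name__ == "__main__":
    for url, brands in flag_urls(SAMPLE_URLS).items():
        print(f"suspicious: {url} (brand tokens: {', '.join(brands)})")
```

Because the pages in this campaign were short-lived, a check like this is most useful at mail delivery time rather than in later retrospective scans.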

In some cases, victims encountered an optional CAPTCHA page before being redirected to the phishing site.

CAPTCHA in spoofed Coca-Cola job application page to hinder automatic analysis.

Data Theft Beyond Credentials

The campaign’s primary objective extended beyond stealing login credentials.

Victims were prompted to provide personal information such as email addresses, phone numbers, educational qualifications, and employment history.

Resume data collected through these phishing pages included uncommon personally identifiable information (PII), such as previous employers and university details.

This type of PII is particularly valuable to threat actors as it can be used to answer security questions or reset account passwords.

Additionally, such information enables attackers to craft more targeted future attacks.

Some phishing pages redirected victims to legitimate company websites after collecting their data, further masking the fraudulent activity.

For instance, phishing sites impersonating Red Bull included links labeled “Jobs,” “FAQs,” and “Talent Communities” that directed users to Red Bull’s official website.

Short-Lived Phishing Pages with High Impact

The phishing websites used in this campaign were designed for short-term use, often remaining active for less than a day and sometimes for as little as three hours.

This limited window of activity likely aimed to evade detection by automated security systems.

The attackers also employed open-source intelligence (OSINT) techniques to identify potential targets within specific industries.

While the targeted roles were primarily in social media and marketing, there was no clear pattern among the industries affected apart from the professional functions of the victims.

According to the Cofense report, this campaign underscores the evolving tactics of cybercriminals who now exploit job seekers by leveraging trusted brand names and sophisticated methods.

The stolen information not only poses immediate risks but also equips attackers with tools for long-term exploitation through highly personalized attacks.
