Job recruitment scams have grown into a huge problem. The BBB reports that in the U.S. and Canada alone, an estimated 14 million people are exposed to job scams every year, with $2 billion in direct losses annually. These attacks hurt individuals and the companies they work for, as well as the organizations that the fraudsters impersonate.

In job scams, actors seek to extract sensitive information or commit financial fraud. Meanwhile, other groups use employment scams for backdoor deployment. These deployments enable remote access to systems and are the most common type of attack action found in a recent IBM X-Force report.

As per Mandiant, the espionage group UNC2970 targets LinkedIn users by using phony accounts posing as job recruiters. These accounts skillfully mimic the identities of legitimate users. From there, scammers carefully build rapport with targets to increase the likelihood of data extraction or network breach. Actors then deliver a phishing payload to a target’s email or directly over a messaging platform. The end goal is to deploy a backdoor and other malware families.

Hidden threats in job recruitment scams

Imagine you’re desperately looking for work and a representative from a recognized firm reaches out to you. You’re thrilled, right? To get on board with the company, they will ask you for information, such as your bank account numbers, social security number, birthday and address. They might also send you a file to download, such as a W2 form or job description.

If the offer is from a job scam group, then you’ve just given up personal data or downloaded malware. And if you’re a business owner, and your employees are looking for work on the job, you’ve just suffered a breach.

Many job seekers look to sites such as Indeed, LinkedIn, ZipRecuiter, Flexjobs and Craigslist to find employment. Freelancers also look for work on sites like Upwork, Fiverr and Freelancer.com. However, these platforms have no easy way to identify infiltrators posting fake job listings. Some job seekers might even receive a phishing email with a fake job offer that looks legitimate.

FBI alert and advice about job recruitment scams

In 2022, the FBI released an alert regarding job recruitment scams. According to the alert, fraudulent job postings are increasingly common on popular employment networking websites. The success of these scams involves exploiting a lack of robust security measures on some recruitment sites.

Scammers can post fake job ads, including on legitimate company pages. Both job seekers and the impersonated company can find it challenging to distinguish between real and fraudulent postings. Even worse, scammers also duplicate authentic job ads, modify contact details and post counterfeit listings on other job networking platforms.

Fraudulent job listings often contain links and contact information that lead applicants to fake websites, email addresses and phone numbers controlled by criminals. The actors take great care to make their fake information look authentic, including using logos, images and email addresses that closely resemble the real thing.

In some cases, actors may steal the identities of actual company employees to make their posts seem more legitimate. This deception can even continue forward into fraudulent interviews and hiring processes. This makes it all the more difficult for job seekers to detect the scam before it’s too late.

The widespread damage from job recruitment scams

The damage to job seekers can occur in various forms. First, the theft of personal data can lead to extortion or identity theft. Employment scammers also conduct fraud schemes, such as:

  • Paid Training: The victim is told that part of job onboarding includes training that the victim must pay for. The fake employer promises reimbursement that never arrives. Fake training sites may be part of the overall scam.
  • Product Purchase: Scammers tell new “hires” they need a new iPhone, computer or other special equipment to begin work. The actors tell victims they will pay the difference with the first paycheck, which never arrives.
  • Merchandise Sales: Victims are duped into reselling illegally purchased goods paid for with stolen credit cards. Of course, they never receive payment for the work. Later, the police may show up at their address since it’s a lead in a fraud investigation.

Some ways to thwart these job recruitment scams include:

  • Double-check with the company’s HR department directly about the legitimacy of the job offer
  • Steer clear of any job offer that includes you having to pay for something
  • If you are contacted via a freelancer platform, keep all communications on the platform until you are officially hired or contracted
  • Beware of offers that seem to be too good to be true
  • Remain vigilant against phishing emails that may look legitimate. Treat any cold contact with suspicion.

The threat to enterprises

As mentioned earlier, Mandiant reported that the threat group UNC2970 uses sophisticated fake LinkedIn accounts to fool job seekers. Once UNC2970 gains confidence with the target, the actor sends a phishing payload that mimics a job description. The payloads are Microsoft Word documents that threat actors have embedded with macros to perform a remote-template injection. This enables the execution of a payload from a remote command and control (C2).

The group’s main goal is to deploy PLANKWALK, a backdoor written in C++ that communicates over HTTP to execute an encrypted payload. From there, a wide range of custom, post-exploitation tooling can be deployed.

One such tooling is SIDESHOW, a multi-threaded backdoor that uses RC6 encryption and supports at least 49 commands. Capabilities include arbitrary command execution (WMI capable); payload execution via process injection; service, registry, scheduled task and firewall manipulation; querying and updating Domain Controller settings; creating password-protected ZIP files and more.

Enterprise mitigation tactics

As per Mandiant, some recommendations for enterprises to protect against UNC2970 backdoor-type threats include:

  • Cloud-Only Accounts: Utilize cloud-only accounts for privileged access within Azure AD. Privileged access should never be assigned to synced accounts from on-premises identity providers such as Active Directory.
  • Strong Multi-Factor Authentication Methods: MFA enhancements for non-privileged users should include contextual information regarding the MFA request. This can include number-matching, application name and geographic location. For privileged accounts, authentication can involve the enforcement of hardware tokens or FIDO2 Security Keys, plus requiring MFA for each sign-in regardless of location.
  • Privileged Access Management (PAM): PAM solutions provide authorized access when requested for a specific duration of time. This includes an approval flow prior to providing account access to a highly privileged role.

Treacherous job recruitment market

Looking for a new job is stressful, and threat groups have made it even more challenging. Now more than ever, it’s critical to be aware of these threats. From the individual looking for gainful employment to enterprises assessing their risks, it’s time to raise awareness about job recruitment scams.

More from Fraud Protection

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today