July 6, 2023 By Jonathan Reed 4 min read

Job recruitment scams have grown into a huge problem. The BBB reports that in the U.S. and Canada alone, an estimated 14 million people are exposed to job scams every year, with $2 billion in direct losses annually. These attacks hurt individuals and the companies they work for, as well as the organizations that the fraudsters impersonate.

In job scams, actors seek to extract sensitive information or commit financial fraud. Meanwhile, other groups use employment scams for backdoor deployment. These deployments enable remote access to systems and are the most common type of attack action found in a recent IBM X-Force report.

As per Mandiant, the espionage group UNC2970 targets LinkedIn users by using phony accounts posing as job recruiters. These accounts skillfully mimic the identities of legitimate users. From there, scammers carefully build rapport with targets to increase the likelihood of data extraction or network breach. Actors then deliver a phishing payload to a target’s email or directly over a messaging platform. The end goal is to deploy a backdoor and other malware families.

Hidden threats in job recruitment scams

Imagine you’re desperately looking for work and a representative from a recognized firm reaches out to you. You’re thrilled, right? To get on board with the company, they will ask you for information, such as your bank account numbers, social security number, birthday and address. They might also send you a file to download, such as a W2 form or job description.

If the offer comes from a job scam group, you have just handed over personal data or downloaded malware. And if you are a business owner whose employees are job-hunting while at work, you have just suffered a breach.

Many job seekers look to sites such as Indeed, LinkedIn, ZipRecruiter, FlexJobs and Craigslist to find employment. Freelancers also look for work on sites like Upwork, Fiverr and Freelancer.com. However, these platforms have no easy way to identify infiltrators posting fake job listings. Some job seekers might even receive a phishing email with a fake job offer that looks legitimate.

FBI alert and advice about job recruitment scams

In 2022, the FBI released an alert regarding job recruitment scams. According to the alert, fraudulent job postings are increasingly common on popular employment networking websites. These scams succeed by exploiting the lack of robust security measures on some recruitment sites.

Scammers can post fake job ads, including on legitimate company pages. Both job seekers and the impersonated company can find it challenging to distinguish between real and fraudulent postings. Even worse, scammers also duplicate authentic job ads, modify contact details and post counterfeit listings on other job networking platforms.

Fraudulent job listings often contain links and contact information that lead applicants to fake websites, email addresses and phone numbers controlled by criminals. The actors take great care to make their fake information look authentic, including using logos, images and email addresses that closely resemble the real thing.

In some cases, actors may steal the identities of actual company employees to make their posts seem more legitimate. This deception can even continue forward into fraudulent interviews and hiring processes. This makes it all the more difficult for job seekers to detect the scam before it’s too late.

The widespread damage from job recruitment scams

The damage to job seekers can occur in various forms. First, the theft of personal data can lead to extortion or identity theft. Employment scammers also conduct fraud schemes, such as:

  • Paid Training: The victim is told that part of job onboarding includes training that the victim must pay for. The fake employer promises reimbursement that never arrives. Fake training sites may be part of the overall scam.
  • Product Purchase: Scammers tell new “hires” they need a new iPhone, computer or other special equipment to begin work. The actors tell victims they will pay the difference with the first paycheck, which never arrives.
  • Merchandise Sales: Victims are duped into reselling illegally purchased goods paid for with stolen credit cards. Of course, they never receive payment for the work. Later, the police may show up at their address since it’s a lead in a fraud investigation.

Some ways to thwart these job recruitment scams include:

  • Double-check with the company’s HR department directly about the legitimacy of the job offer
  • Steer clear of any job offer that includes you having to pay for something
  • If you are contacted via a freelancer platform, keep all communications on the platform until you are officially hired or contracted
  • Beware of offers that seem to be too good to be true
  • Remain vigilant against phishing emails that may look legitimate. Treat any cold contact with suspicion.

The threat to enterprises

As mentioned earlier, Mandiant reported that the threat group UNC2970 uses sophisticated fake LinkedIn accounts to fool job seekers. Once UNC2970 has gained the target's confidence, the actor sends a phishing payload that mimics a job description. The payloads are Microsoft Word documents embedded with macros that perform remote template injection, which lets the document execute a payload fetched from a remote command-and-control (C2) server.
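Remote template injection leaves a structural trace that defenders can scan for without opening the document: Word records the attached template as a relationship in `word/_rels/settings.xml.rels`, and when that relationship is `TargetMode="External"` with an HTTP/FTP URL or a UNC path as its target, the template (and any macros it carries) is pulled from elsewhere at open time. The following is an added example, not code from the article or from Mandiant; the sample documents, the `.example.invalid` hostname and the file paths are constructed for the demonstration.

```python
"""Flag Word documents whose attached template is fetched from a remote location.

Added example (not from the article or Mandiant). It inspects word/_rels/settings.xml.rels,
the part of the OOXML package where Word stores the attachedTemplate relationship, and
reports external targets that point at a URL or a UNC share.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# A target is "remote" if it is an http/https/ftp URL or a UNC path (\\server\share\...).
REMOTE_TARGET = re.compile(r"^(?:https?|ftp)://|^\\\\", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the remote attachedTemplate targets found in a .docx/.dotm byte string."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits  # no attached-template relationships at all
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # Local templates (e.g. file:///C:\...\Normal.dotm) are normal and are skipped.
            if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                hits.append(target)
    return hits


def build_sample(template_target: str) -> bytes:
    """Constructed minimal .docx: just enough package parts to mimic Word's layout."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    f'<?xml version="1.0"?><w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        zf.writestr("word/settings.xml",
                    f'<?xml version="1.0"?><w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
                    f'<w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed sample targets: one remote (suspicious), one local (benign), one UNC share.
SUSPICIOUS_TARGET = "http://hr-portal.example.invalid/Job_Description.dotm"
BENIGN_TARGET = r"file:///C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"
UNC_TARGET = r"\\fileserver.example.invalid\templates\Letterhead.dotm"

if __name__ == "__main__":
    for label, target in [("suspicious", SUSPICIOUS_TARGET), ("benign", BENIGN_TARGET),
                          ("unc", UNC_TARGET)]:
        print(label, find_remote_templates(build_sample(target)))
```

UNC hits deserve a second look rather than an automatic block: some organisations do host shared letterhead templates on a file server, so pair the check with an allowlist of known template shares. Anything resolving to an internet host in a document that arrived through a job-seeker channel is the pattern the article describes and is worth quarantining for analysis.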

The group’s main goal is to deploy PLANKWALK, a backdoor written in C++ that communicates over HTTP to execute an encrypted payload. From there, a wide range of custom, post-exploitation tooling can be deployed.

One such tool is SIDESHOW, a multi-threaded backdoor that uses RC6 encryption and supports at least 49 commands. Capabilities include arbitrary command execution (WMI capable); payload execution via process injection; service, registry, scheduled task and firewall manipulation; querying and updating Domain Controller settings; creating password-protected ZIP files and more.

Enterprise mitigation tactics

As per Mandiant, some recommendations for enterprises to protect against UNC2970 backdoor-type threats include:

  • Cloud-Only Accounts: Utilize cloud-only accounts for privileged access within Azure AD. Privileged access should never be assigned to synced accounts from on-premises identity providers such as Active Directory.
  • Strong Multi-Factor Authentication Methods: MFA enhancements for non-privileged users should include contextual information regarding the MFA request. This can include number-matching, application name and geographic location. For privileged accounts, authentication can involve the enforcement of hardware tokens or FIDO2 Security Keys, plus requiring MFA for each sign-in regardless of location.
  • Privileged Access Management (PAM): PAM solutions provide authorized access when requested for a specific duration of time. This includes an approval flow prior to providing account access to a highly privileged role.
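The first two recommendations can be checked against a tenant's own user inventory. The script below is an added example, not Mandiant's or IBM's tooling: it walks a list of user records and reports privileged roles held by on-premises-synced accounts and privileged accounts that have no hardware-token or FIDO2 class authentication method. The record shape borrows two Microsoft Graph user property names (`userPrincipalName`, `onPremisesSyncEnabled`); the role names, the MFA method labels and the sample export itself are constructed for the example.

```python
"""Audit a user export for the privileged-access gaps in the recommendations above.

Added example (not Mandiant's or IBM's code). Field names userPrincipalName and
onPremisesSyncEnabled follow Microsoft Graph; the role set, the MFA method labels and
sample_export() are constructed for this demonstration.
"""
from typing import Dict, List, Tuple

# Roles treated as privileged for the audit (constructed list; extend for your tenant).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Exchange Administrator",
}
# Methods treated as hardware-token / FIDO2 class (constructed labels).
PHISHING_RESISTANT = {"fido2", "hardwareToken", "x509Certificate"}


def audit_privileged_access(users: List[Dict]) -> List[Tuple[str, str]]:
    """Return (userPrincipalName, finding) pairs for privileged accounts that break policy."""
    findings = []
    for user in users:
        roles = set(user.get("roles", [])) & PRIVILEGED_ROLES
        if not roles:
            continue  # non-privileged accounts are out of scope for these two checks
        upn = user["userPrincipalName"]
        # Recommendation 1: privileged access only on cloud-only accounts.
        if user.get("onPremisesSyncEnabled"):
            findings.append((upn, "privileged role assigned to on-premises-synced account"))
        # Recommendation 2: privileged accounts authenticate with hardware tokens / FIDO2.
        if not set(user.get("mfaMethods", [])) & PHISHING_RESISTANT:
            findings.append((upn, "privileged account without hardware-token/FIDO2 MFA"))
    return findings


def sample_export() -> List[Dict]:
    """Constructed three-user export standing in for a real tenant query."""
    return [
        {"userPrincipalName": "ga-cloud@example.invalid", "onPremisesSyncEnabled": False,
         "roles": ["Global Administrator"], "mfaMethods": ["fido2"]},
        {"userPrincipalName": "alice@example.invalid", "onPremisesSyncEnabled": True,
         "roles": ["Security Administrator"], "mfaMethods": ["authenticatorPush"]},
        {"userPrincipalName": "bob@example.invalid", "onPremisesSyncEnabled": True,
         "roles": [], "mfaMethods": ["sms"]},
    ]


if __name__ == "__main__":
    for upn, finding in audit_privileged_access(sample_export()):
        print(f"{upn}: {finding}")
```

In the constructed export only `alice` is flagged, once for each recommendation; the cloud-only administrator with a FIDO2 key passes, and the synced non-privileged user is ignored because the checks only apply to privileged roles. Run against a real export, the output is a starting list for moving privileged roles to cloud-only accounts and enrolling hardware keys.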

Treacherous job recruitment market

Looking for a new job is stressful, and threat groups have made it even more challenging. Now more than ever, it’s critical to be aware of these threats. From the individual looking for gainful employment to enterprises assessing their risks, it’s time to raise awareness about job recruitment scams.
