Social Engineering and Harvesting Personal Data with Fake Job Postings

In recent months, the FBI has been warning of an increasing number of fake job postings where malicious actors have been harvesting the personal data of job seekers for fraud purposes.

The FBI warns that malicious actors or ‘scammers’ continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money. These scammers lend credibility to their scheme by using legitimate information to imitate businesses, threatening reputational harm for the business and financial loss for the job seeker.

Since early 2019, the average reported loss from this scheme is nearly $3,000 per victim, and many victims have also reported that the scheme negatively affected their credit scores.

Interestingly, back in 2019, the North Korean APT group Lazarus, allegedly infiltrated Redbanc (a company that interconnects the ATM infrastructure of all Chilean banks) through a fake and lengthy hiring process, which included several rounds of Skype video interviews with the target. In this latter elaborate social engineering attack, the Redbanc employee was asked to download, install, and run a malicious executable as part of the recruitment process in order to generate a standard application form. The ruse worked and the APT group successfully infiltrated Redbanc’s network.

The lure in the Redbanc attack was a well-paid job opening for a software developer, posted on the professional social media site LinkedIn. Posting any well-paid job on any of the major job listing sites, would no doubt attract a significant number of applicants, or in this case, scam and social engineering victims.

The vulnerability here is that none of these sites run any checks on whether these job listings are legitimate or not. If anyone signing up to LinkedIn can post a job, this appears to be a relatively straightforward social engineering vector for a group willing to put in sufficient time and effort to come across as a legitimate hiring company.

Few job candidates are going to be closely scrutinising these job listings and the “employees” behind them. Once their trust has been gained through a number of interactions, it would be a seemingly simple task from that point to convince them that running an executable would load a basic program for a questionnaire or an application form. Asking for additional personal data would be even easier. The reward of a good well-paying job is likely going to override most security concerns for the job applicants.

Even if the jobs sites start screening companies to prevent spoofing, it would be trivial for a group to set up a shell company in a loosely regulated jurisdiction to make themselves look legitimate. The FBI’s guidance on protecting yourself from these scams isn’t much help either. One of their indicators of a fake job scammer is that “interviews are not conducted in-person or through a secure video call”. Sign up for a free Zoom account and you too can avoid looking like a scammer.

This isn’t going to be an easy security problem to solve, unless jobs listings sites start doing heavy due diligence on anyone posting a job, as well as applicants taking extra measures to verify that the companies they apply for and the individuals with whom they speak are all legitimate. Perhaps it’s time job applicants started requesting ID and references from recruiters and hiring managers.