Global Threat Actors Use the ‘Great Resignation’ to Target Job Seekers

If a job offer looks too good or too weird to be true, it probably is. Global threat actors are taking advantage of “the great resignation” and targeting job seekers online with phishing links. At a Black Hat briefing this week, security experts explained where the hackers are coming from and how they’re finding success with their schemes.

PwC’s Global Threat Intelligence team identified nation-state threat actors in Iran and North Korea as the primary phishing scam culprits. According to Sveva Vittoria Scenarelli, principal cyber threat intelligence analyst at PwC, and Allison Wikoff, PwC’s director of global threat intelligence, malicious groups use email, social media, and messaging apps to lure in current employees at high-profile companies.

The groups also flood job sites such as Indeed.com and LinkedIn with posts and messages describing lucrative opportunities for remote workers. But the posts and messages usually contain links to spoofed websites that install malware on your computer or mobile device. 


What Do the Hacker Groups Want?

Many threat actors behind the job post phishing schemes have a long history of online crimes. Some of the groups are motivated by money, some want industry secrets, and others are looking to commit identity theft.

North Korea’s Black Alicanto is known in the cybersecurity community for targeting big players in the cryptocurrency market. Charming Kitten, a group based in Iran, targets journalists with phishing links in emails. Another Iran-based group, Yellow Liderc, targets US veterans looking for new jobs online. 

Yellow Dev 13 is another group from Iran, and the PwC presenters say the collective appears to be motivated by espionage. The group creates websites for non-existent companies staffed by fake recruiters and trainers. Yellow Dev 13 also posts elaborate profiles with AI-generated photos on social media sites purporting to be the imitation employees. These fake profiles can make it difficult for job seekers to verify that the recruiter contacting them is a real human offering them a legit work opportunity.


How to Avoid Job Post Phishing Scams

The most common tactic among the threat actors is to send malicious links and file attachments to their targets via email or messages. To avoid getting duped during a job search, the presenters at Black Hat recommended hovering your cursor over a link in an email to see if the web address looks legit. The problem with this advice is that it’s not hard to spoof a legitimate website’s address well enough to fool people into clicking on it. 

Pop quiz, hotshot: Without entering these addresses into your search bar, which is the correct web address for the popular job search site Indeed?

A. Indeed.jobs

B. Indeed.com

C. Indeed-jobs.com

The answer is B. If you run a Google search with the term “Indeed jobs,” the results reveal that both the first and second addresses listed above are for legitimate websites. Indeed.jobs is a site for people who want to work at Indeed, the job-posting company. Indeed.com is for job seekers looking for job postings from other companies. Indeed-jobs.com is a fake address, and I urge you not to visit it, even for curiosity’s sake.
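As an added example (not from the article or from PwC), here is the "hover over the link" check written as code: a small Python classifier that compares the host a link actually points at against an allowlist of known-good hostnames and flags brand lookalikes such as the fake address in the quiz, plus a helper that catches visible link text naming a different host than the real target. The allowlist and the sample URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist: the two legitimate hosts the article names.
LEGIT_HOSTS = {"indeed.com", "indeed.jobs"}
BRANDS = {"indeed"}


def _host_of(text: str) -> str:
    """Extract a lowercase hostname; urlparse drops any user@ prefix."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower().rstrip(".")


def classify_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unknown' for the host a link targets."""
    host = _host_of(url)
    if not host:
        return "unknown"
    # Exact allowlisted host, or a true subdomain of one (www.indeed.com).
    for legit in LEGIT_HOSTS:
        if host == legit or host.endswith("." + legit):
            return "legit"
    # Any other host that carries the brand name in one of its labels is a
    # lookalike: indeed-jobs.com, indeed.com.evil.example, indeedjobs.net ...
    labels = host.split(".")
    if any(brand in label for brand in BRANDS for label in labels):
        return "lookalike"
    return "unknown"


def anchor_mismatch(display_text: str, href: str) -> bool:
    """True when link text that looks like a URL names a different host than href."""
    if "." not in display_text or " " in display_text:
        return False  # plain words such as "Apply now" are not a spoofed address
    shown, real = _host_of(display_text), _host_of(href)
    return bool(shown and real and shown != real)


if __name__ == "__main__":
    for link in ("https://www.indeed.com/jobs", "Indeed.jobs",
                 "http://indeed-jobs.com/apply", "http://indeed.com@evil.example/"):
        print(f"{link:40} -> {classify_link(link)}")
```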

I do not recommend clicking on any links or attachments in your emails or in LinkedIn messages you receive from senders you do not recognize. That advice is doubly important when you’re at work. Explaining to your manager that you infected the company network with malware because you opened a link about an amazing job opportunity at another company isn’t a great look.


Spotting a Fake Profile or Job Post on LinkedIn

The PwC presenters also said threat actors use social engineering methods to pressure victims into clicking malicious links or opening attachments. Criminals may send their targets messages on WhatsApp or engage their victims on social media platforms such as Twitter and Facebook. 

The presenters exhibited several screenshots showing AI-generated profile photos accompanying fake LinkedIn profiles. The presenters did not point out specific characteristics to look for when determining whether a profile picture contains an image of a real human, but urged Black Hat attendees not to respond to messages from profiles that seem “a little off.”

Here are a few red flags to look out for when someone contacts you about a job on LinkedIn.

  • Look for grammar and spelling errors on the LinkedIn profile or job description. An errant typo isn’t an indication of a false post, but a job post riddled with odd colloquialisms and spelling mistakes is a post to avoid.

  • Examine the so-called recruiter’s work history. If they were a baker’s assistant at Publix three months ago, but their current job title implies they are the director of human resources at Google, do not engage. 

  • Consider the recruiter’s chatting style. Right now, the threat groups use very informal language when chatting with potential targets. The head of recruiting at Meta probably will not send you a direct message that only says, “Hey.”

  • Watch for pressure to respond within a short time frame. If the person messaging you tells you that you must click the link they sent you within a few minutes or a few hours, or you will miss the opportunity, do not respond. 

If you encounter any of these warning signs during a message exchange on LinkedIn, simply block the profile and move on. Do not continue to talk with the scammers. They can extract valuable personal information from you via chat messages even if you manage to avoid clicking on any malicious links.


See Something, Say Something

Finally, the presenters asked employers to foster an environment of trust in the workplace. Understandably, most employees do not feel comfortable telling their managers that they think they’ve compromised the workplace while responding to a query about a job opportunity. However, if the employee reports the phishing scam promptly, the company’s security team has a chance to mitigate damage from the malware. 

Here at PCMag, we’ve covered various ways to protect yourself from phishing scams, so check out our articles instead of clicking a link from someone you don’t know.
