Recruitment Phishing Scams: Fake Job Offers Spread Malware

Edward Zhou

CEO & Co-Founder

 
July 17, 2025

Fraud Warning from Red Bull Policy Center

It has come to light that third parties are exploiting the Red Bull brand for fraudulent activities, especially online and through email. These scams, commonly referred to as “phishing”, primarily aim to extract money or sensitive personal and financial information from victims.

Red Bull emphasizes the importance of protecting its trademarks and ensuring that its name, logo, and brand are not misused for fraudulent purposes. The company is actively working to shut down such activities.

Important Red Bull Policies:

  • Red Bull does not send emails from public email accounts like GMX, Hotmail, or Gmail.
  • No prepayments are requested for handling fees related to advertisement campaigns or job offers.
  • Products are not delivered directly after prepayment to an intermediate distributor or escrow account.

Common Fraud Examples:

  1. Promotion Scam: Scammers may inform recipients about an alleged Red Bull promotion campaign, asking for personal data to participate.
  2. Lottery Scam: Victims receive messages claiming they have won money in a lottery organized by Red Bull, which does not organize such lotteries.
  3. Employment Scam: Fraudsters send fake recruitment forms offering non-existent job opportunities using Red Bull’s name.
  4. Car Advertisement Scam: Victims are misled into believing they will be compensated for placing Red Bull ads on their cars.
  5. Export Scam: Fraudsters pose as official distributors offering Red Bull products at below-market prices, demanding advance payments before disappearing.

If you encounter a suspicious offer, check the sender’s background and whether their website looks professional. Report any doubts to local authorities.

For reporting fraud, contact Red Bull at brandprotection@redbull.com.

Anatomy of a Recruitment Phish

A recent experience reveals a recruitment phishing attempt on LinkedIn. The phisher posed as a recruiter for Ripple, presenting a job description that seemed legitimate.

When the individual declined, citing a lack of the required experience, the recruiter insisted that it didn't matter, which raised initial concerns. The recruiter then offered a high compensation figure and asked for an email address, which led to a Slack invitation for further communication.

The conversation progressed to a take-home Python coding test without an initial phone call, which is uncommon in typical hiring processes. This raised additional red flags.

After receiving a suspicious coding test file, the individual discovered malicious code hidden within. The inspection revealed backdoor capabilities, designed to send data to a remote server.

This incident underscores the necessity for vigilance against such scams, especially when recruiters bypass standard processes and use non-professional email addresses.
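The kind of inspection described above can start with a static pass that parses the take-home file without ever running it. The following is an added example, not code from the incident or from the original article; the sample file, the watch lists and the `triage` function name are assumptions made for illustration.

```python
import ast

# Constructed stand-in for a "take-home test" file; not the file from the incident.
SAMPLE = '''
import base64
import urllib.request

def solve(nums):
    return sorted(nums)

def _init():
    payload = base64.b64decode("cGFzcw==")  # decodes to "pass" in this sample
    exec(payload)
    urllib.request.urlopen("http://collector.invalid/")
'''

# Heuristic watch lists (assumptions for this example, not a complete set).
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "ftplib", "smtplib"}
PROCESS_MODULES = {"subprocess", "ctypes", "pty"}
CALLS = {
    "exec": "dynamic-exec", "eval": "dynamic-exec", "compile": "dynamic-exec",
    "__import__": "dynamic-exec", "b64decode": "decode", "unhexlify": "decode",
    "decompress": "decode", "urlopen": "network-call", "create_connection": "network-call",
}

def triage(source: str) -> list:
    """Parse the file without executing it; return sorted (line, category, detail)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        else:
            modules = []
        for name in modules:
            root = name.split(".")[0]
            if root in NETWORK_MODULES:
                findings.append((node.lineno, "network-import", name))
            elif root in PROCESS_MODULES:
                findings.append((node.lineno, "process-import", name))
        if isinstance(node, ast.Call):
            func = node.func
            called = func.id if isinstance(func, ast.Name) else getattr(func, "attr", "")
            if called in CALLS:
                findings.append((node.lineno, CALLS[called], called))
    return sorted(findings)

if __name__ == "__main__":
    for line, category, detail in triage(SAMPLE):
        print(f"line {line}: {category}: {detail}")
```

A clean result from a pass like this does not show that a file is safe, since the names on the watch lists can be hidden behind aliases or string tricks. Treat it as a first filter before reading the code in full inside an isolated environment.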

Fake Recruiters and Banking Trojan

Cybersecurity researchers have identified a mobile phishing campaign distributing an updated version of the Antidot banking trojan. Attackers masquerade as recruiters, enticing victims with fraudulent job offers.

Victims download malicious applications disguised as legitimate apps, which eventually install the banking trojan on their devices. The updated Antidot Banker, labeled AppLite, can siphon unlock PINs and remotely control infected devices.

The phishing strategy often promises lucrative job opportunities, leading victims to download applications from phishing pages. Once installed, these applications facilitate further malicious activity, including stealing credentials and enabling unauthorized access.

Zimperium researchers uncovered a network of fake domains used for distributing malware-laden APK files. The malicious app employs various manipulative tactics, including requesting permissions to overlay device screens and carrying out harmful operations.

[Image: Mobile Phishing Campaign]

DarkGate Malware via Fake Job Offers

Threat actors are leveraging fake job offers on LinkedIn, particularly for a position at Corsair, to distribute DarkGate malware. This phishing activity was detected by cybersecurity firm WithSecure, which linked it to Vietnamese cybercriminal groups.

These campaigns target users in social media management roles, enticing them to download malicious files that eventually lead to malware installation. The downloaded ZIP file contains scripts that facilitate the malware deployment process.

Once installed, DarkGate attempts to uninstall security products and carry out further malicious activities, including stealing sensitive information. LinkedIn has introduced features to combat such abuses, but vigilance remains crucial.

[Image: Fake Corsair Job Offer]

Recruitment Phishing Scam Imitates Hiring Process

A phishing campaign is utilizing CrowdStrike’s branding to deliver malware disguised as a fake application. This tactic mimics legitimate recruitment processes to deceive potential victims into downloading malicious software.

To protect against these scams, individuals are encouraged to verify the authenticity of job offers and recruiters, ensuring that communications come from official channels and domains.

Organizations should implement robust security measures to detect and mitigate the risks associated with recruitment phishing scams.

Edward Zhou

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
