Threat actors used the servers of Pôle Emploi, a French governmental employment center, to trick users into revealing their credentials.
The exploit, discovered by researchers at threat detection firm Vade, allowed hackers to disguise phishing links within legitimate documents sent from legitimate government servers.
Attacks were carried out through Pôle Emploi, a legitimate French government service that helps unemployed citizens find vacancies. The way the system is designed allows threat actors to choose their victims carefully.
The first stage of the attack starts when a targeted company publishes a legitimate job ad on Pôle Emploi's website.
Threat actors then respond to the ad. In their reply, hackers attach a PDF file of a resume containing a malicious link.
Since Pôle Emploi functions as a mediator between the job seeker and a potential employer, it generates an email on behalf of the job seeker and delivers it to the company that posted the ad.
"This new technique is particularly efficient because the generated email is coming from legitimate Pôle Emploi servers, a legitimate sender, and a legitimate IP address," Vade researchers wrote in a blog post.
Going for the win
Hackers added a message to accompany the malicious PDF to make the scam even more convincing. The note explains that the recruiter needs to open the PDF to access the resume.
The message even acknowledges that there's a link inside the PDF, but presents the URL as a safety measure: a necessary step to update the recruiter's Pôle Emploi account.
Following the link leads the victim to a phishing site, made to resemble Pôle Emploi, and lures victims to enter credentials they use to access the system.
The account, not the recruiter, is in fact the hacker's primary goal. According to Vade researchers, access to an employment service's database is a treasure trove to threat actors as it contains data on individual users and companies.
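Because the email really does come from the service's own servers, sender and IP checks pass, and the link inside the attached PDF is the signal left to inspect. The following is an added example, not code from Vade or Cybernews: it extracts link targets from a PDF attachment, including those inside Flate-compressed streams, and flags any that point outside an expected domain. The domains and the sample bytes are constructed placeholders, and only literal-string `/URI` entries in unencrypted PDFs are handled.

```python
import re
import zlib
from urllib.parse import urlsplit

# /URI (http://...) entries of PDF link actions, literal-string form only.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def pdf_link_targets(pdf_bytes):
    """Return URLs from /URI actions, also looking inside Flate-compressed streams."""
    bodies = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:  # decompressobj ignores the newline left before 'endstream'
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, font, another filter)
    urls = []
    for body in bodies:
        for m in URI_RE.finditer(body):
            url = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            if url not in urls:
                urls.append(url)
    return urls


def off_domain_links(pdf_bytes, trusted_domain):
    """Links whose host is neither trusted_domain nor one of its subdomains."""
    flagged = []
    for url in pdf_link_targets(pdf_bytes):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host != trusted_domain and not host.endswith("." + trusted_domain):
            flagged.append(url)
    return flagged


# Constructed sample: one plain link annotation, one hidden in a compressed stream.
_hidden = b"<< /Subtype /Link /A << /S /URI /URI (https://jobs-portal.example.net/login) >> >>"
SAMPLE_PDF = (
    b"%PDF-1.5\n1 0 obj << /Subtype /Link /A << /S /URI "
    b"/URI (https://www.employment-service.example/help) >> >> endobj\n"
    b"2 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_hidden) + b"\nendstream endobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(off_domain_links(SAMPLE_PDF, "employment-service.example"))
```

The suffix comparison is done on the parsed hostname, so a lookalike host that merely begins with the trusted name is still flagged.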