Work in social media? Congrats, a new spear phishing campaign was created just for you


From Meta to Coca-Cola to Balenciaga, hackers posing as recruiters from Fortune 500 companies looking for their next star employee are targeting the social media and marketing industry as part of a new spear phishing campaign, new research has found.

The sophisticated phishing campaign, which began in late summer 2024, is aimed primarily at social media and marketing professionals, according to research published Wednesday by the email security firm Cofense.

Researchers say the threat actors are targeting already employed individuals with fraudulent emails enticing them to fill out applications for fake job offers from major Fortune 500 branded companies, including Meta, Coca-Cola, PayPal, and Red Bull, to name a few.

Emails spoofing Meta made up the largest percentage of emails in this campaign. Image by Cofense.

Social media professionals in the finance and insurance industries were the most targeted group observed by Cofense, followed by those working in retail and manufacturing, and then the healthcare sector.

Unlike typical phishing scams that focus on stealing usernames and passwords, this campaign is out to steal job application details such as past work experience and formal education history, which can be used by hackers to commit identity theft and customize future attacks.

Often referred to as “uncommon personally identifiable information” (PII) and easily lifted from a resume, the researchers say this valuable type of PII can “not only be sold for fraudulent purposes but also used to answer security questions and circumvent identity verification.”

“For instance, a bank account password can be bypassed if a security question asks what the name of an employer was in 2015 or the location of the victim’s university,” Cofense said.

Meta-spoofing “job application” to steal education and work experience. Image by Cofense.

Additionally, the stolen personal information could allow attackers to answer security questions and reset the password to other accounts owned by the victim, the research said.

“Future attacks can be further personalized to include industry, conferences, or student loans,” Cofense warned.


The phishing emails dissected

The highly targeted campaign uses a variety of email styles to target its victims, “from simple and direct to highly personalized and verbose,” Cofense said.

The researchers believe the information used to target the victims was most likely gleaned through open-source intelligence (OSINT), meaning taken directly from what’s publicly available on the web.

Some of the emails were packed with details about the victim, such as their job role and responsibilities. The emails also used typical social media industry jargon – phrases like customer relationship management (CRM), brand amplification, data harnessing, and customer engagement – which made them read as legitimate recruiter outreach.

(L) CAPTCHA in spoofed Coca-Cola job application. (R) A Red Bull-spoofing account creation page to access the “job application.” Image by Cofense.

Once the email was opened, recipients were directed to click a phishing link to apply for that particular job, landing them on either an “optional captcha page to hinder automatic analysis," a spoofed Facebook page, or a fake job application page created to steal even more information.

The phishing pages were hosted on “tailored subdomains” made to look as if they belonged to the spoofed company. Some asked the victim only for an email address and phone number, while others asked them to fill out a complete job application.
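A brand name appearing in a subdomain of a host the brand does not own is the tell in the pages described above. The following is an added example of a link-screening heuristic for that pattern; it is not Cofense's code or tooling, the brand-to-domain allow-list is illustrative, the multi-label suffix set is a stand-in for the Public Suffix List, and the sample URLs are constructed for the demonstration.

```python
"""Flag links whose hostname carries a spoofed brand name.

Added example, not code from Cofense or the article. The heuristic flags a URL
when a brand keyword appears as a hyphen-delimited run inside any DNS label of
the host, but the host's registrable domain is not one the brand controls.
"""
import re
from urllib.parse import urlparse

# ASSUMPTION: illustrative allow-list of brand keyword -> registrable domains
# the brand actually owns. A real deployment would source this from a
# maintained brand inventory, not a hard-coded dict.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebook.com"},
    "facebook": {"meta.com", "facebook.com"},
    "coca-cola": {"coca-cola.com", "coca-colacompany.com"},
    "cocacola": {"coca-cola.com", "coca-colacompany.com"},
    "redbull": {"redbull.com"},
    "red-bull": {"redbull.com"},
    "paypal": {"paypal.com"},
}

# ASSUMPTION: tiny stand-in for the Public Suffix List so the example runs
# offline. Use the real PSL (e.g. the tldextract package) in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _tokens(label: str) -> list:
    """Split one DNS label on hyphens/underscores: 'careers-meta' -> ['careers', 'meta']."""
    return [t for t in re.split(r"[-_]", label.lower()) if t]


def _contains_run(tokens: list, needle: list) -> bool:
    """True if `needle` occurs as a contiguous run inside `tokens`.

    Token matching (rather than substring matching) keeps 'metal' or
    'metadata' from tripping the 'meta' rule.
    """
    n = len(needle)
    return any(tokens[i:i + n] == needle for i in range(len(tokens) - n + 1))


def spoofed_brand(url: str):
    """Return the brand keyword a URL's host appears to spoof, or None."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return None
    reg = registrable_domain(host)
    for brand, owned in BRAND_DOMAINS.items():
        if reg in owned:
            continue  # the brand's own domain; not a spoof
        needle = brand.split("-")
        for label in host.split("."):
            if _contains_run(_tokens(label), needle):
                return brand
    return None


def scan_links(urls):
    """Return [(url, brand)] for every link that trips the heuristic."""
    hits = []
    for u in urls:
        brand = spoofed_brand(u)
        if brand:
            hits.append((u, brand))
    return hits


if __name__ == "__main__":
    # Constructed sample links, modelled on the page's description of
    # brand-themed subdomains; none of these are real campaign URLs.
    SAMPLE_LINKS = [
        "https://careers-meta.example-apply.com/job/123",
        "https://www.meta.com/careers",
        "https://apply.coca-cola-jobs.net/form",
        "http://paypal.careers-portal.co.uk/apply",
        "https://metal-supplies.co.uk/",
        "https://redbull.com/jobs",
    ]
    for url, brand in scan_links(SAMPLE_LINKS):
        print(f"SPOOF? {brand:10s} {url}")
```

This catches the brand-in-subdomain and brand-in-apex-label patterns the page describes but deliberately nothing more: typosquats, homoglyphs, and brand names that appear only in the URL path are out of scope for a token match, and a short-lived page will often be gone before any reputation lookup can confirm the hit, so treat a flag as a reason to quarantine and inspect rather than as proof.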


These phishing pages were often active for less than 24 hours, making them harder to detect, with some only active for less than three hours, Cofense said.

Although emails spoofing Meta made up the largest percentage of emails in this campaign, Cofense said the ones from Coca-Cola and Red Bull were also highly effective because of the companies' significant advertising presence.
