Executive Summary
Fortra is monitoring a large-scale, active phishing campaign impersonating brands such as NVIDIA, GlassDoor, Red Bull, and more with fake job listings. First discovered in June, the campaign has appeared across multiple Fortra clients, with hundreds of phish abusing legitimate domains and falsely branded websites to capture user credentials.
The social engineering tactics used in this email campaign leverage the trust that job seekers place in known and respected brands and services. Combined with the well-branded and convincing infrastructure, this poses a significant risk both to users and to organizations whose employees reuse passwords from their personal accounts for corporate logins.
Introduction
Fortra's FIRE team is tracking a new phishing campaign employing effective social engineering tactics and the impersonation of reputable brands. This widespread campaign targets inboxes indiscriminately, and the threat actor(s) have employed several methods of harvesting credentials of hopeful job seekers.
The attack begins in the form of a seemingly normal email about a job opportunity that the recipient is being considered for. This is immediately followed by a prompt for the recipient to “Schedule Call” with a recruiter.
The recipient is then redirected to a convincing phishing site imitating Calendly, a popular service for scheduling meetings. As described later in this write-up, deceptive domains are employed to impersonate these brands.
What happens next will vary and indicates the actor is working from a template or phishing kit. In some instances, the user will have to complete a captcha challenge before proceeding and fill out a form with personal information, and in others they are immediately asked to select a date and time for a meeting. Eventually, both are prompted to enter Facebook or Google login credentials.
How it Works
The threat actors in this campaign attempt to break down defenses by leveraging trust in recognized brands. Impersonating a well-known enterprise such as Marriott and personalizing the email with the recipient’s name gives an impression of authenticity. Together with the flashy job titles and expressed interest in the recipient’s expertise or profile as a candidate, the clear intent is to ensure the victim clicks on the embedded link.
It is worth noting that salesforce.com, one of the domains employed as a sender in this campaign, tends to be widely trusted by companies' defenses. Many legitimate enterprises use Salesforce and generate notifications with this domain. This makes it much more difficult for security teams to filter out these phishing attempts. Mitigation here will rely on educating people on the red flags and risks and employing an effective system to report these suspicious emails for deeper analysis in a safe environment.
If the target victim clicks on the link within the body of the email, they will land on the intended phishing site without much obstacle. Where we’d normally see geo-blocking or other techniques to avoid being investigated, this campaign showed little intention to hide behind those more technically complex methods.
In the example below, the phishing site is hosted on vercel.app, a commonly abused web development and hosting platform. The phishing site displays the logo and name of Calendly, a well-known and trusted service commonly used to schedule meetings. This should be a significant red flag for anyone analyzing this content, as Calendly owns its own domain and does not host content on the Vercel platform.
After selecting a date and time, the victim is prompted to enter their Facebook credentials. Unless they are already familiar with Calendly, few victims would know that the service usually has no requirement to provide third-party authentication.
The stolen credentials are then sent via a Telegram message, a very common way for threat actors to collect and keep track of stolen credentials.
A More Convincing Example
One of the more convincing examples is the impersonation of Adecco, a large human resources provider and temporary staffing firm. At first, the domain hosting this malicious content seems like a legitimate Adecco website. Upon further investigation, we can see that it is a recently registered domain, with an expiry set for only a year in the future.
Convinced they are interacting with a legitimate staffing firm, the victim then enters their personal information in the form presented on the same site.
The site then presents a Google sign-in screen and prompts the victim for their credentials. There is no redirection to an actual Google website. This is still a malicious site. Once provided, the stolen credentials will be stored in the same directory where this content lives.
The Fortra FIRE team also observed phish within this campaign impersonating Nvidia. The tactics employed in these examples are very similar to those already described. The use of the Calendly name repeats in the subdomain in the Nvidia example.
Glassdoor, another well-known and respected platform for job seekers, is also used in conjunction with a Red Bull impersonation attempt; Red Bull is by far the most impersonated brand in this phishing campaign. All of these messages come from the same sender: [email protected]
Final Thoughts
It only takes one employee reusing their Google or Facebook password for their corporate email account to result in a significant risk of a data breach, business email compromise, or infection of systems down the line.
Organizations should invest in personnel training against emerging social engineering tactics and have systems in place to report, analyze and block these attacks before they reach the employee’s inbox.
Our recommendations:
Organizations should invest in training and ensure employees are aware of these trends, these social engineering tactics, and how they may be vulnerable to them.
Enforce strong password policies and hygiene practices. There should not be any reuse of passwords between personal and corporate accounts.
Email and endpoint protection systems should be employed for monitoring.
Provide effective mechanisms for employees to report suspected phishing emails so that security teams can analyze them.