Facebook credential phishing with job scams impersonating well-known companies

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Google Workspace, Microsoft 365

ATTACK TYPE: Credential phishing

Scammers increase their chances of success by keeping their scams relevant. As the U.S. faces a slowed job market, a fake job opportunity from a reputable company is very relevant bait. Earlier this week, we looked at a Google Careers phishing scam. In this post, we'll be looking at another recent attack campaign in which we saw bad actors impersonate a wide variety of well-known companies in order to credential phish targets looking for social media manager jobs. While the brands varied per message, the intent and methodology remained the same, indicating the use of a phishing kit and/or LLM to quickly create and launch a varied attack. All messages contained:

• Subject and sender relate to hiring or a job opportunity
• Highly-recognizable logo at the start of the message
• Message about an open social media manager role
• Link to a fake job listing used for Facebook credential phishing

Here are just a few examples:

Following the phish

Using the Red Bull message as an example, clicking the www.redbull@rebrand[.]ly link takes the target to a fake security check. The check includes a reCAPTCHA challenge image.

Once the challenge is completed, the target is taken to a fake Glassdoor job listing.

After clicking Easy Apply, the target is taken to a fake Glassdoor login where they can login with their email address or Facebook account.

If the victim attempts to login via email, they are taken to a contact form. After filling in the form, the target is taken back to the login window – not logged in.

After the email login fails, the victim will be presented with a fake Facebook login.

When the victim enters their Facebook credentials and click Log in, they are taken to a fake progress indicator that indicates an analysis is being performed. No analysis is being performed and the progress indicator will never reach 100%.

Detection signals

Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this attack were:

• Deceptive URL: The phishing link is www.redbull@rebrand[.]ly, which  make it appear as if the link leads to redbull[.]com when it actually directs to rebrand[.]ly.
• Brand impersonation: The message contains a Red Bull logo, a sender display name of ”Alexa from Red Bull Talent”, and the reply-to local part of alexa.redbull-talent-recruiting.
• Mismatched brand, sender, and reply-to: The brand is Redbull (redbull[.]com), the sender is messaging-service@post.xero[.]com, and the reply-to is alexa.redbull-talent-recruiting@trustedbds.com.
• Facebook phishing: Language in message indicative of a credential phishing scam targeting Facebook accounts.

ASA, Sublime’s Autonomous Security Analyst, flagged this email as malicious. Here is ASA’s analysis summary:

Keeps scams out of inboxes

Scams are effective because they offer opportunities too enticing to pass up. That’s why the most effective email security platforms are adaptive, using AI and machine learning to shine a spotlight on the suspicious indicators of the scam.

If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.

Read more Attack Spotlights:

• UK Home Office visa & immigration scam targets Sponsor Management System accounts
• Callback phishing with online appointment abuse and distribution lists
• Multi-RMM attack: Splashtop Streamer and Atera payloads delivered via Discord CDN link