Summary
Scammers impersonate recruiters to target job seekers amid tech layoffs, using fake postings, portals, and forms to harvest personal data and potentially extort victims. The campaign relies on newly registered domains, copied real postings, and social-engineering steps from initial contact to fake interviews and onboarding. Hashtags: #Zscaler #LinkedIn #SmartRecruiters #Netflix #TotalEnergies #KONE
Keypoints
- Threat actors masquerade as recruiters from specific companies, primarily located in the US and Canada.
- Malicious new domains are registered on hosting providers like Namecheap.
- Attackers scrape and reuse the contents of real job postings from public sites like SmartRecruiters and LinkedIn to convince applicants the post is legitimate.
- Fake application forms steal sensitive personal information from victims; the data may be sold, used for fraud, or used to further target and extort the victims.
- Newly Registered Domains (NRDs) are commonly used by threat actors; in this campaign they carry suspicious Top-Level Domains (TLDs) such as .online, .work and .live, typically combined with the name of the hiring organization the attackers are impersonating.
- The campaign includes steps from initial contact on LinkedIn to fake interviews (Skype) and a fake onboarding process, sometimes requesting payments or sensitive data (SSNs, bank info).
- Threat infrastructure often includes look-alike domains and compromised or impersonated corporate branding to appear credible.
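As an added defensive example that is not part of the original post, the following Python triages candidate domains (for instance from DNS or proxy logs) using the two signals the key points describe: an impersonated brand name combined with a suspicious TLD, and recent registration. The two Zscaler look-alike domains and the 23-Jan-2022 creation date come from the post; every other registration date, the extra TLDs beyond .online/.work/.live, the brand allowlist and the benign sample domains are constructed assumptions for the example.

```python
"""Heuristic look-alike domain triage (added example, not code from the post).

Two signals are scored:
  1. a protected brand name embedded in the registrable label, combined with a
     suspicious TLD (as seen in zscaler-finance-analyst-strategy.live)
  2. a newly registered domain (NRD), i.e. registered within the last N days

Registration dates below are sample values; in production they would come from
WHOIS/RDAP or a passive-DNS feed.
"""
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

# TLDs named in the post (.online, .work, .live) plus .co, which the
# zscalercareers.co IoC uses; .site and .xyz are assumptions for the example.
SUSPICIOUS_TLDS = {"online", "work", "live", "co", "site", "xyz"}

# Brands impersonated in the campaign (from the post's hashtags / IoCs).
PROTECTED_BRANDS = {"zscaler", "netflix", "totalenergies", "kone"}

# Legitimate registrable domains for those brands (assumed for the example).
ALLOWLIST = {"zscaler.com", "netflix.com", "totalenergies.com", "kone.com"}


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable label, tld) for a simple dotted hostname."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def brand_in_label(label: str) -> Optional[str]:
    """Return the protected brand embedded in the label (hyphens ignored), or None."""
    compact = label.replace("-", "")
    for brand in sorted(PROTECTED_BRANDS):
        if brand in compact:
            return brand
    return None


def score_domain(domain: str, registered: Optional[date], today: date,
                 nrd_days: int = 30) -> Dict:
    """Score one domain; higher means more suspicious. Reasons are kept for the analyst."""
    if domain.lower() in ALLOWLIST:
        return {"domain": domain, "score": 0, "reasons": ["allowlisted"]}
    score, reasons = 0, []
    label, tld = split_domain(domain)
    brand = brand_in_label(label)
    if brand:
        score += 2
        reasons.append(f"impersonates brand '{brand}'")
        if tld in SUSPICIOUS_TLDS:
            score += 2
            reasons.append(f"suspicious TLD .{tld}")
    if registered is not None:
        age = (today - registered).days
        if age <= nrd_days:
            score += 1
            reasons.append(f"newly registered ({age} days old)")
    return {"domain": domain, "score": score, "reasons": reasons}


def triage(domains: Iterable[str], registrations: Dict[str, date], today: date,
           threshold: int = 3) -> List[Dict]:
    """Return domains scoring at or above the threshold, most suspicious first."""
    results = [score_domain(d, registrations.get(d), today) for d in domains]
    flagged = [r for r in results if r["score"] >= threshold]
    return sorted(flagged, key=lambda r: r["score"], reverse=True)


# Constructed sample input. The first two domains are IoCs from the post; the
# creation date of the first is the one the post reports.
TODAY = date(2022, 2, 1)  # constructed reference date for the age check
SAMPLE_DOMAINS = [
    "zscaler-finance-analyst-strategy.live",  # IoC from the post
    "zscalercareers.co",                       # IoC from the post
    "zscaler.com",                             # legitimate, allowlisted
    "careers.example.com",                     # constructed benign domain
    "zscaler-partner.online",                  # constructed: brand + TLD, but old
]
SAMPLE_REGISTRATIONS = {
    "zscaler-finance-analyst-strategy.live": date(2022, 1, 23),  # from the post
    "zscalercareers.co": date(2022, 1, 28),                      # constructed
    "careers.example.com": date(2015, 6, 1),                     # constructed
    "zscaler-partner.online": date(2019, 3, 10),                 # constructed
}

if __name__ == "__main__":
    for hit in triage(SAMPLE_DOMAINS, SAMPLE_REGISTRATIONS, TODAY):
        print(hit["score"], hit["domain"], "; ".join(hit["reasons"]))
```

The brand-plus-TLD combination carries most of the weight because it is the pattern the post describes; registration age is a secondary signal so that an old squatted domain still surfaces, just with a lower score.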
MITRE Techniques
- [T1566.002] Spearphishing via Service: LinkedIn outreach posing as Zscaler recruiters targets job seekers on LinkedIn. Brief description: initial contact via a social platform to lure victims. Quote: "The threat actor(s) positioned themselves as Zscaler recruiters targeting job seekers on LinkedIn."
- [T1566.003] Spearphishing Link: fake job postings and links lead to fraudulent application portals; attackers copy legitimate postings to appear credible. Brief description: uses fake postings and links to collect data. Quote: "This fake listing was created by a scammer from an active Zscaler job posting listed on SmartRecruiters, however the attackers made one change, lowering the years of experience requirement to attract more potential victims."
- [T1036] Masquerading: impersonation of a legitimate recruiter via credible artifacts (e.g., a Skype profile photo) to fool victims. Brief description: impersonation in communications. Quote: "The Skype invitation provided in the email shows a profile photo of an actual Zscaler recruiter."
- [T1583.001] Acquire Infrastructure: Newly Registered Domains with suspicious TLDs host the fraud. Brief description: domain creation and use in attacks. Quote: "The malicious domain used in this scam, zscaler-finance-analyst-strategy.live, was created on 23-Jan-2022."
Indicators of Compromise
- [Domain] Domains used to masquerade as Zscaler: zscaler-finance-analyst-strategy.live, zscalercareers.co, and 11 more domains