Phishing from Home, The Hidden Danger in Remote Jobs Lurking in Tesla, Google, Ferrari, and Glassdoor

Cofense PDC observed a Q3 2024 phishing campaign impersonating Red Bull, Tesla, Google, and Ferrari to target social media and marketing professionals using fake job applications and spoofed trusted domains. The attacks used brand-specific subdomains, realistic logos, multi-step credential harvesting (including fake Glassdoor, Facebook, and X login pages) and requested resumes to collect additional PII. #RedBull #Tesla #Ferrari #Google

Key points

  • Threat actors impersonated major brands (Red Bull, Tesla, Google, Ferrari) to lure job candidates via fake job application emails.
  • Emails were sent from a reused trusted sender pattern (messaging-service[@]post.xero[.]com) to increase deliverability and perceived legitimacy.
  • Phishing landing pages used brand-named subdomains, up-to-date logos, CAPTCHAs, and multi-step flows to mimic legitimate recruitment processes.
  • Credential harvesting paths included fake Glassdoor pages, spoofed Facebook login portals, and counterfeit X login pages depending on the campaign.
  • The Red Bull campaign introduced a resume-upload step to gather additional PII beyond basic contact details.
  • Attackers tailored URLs and page elements per brand (e.g., Tesla/Ferrari led to fake Facebook logins; Google redirected to fake X login offering Google/Apple options).
  • Cofense emphasizes detection via human intelligence, managed phishing detection and response, and notes that observed defenses may vary with configurations.

MITRE Techniques

  • [T1566] Phishing – Attackers sent spear-phishing emails impersonating Red Bull, Tesla, Google, and Ferrari to lure candidates (“…baits the candidate with an opportunity to apply to well-respected companies…”).
  • [T1598] Phishing for Information – Credential harvesting via fake Glassdoor, Facebook, and X login pages to collect email and social login credentials (“…prompts users to either enter their email credentials or log in through a spoofed Facebook portal designed to harvest Facebook login information”).
  • [T1189] Drive-by Compromise (Use of malicious links) – Use of tailored URLs and subdomains containing brand names to trick users into visiting phishing pages (“…tailors the initial URLs to each brand by using their name within the subdomain of the URL…”).
  • [T1204] User Execution – Social engineering language in emails (“No pressure at all, but I thought you might want to take a look,”) to encourage interaction and clicking links.
  • [T1078] Valid Accounts (Credential Access) – Collection of valid login credentials via fake login portals for Facebook, X, Google, and email to enable account access (“…either choose to login with their Facebook credentials or with their email address…then leads back to the fake Facebook login”).
  • [T1530] Data from Information Repositories – Collection of resumes and additional PII via fake application pages to gather detailed personal information (“…request for the candidate to upload their resume…allows for the threat actor to collect additional PII…”).
  • [T1562] Impair Defenses (Use of trusted third-party infrastructure) – Abuse of a trusted sender domain (post.xero[.]com) to improve deliverability and bypass filters (“…spoofing various brand names while using ‘messaging-service[@]post.xero[.]com’ as the from address…exploit its email infrastructure…”).

Indicators of Compromise

  • [URLs] Observed infection and payload URLs – hxxps://www[.]redbull[.]com@rebrand[.]ly/redbull-interview-booking, hxxps://study-socialmedia[.]com/workspace/apply, and hxxps://redbull-social-media-manager[.]job-apply-now[.]com/login_job (and additional job-apply-now subpages).
  • [Domains] Malicious domains used for landing and payload hosting – career-tesla[.]com, careers-ferrari[.]com, bck-2qw8[.]onrender[.]com, globe[.]anotherlevel[.]app.
  • [IP Addresses] Observed infrastructure IPs – 76[.]76[.]21[.]93, 66[.]33[.]60[.]35, 38[.]114[.]120[.]167, 216[.]24[.]57[.]252 (and several additional IPs listed for payload hosting).
  • [Email Sender] Spoofed/trusted sender address used in campaigns – messaging-service[@]post.xero[.]com (used to increase trust and bypass filters).
  • [File Upload/Artifact] Resume uploads requested – victims were prompted to upload resumes on fake Glassdoor pages to harvest additional PII (no specific file hashes provided).
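As an added defender-side example (not Cofense's code and not part of the original write-up), the following Python checker flags the two URL tricks described in the key points and indicators above: the `@` userinfo trick in the Red Bull link, where everything before `@` is ignored by the browser and the real host is `rebrand.ly`, and brand names placed in the subdomain of an unrelated domain such as `job-apply-now.com`. The mapping of brands to their legitimate domains is an assumption made for this example.

```python
from urllib.parse import urlsplit

# Brands impersonated in the campaign mapped to the registrable domain they
# really use. ASSUMPTION for this example; extend it from your own allow-list.
BRAND_DOMAINS = {
    "redbull": {"redbull.com"},
    "tesla": {"tesla.com"},
    "ferrari": {"ferrari.com"},
    "google": {"google.com"},
}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps, [.], [@]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the TLDs in this campaign."""
    return ".".join(host.lower().split(".")[-2:])


def classify_url(url: str) -> list[str]:
    """Return the deception indicators found in a (possibly defanged) URL."""
    parts = urlsplit(refang(url))
    findings = []
    # 1. Userinfo trick: in 'https://www.redbull.com@rebrand.ly/...' the browser
    #    treats 'www.redbull.com' as a username and connects to rebrand.ly.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' masks real host {parts.hostname}")
    host = parts.hostname or ""
    apex = registrable_domain(host)
    # 2. Brand keyword anywhere in the hostname (hyphens stripped, so
    #    'career-tesla.com' matches) while the registrable domain is not the brand's.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host.replace("-", "") and apex not in legit:
            findings.append(f"brand '{brand}' in lookalike host {host}")
    # Note: hosts with no brand keyword (e.g. study-socialmedia.com) are not
    # caught by rule 2; those need reputation or allow-list checks instead.
    return findings


if __name__ == "__main__":
    for ioc in ("hxxps://www[.]redbull[.]com@rebrand[.]ly/redbull-interview-booking",
                "hxxps://redbull-social-media-manager[.]job-apply-now[.]com/login_job",
                "https://career-tesla.com", "https://www.tesla.com/careers"):
        print(ioc, "->", classify_url(ioc) or "no indicator")
```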
Read more: https://cofense.com/blog/phishing-from-home-the-hidden-danger-in-remote-jobs