A sophisticated Red Bull-themed phishing campaign utilized legitimate email services and validated TLS certificates to bypass standard security measures and steal user credentials via a fake Facebook login page. The attackers employed multi-domain infrastructure, stalling techniques, and brand impersonation to evade detection and scale their fraudulent operation. #RedBullPhishing #MailgunAbuse #JARMFingerprint
Keypoints
- The phishing email impersonated Red Bull and passed SPF, DKIM, and DMARC checks by abusing Mailgun’s legitimate email service.
- The embedded phishing link directed victims to a multi-step fake job application flow culminating in a spoofed Facebook login page designed to steal credentials.
- Attackers deployed stalling techniques such as reCAPTCHA and delayed POST responses to evade automated sandbox detection.
- Phishing infrastructure used low-reputation VPS providers (GlobalTeleHost) with recently created domains and valid Let’s Encrypt TLS certificates.
- TLS JARM fingerprinting helped identify a cluster of related phishing domains using the same malicious infrastructure.
- The Reply-To header revealed the true malicious sender domain outside Red Bull’s control, highlighting the use of spoofed and obfuscated infrastructure.
- Detection queries correlating email, endpoint, and network data were developed to proactively identify and block phishing attempts across customers.
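As an added illustration of the detection idea in the key points above (this is example code written for this summary, not a query from the original write-up), the check below flags a message whose SPF, DKIM and DMARC all pass yet whose Reply-To domain differs from the From domain, and whose embedded link points off-domain. All addresses and domains in the sample are constructed placeholders, not the campaign's indicators.

```python
"""Flag emails that pass SPF/DKIM/DMARC but carry a Reply-To on another domain
and an off-domain link. Sample data below is constructed, not real traffic."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample modelled on the described pattern; every address and
# domain here is a placeholder, not one of the campaign's indicators.
SAMPLE_EMAIL = b"""\
From: Red Bull Careers <careers@brand.example>
Reply-To: recruiting@mailer-reply.example
To: victim@corp.example
Subject: Your Red Bull application
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=brand.example;
 dkim=pass header.d=brand.example; dmarc=pass header.from=brand.example
Content-Type: text/plain

Apply now: https://apply.jobs-portal.example/step1
"""

def _domain(addr_header):
    """Return the lowercase domain from an address header value, or None."""
    if not addr_header:
        return None
    m = re.search(r"@([\w.-]+)", addr_header)
    return m.group(1).lower() if m else None

def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts from Authentication-Results."""
    ar = msg.get("Authentication-Results", "")
    return {k: v for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar)}

def analyze(raw):
    """Return header facts plus a list of findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    auth = auth_results(msg)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    link_doms = {h.lower() for h in re.findall(r"https?://([\w.-]+)", body)}
    findings = []
    # Passing authentication is not a clean bill of health: a legitimate sending
    # service can sign mail whose Reply-To drags replies to attacker infrastructure.
    if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")) \
       and reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")
    if from_dom and any(not d.endswith(from_dom) for d in link_doms):
        findings.append("offdomain_link")
    return {"from": from_dom, "reply_to": reply_dom, "auth": auth,
            "links": sorted(link_doms), "findings": findings}
```

A production version would also enrich the link domains with registration age and TLS fingerprint data, which is how the write-up clustered the related infrastructure.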
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Used to deliver phishing emails containing malicious URLs designed to steal credentials (“Detects emails that trick users into clicking malicious URLs.”).
- [T1585.001] Establish Accounts: Social Media Accounts (Impersonation) – Impersonation of Facebook login and Red Bull job offers to lure victims (“Impersonates Facebook login and Red Bull job offers.”).
- [T1071.001] Application Layer Protocol: Web Protocols – Device communication with the phishing infrastructure over HTTP/S was monitored to spot victims reaching the malicious IPs and domains (“Monitors device communication with malicious IPs/domains over HTTP/S.”).
Indicators of Compromise
- [Domain] Malicious phishing domains used in the campaign – charliechaplin7eont.space, *.apply-to-get-hired.com, user0212-stripe.com
- [IP Address] Hosting of phishing infrastructure – 38.114.120.167 (GlobalTeleHost VPS provider)
- [ASN] Associated autonomous system – 63023 (AS-GLOBALTELEHOST)
- [TLS Certificate Common Name] Used for phishing page – bot2shimeta.charliechaplin7eont.space
- [JARM Fingerprint] TLS artifact used for hunting related infrastructure – 27d40d40d00040d00042d43d000000d2e61cae37a985f75ecafb81b33ca523
- [Email Sender] Legitimate-looking sender used in phishing email – [email protected]
- [Reply-To Email] Malicious reply address revealing spoofing – [email protected]
Read more: https://evalian.co.uk/inside-a-red-bull-themed-recruitment-phishing-campaign/