Fake job offers. When a job opportunity turns into a nightmare

Criminal groups design fake job offers to infect professionals’ devices with malware and gain access to valuable information

A worker receives an email that catches his attention. A company he knows offers him the opportunity to participate in a selection process to fill a vacant position. The offer matches his skills and experience and is attractive to him. So, you click on a link to access a page where you can apply. However, the whole thing is a fake and interacting with that page causes malware to download and run.

Fake job offers are a more sophisticated and complex variant of phishing attacks that specifically target professionals in strategic companies. What are the objectives of the criminals? Spying on organizations, stealing access credentials to corporate software, accessing critical information, extorting victims, impersonating them and carrying out banking fraud…

For this reason, it is vitally important that professionals act with caution when they receive job offers, even if the level of veracity is high, because what may seem like an opportunity to grow professionally, can end up generating serious problems for them and the organizations they are part of.

Below, we will explain the keys to fake job offers through infamous campaigns such as Operation Dream Job, launched by the criminal group Lazarus to spy on companies in vital sectors such as defense, aerospace and technology.

1. What do fake job offers consist of?

The operation of fake job offers is similar to that of any social engineering attack, but their preparation and execution are more ambitious and require more time, effort, knowledge and resources:

• Criminals select their victims and research both the workers they are going to impact and the organizations they belong to. To do so, they conduct intelligence work to gather valuable information through social networks, corporate websites, etc.
• Malicious actors impersonate prestigious organizations that can seduce workers and tempt them to participate in a selective process.
• They send emails to victims or write to them through social networks such as LinkedIn.
• The attackers create personalized messages, including information about the victim and their organization, to build trust with victims.
• Cybercriminals lead victims to access fake pages where they are asked to provide personal information, execute a file or download and open malicious documents.
• They develop or acquire malicious programs such as Trojan backdoors, spyware, infostealers or ransomware to infect victims’ devices, go undetected for as long as possible, evade security mechanisms, persist and accomplish their criminal objectives.

As with whaling or CEO fraud, fake job offers are a more ambitious phishing attack typology that the targeted workers find more difficult to detect. In addition, criminals benefit from employees acting with the utmost discretion because it is a supposed offer to change jobs and lower their defenses. Who is not flattered to receive an offer from a company they hold in high esteem?

2. Fake job offers targeting professionals in critical industries

As mentioned above, the infamous Lazarus group, sponsored by the North Korean government, launched Operation Dream Job at the beginning of this decade to launch attacks targeting high-level professionals from Western companies operating in critical sectors. Thus, in recent years, attacks have been reported against large multinationals in the defense, aeronautics and technology sectors.

However, Operation Dream Job is not Lazarus’s only fake job offer campaign. A few months ago, it was discovered that the group used this technique to infect professionals’ devices with a remote access Trojan known as Kaolin RAT. To do this, they have developed a highly complex operation and a set of technically advanced tools to circumvent the security mechanisms of companies and persist in their systems.

In this case, their victims have been professionals from Asian companies, and the criminals have been able to upload, alter and download files, create and terminate processes, execute commands or connect to an arbitrary host.

However, Lazarus has chosen to target its victims through fake job offers. Other advanced persistent threat (APT) groups with a wealth of resources and expertise have resorted to this strategy.

For example, UNC1549, sponsored by Iran and connected to the Islamic Revolutionary Guard, has used fake job postings to target high-level professionals at companies such as Boing and spy on defense-related companies in Iran’s enemy states in the Middle East such as Israel, the United Arab Emirates and Turkey.

3. Software developers are also a priority target

In addition to professionals working in critical companies, another group criminals target is software developers. Why?

• They are one of the world’s most in-demand and mobile groups today. The best developers are used to receiving job offers and are therefore not suspicious of fake job offers if they are well prepared.
• Software developers have access to business-critical platforms and software on their computers.

As recently as 2024, it became public that another North Korean criminal group had used fake job offers and an NPM package to install malicious scripts to gain access to login credentials stored in the browsers of their victims’ devices.

How do these attacks against software developers work?

1. Fake job offers are sent to the victims.
2. An interview is scheduled to dispel any mistrust.
3. During the interview, the candidate is asked to take a test to prove he has the necessary skills and knowledge. This generates an extra burden of stress on the victim, who is faced with the situation that, if he refuses to take the test, he will be expelled from the selection process.
4. The candidate is asked to download software from GitHub or other trusted sources to take the test. However, the software contains a Python remote access Trojan (RAT), which allows malicious actors to compromise the device from which it is running and control it remotely.
5. Criminals can access credentials stored in browsers and files, record the victim’s typing, and execute commands.

4. Stealing cryptocurrencies, another criminal objective

Beyond accessing developers’ credentials, another goal of malicious actors who use fake job offers to trick these professionals is to steal cryptocurrencies from the wallets that they may have.

Lazarus has taken the theft of cryptocurrencies through fake job offers one step further by directly attacking a worker at CoinsPaid, one of the world’s largest crypto-payment providers, following the operation we have just described: initial contact, fake interview and download of malicious software with the excuse of performing a technical test.

What was the result of the operation? The company lost 37 million dollars in cryptocurrencies.

Beyond attacks as ambitious and precise as the one suffered by CoinsPaid, the truth is that scams that use the technique of fake job offer to steal cryptocurrencies are on the rise. The FBI has warned about the launch of campaigns offering micro-jobs that can be done from home but whose aim is to use malware to drain victims’ crypto-wallets.

5. The era of deepfakes is knocking at the door

As we have pointed out throughout this article, fake job offers stand out in the current threat landscape due to their high level of credibility.

Generative AI systems are set to make detecting this kind of attack even more difficult. This is not only because they facilitate the creation of messages, fake web pages, and even code but also because they open the door to image and sound deepfakes.

Victims may think they are talking to a company’s human resources manager, but a malicious actor is on the other end.

As with CEO fraud, the possibility of deepfakes makes it even more difficult for the targeted professionals to detect the scams.

6. Fake applications to deceive recruiters

So far, when discussing fake job offers, we have focused on professionals who can apply for a job, but what about company recruiters? Can they also be victims of this kind of attack?

In recent months, campaigns have been detected in which malicious actors impersonate job applicants and contact the people in charge of companies’ recruitment procedures via email.

For example, the criminal group TA4557 sent emails to recruiters to nominate false candidates for positions the companies had open. The operation is similar to the one described above. The email contained a link directing to a fake page so that the recruiter could look at the applicant’s portfolio. The professional was made to download and execute malware inside the fake page without being aware of it.

In other words, although fake job offers are mainly aimed at professionals of a certain level in companies, company recruiters should also be cautious when handling the applications that reach their emails.

7. Awareness, prevention and response: How to deal with fake job offers

How can companies prevent employees from falling victim to fake job offers and attackers from infecting their systems and causing serious security incidents? This is a complex issue to solve because workers do not inform their organizations about the offers they receive, and it is difficult to have a strategy to deal with this kind of attack. However, the repercussions can be very serious, especially if we take into account that:

• Some of these fake job offers arrive in corporate emails.
• Professionals can manage them not only from 100% personal devices but also from computers they use for work, on which they have stored access credentials to business software and files of a professional nature.

Fortunately, companies have various cybersecurity services that help them build resilience against this social engineering attack.

7.1. Social engineering test

Social engineering tests are used to test how resistant an organization is to phishing campaigns and to train and raise awareness among professionals so that they implement a series of good practices in their day-to-day work.

In this regard, simulations of targeted social engineering attacks that follow the same modus operandi that malicious actors follow today are encouraged. This involves a preliminary study of the most attractive profiles to contact and, based on this analysis of their position, interests or motivations, designing ad hoc phishing campaigns for each.

It requires artisan, dedicated and slow work because we are talking about interactions, and teams like Tarlogic’s have much experience performing them.

7.2. Cloud audit and Cloud security strategy for Enterprises

As we indicated before, one of the primary objectives of malicious actors is to obtain credentials to access corporate software since critical company information is stored in these programs. Therefore, it is vital to audit the cloud infrastructure and have a comprehensive cloud security strategy.

7.3. Vulnerability management

Vulnerability management plays a transcendental role since it is critical to be able to:

• Detect any vulnerability in a company’s technological infrastructure.
• This will prevent criminals from exploiting it and make it easier for them to evade detection mechanisms, perform lateral movements, and persist in corporate systems.

7.4. Red Team Services

Design specific scenarios where TTPs are implemented for malicious actors using fake job offers to execute various malware. Red Team scenarios are used to test organizations’ defensive mechanisms and to train professionals in charge of their protection.

7.5. Incident response services

Suppose a criminal group is successful and manages to deploy malware on a device or corporate system. In that case, it is critical that organizations respond in the shortest possible time, contain the threat, expel the malicious actor, minimize the impact, and restore normality. To this end, hiring proactive incident response services is advisable to get to work from the first minute.

In short, attacks using fake job offers to trick victims into running malware on their computers are the order of the day. Today, most recruitment processes are conducted through digital means, and malicious actors want to exploit this route through the devices of high-level professionals and the companies they work for.