Red Bull-Themed Phishing Attacks Target Job Seekers’ Credentials

A sophisticated phishing campaign has emerged, targeting individuals seeking employment by impersonating Red Bull’s recruitment process. These deceptive emails, appearing as personalized job offers for a Social Media Manager position, are designed to steal login credentials from unsuspecting victims.

The Deceptive Approach

The phishing emails originate from the address [email protected], whose sending domain passes the standard email authentication checks (SPF, DKIM, and DMARC). Because the messages authenticate cleanly, they pass traditional security filters and appear legitimate to recipients.

The emails exploit the widespread interest in remote work opportunities, a trend that has gained momentum during the pandemic. By leveraging Red Bull’s strong brand recognition, the attackers increase the likelihood of recipients engaging with the content.

The Phishing Process

Upon clicking the link within the email, recipients are first directed to a reCAPTCHA page. This step serves to deter automated security analyses and adds an element of legitimacy to the process. After completing the reCAPTCHA, users are taken to a counterfeit job listing page that closely resembles legitimate job platforms like Glassdoor.

The fraudulent domain, redbull-social-media-manager.apply-to-get-hired.com, was registered only weeks before the campaign launched. It is hosted on a Virtual Private Server (VPS) within AS-63023, a network known for hosting short-lived malicious infrastructure.

Following the fake job description, victims are redirected to a bogus Facebook login page. Here, any credentials entered are captured and sent to the attackers’ server at 38.114.120.167 via a POST request to the /login_job endpoint. Notably, this server often returns a 504 Gateway Timeout error, a tactic likely employed to frustrate automated security tools and obscure successful data exfiltration.

Evidence of a Larger Campaign

Research by Evalian has identified a consistent TLS JARM fingerprint across multiple domains involved in this campaign, including those spoofing entities like MrBeast and Meta. This pattern suggests the use of a phishing kit available for rent, indicating a broader, coordinated effort rather than isolated incidents.

Advanced Evasion Techniques

The attackers employ several sophisticated methods to evade detection:

– Utilization of Reputable Services: By leveraging Mailgun’s high-reputation IP addresses, the phishing emails inherit the trust associated with legitimate services, increasing the likelihood of bypassing security filters.

– Dynamic SSL Certificates: The attackers automate the issuance of SSL certificates through Let’s Encrypt for each domain, ensuring that every phishing site presents a valid certificate. This practice eliminates common red flags associated with self-signed certificates.

– reCAPTCHA Implementation: The inclusion of a reCAPTCHA step not only adds a layer of perceived legitimacy but also serves to delay automated security analyses, allowing the phishing sites to remain active longer.

Detection and Mitigation Strategies

To effectively identify and mitigate such phishing attempts, organizations can implement detection rules that consider multiple indicators:

– Sender Domain Analysis: Monitor for emails where the sender domain is post.xero.com, a legitimate service exploited in this campaign.

– Anomalous Reply-To Addresses: Flag emails with reply-to addresses matching patterns like .user0212-stripe.com, indicative of phishing attempts.

– Suspicious URL Domains: Be cautious of URLs ending with apply-to-get-hired.com, associated with the fraudulent job application sites.

– TLS JARM Fingerprinting: Utilize TLS JARM signatures to detect known malicious infrastructures.

By combining these indicators, security teams can create high-fidelity alerts that minimize false positives and effectively identify phishing attempts.
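The following is an added example of how the four-indicator rule above can be combined into one scoring function; it is not code from the article or from Evalian. It checks the three email-visible indicators (sender domain, reply-to pattern, URL domain) against a parsed message and escalates only when two or more match; the JARM check is left out because it needs a live TLS probe. The two sample messages, the function names, and the two-indicator threshold are this example's own constructions.

```python
"""Added example: scoring an email against the indicators listed in the article.
The sample messages are constructed, not captured; helper names and the
alert threshold are this example's assumptions."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators taken from the article; the matching logic around them is assumed.
SENDER_DOMAIN = "post.xero.com"
REPLY_TO_PATTERN = re.compile(r"(^|\.)user0212-stripe\.com$", re.IGNORECASE)
URL_DOMAIN_SUFFIX = "apply-to-get-hired.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Return the lowercase domain of an RFC 5322 address header, or '' if absent."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def find_indicators(msg: Message) -> list[str]:
    """Return the names of every article indicator this message matches."""
    hits: list[str] = []
    if domain_of(msg.get("From", "")) == SENDER_DOMAIN:
        hits.append("sender_domain")
    if REPLY_TO_PATTERN.search(domain_of(msg.get("Reply-To", ""))):
        hits.append("reply_to_pattern")
    # Single-part body: decode=True yields bytes; tolerate odd encodings.
    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body)
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host == URL_DOMAIN_SUFFIX or host.endswith("." + URL_DOMAIN_SUFFIX):
            hits.append("url_domain")
            break
    return hits


def classify(raw: str) -> tuple[str, list[str]]:
    """Combine indicators: two or more -> 'alert', exactly one -> 'review', none -> 'pass'."""
    hits = find_indicators(message_from_string(raw))
    if len(hits) >= 2:
        return "alert", hits
    if hits:
        return "review", hits
    return "pass", hits


# Constructed sample messages (not real captures from the campaign).
PHISH = """From: Red Bull Careers <careers@post.xero.com>
Reply-To: recruiting@mail.user0212-stripe.com
Subject: Your Social Media Manager offer
Content-Type: text/plain; charset=utf-8

Please confirm your details at
https://redbull-social-media-manager.apply-to-get-hired.com/start
"""

BENIGN = """From: HR <hr@example.com>
Subject: Interview schedule
Content-Type: text/plain; charset=utf-8

See https://careers.example.com/schedule for times.
"""

if __name__ == "__main__":
    for raw in (PHISH, BENIGN):
        print(classify(raw))
```

Requiring two independent indicators before alerting is what keeps the rule high-fidelity: a lone hit on the legitimate post.xero.com sender domain only lands in a review queue, while the sample phishing message trips all three checks.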

Recommendations for Job Seekers and Organizations

While job seekers are the primary targets of this campaign, organizations must also take proactive measures:

– Block Identified Indicators of Compromise (IOCs): Implement network rules to block traffic associated with known malicious domains and IP addresses.

– Monitor Outbound Traffic: Keep an eye on outbound connections to suspicious IP addresses, such as 38.114.120.167, to detect potential data exfiltration.

– User Education: Educate employees and job seekers about the risks of phishing attacks, emphasizing that even emails passing standard authentication checks can be deceptive.
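As an added example of the outbound-traffic monitoring recommended above (not code from the article or from Evalian), the block below scans web-proxy log lines for any request to 38.114.120.167 and marks the POST to /login_job as the credential upload. It also records when the server answered 504, because, as the article notes, that response does not mean the upload failed. The log format, the sample lines, the client addresses, and the timestamps are constructed for this example; a real deployment would parse its proxy's actual format.

```python
"""Added example: flagging outbound requests to the exfiltration server named in
the article. Log format and sample lines are constructed; adapt parse_line to
your proxy's real format."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators from the article: server IP, credential endpoint, and the 504 behaviour.
EXFIL_IP = "38.114.120.167"
EXFIL_PATH = "/login_job"


@dataclass
class ProxyEvent:
    ts: str
    client: str
    method: str
    url: str
    status: int


def parse_line(line: str) -> ProxyEvent | None:
    """Parse 'timestamp client method url status' (constructed format); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    return ProxyEvent(parts[0], parts[1], parts[2].upper(), parts[3], int(parts[4]))


def host_and_path(url: str) -> tuple[str, str]:
    """Split a request target into (host, path); CONNECT targets lack a scheme."""
    if "://" not in url:
        url = "//" + url
    parsed = urlparse(url)
    return (parsed.hostname or "").lower(), parsed.path


def find_exfil(lines: list[str]) -> list[dict]:
    """One finding per request to the attacker IP. credential_post marks the
    POST to /login_job; timeout_response marks a 504, which the article says
    the server returns even when the credentials were received."""
    findings: list[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        host, path = host_and_path(ev.url)
        if host != EXFIL_IP:
            continue
        findings.append({
            "ts": ev.ts,
            "client": ev.client,
            "method": ev.method,
            "credential_post": ev.method == "POST" and path == EXFIL_PATH,
            "timeout_response": ev.status == 504,
        })
    return findings


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2024-05-02T10:14:01Z 10.0.0.23 GET https://redbull-social-media-manager.apply-to-get-hired.com/ 200",
    "2024-05-02T10:15:10Z 10.0.0.23 CONNECT 38.114.120.167:443 200",
    "2024-05-02T10:15:12Z 10.0.0.23 POST http://38.114.120.167/login_job 504",
    "2024-05-02T10:15:40Z 10.0.0.41 GET https://careers.example.com/jobs 200",
    "malformed line",
]

if __name__ == "__main__":
    for finding in find_exfil(SAMPLE_LOG):
        print(finding)
```

The design point is that a 504 on the POST is surfaced as a positive finding rather than filtered out as a failed request: the client 10.0.0.23 in the sample should be treated as having submitted credentials and handled accordingly.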

By staying vigilant and implementing comprehensive security measures, both individuals and organizations can better protect themselves against sophisticated phishing campaigns like this one.