The job hunt can be an extremely trying experience at the best of times. Browsing vacancies, as well as studying the terms, salary, and benefits of any opportunity takes an immense amount of time and effort. Nevertheless, a potential employee is lucky enough if their job search leaves them only feeling fatigued, rather than ending with them having their private information stolen. Group-IB Digital Risk Protection (DRP) analysts based at the company’s Threat Intelligence & Research Center in Dubai, United Arab Emirates, are constantly monitoring social media sites for scam pages that appropriate the branding of companies across the Middle East and Africa (MEA). Fake job vacancies are one type of scam that is growing in visibility in the MEA region, and Group-IB experts discovered more than 2,400 scam pages from January 2022 through January 2023 in a still-ongoing campaign targeting Arabic-speaking job seekers in 13 countries. Companies based in Egypt, the Kingdom of Saudi Arabia (KSA), and Algeria were the most frequently impersonated by scammers.

Our decision to publish this research rests on its timeliness and relevance. The scam campaign remains active and Arabic-language scam vacancies continue to be posted on social networking sites. The majority of the fake social media pages are still online, and new ones are being created every day. Combatting scams of this type is vital: companies whose brands are appropriated by scammers can experience reputational loss, because victims may in the future associate their negative experiences at the hands of the scammers with the targeted brands. Therefore, this blog is written for both individual users and companies. Security teams of targeted enterprises, including CISOs, heads of cybersecurity teams, SOC analysts and incident response specialists, will find this blog particularly insightful, as it underlines the dangers of scammers illegally appropriating their organization’s brand name and likeness for malicious purposes.

Key findings

  • Group-IB’s Digital Risk Protection uncovered more than 2,400 scam pages on Facebook advertising fake jobs for Arabic speakers
  • This scam scheme targets more than 40 well-known brands from 13 countries in the MEA region
  • 64% of scam pages discovered in this campaign impersonated companies in the logistics sector. Other highly targeted industries included the food and beverage sector (20% of scam pages) and the petroleum industry (12%)
  • Approximately 48% of the scam pages discovered by Group-IB Digital Risk Protection impersonated companies from Egypt. Other markets heavily targeted in this scheme were Saudi Arabia (23% of scam pages), Algeria (17%), Tunisia (7%), and Morocco (4%)
  • The scammers’ core aim is credential theft
  • After interacting with a fake job vacancy, victims are redirected to scam web pages, which contain almost the same description about the fake vacancy. Should they click on the “apply” button contained on these scam web pages, victims are redirected to phishing websites that the scammers create to harvest the credentials of victims’ social network accounts
  • The scam campaign has been active since January 2022 and is still in operation to date
  • The campaign peaked in activity in August 2022, when more than 600 new fake job pages were created
  • This scam campaign could result in companies suffering severe reputational damage. Individuals who fall victim to this scam risk having their privacy violated and their social media accounts locked. Additionally, victims can suffer financial losses.

This most recent scam scheme is another in a long list of campaigns targeting users in the Middle East and Africa that has been tracked by Group-IB’s Dubai-based DRP researchers. Over the past year, Group-IB analysts have published their findings into multiple schemes that have seen scammers impersonate some of the MEA region’s largest logistics companies and manpower agencies, and also appropriate the branding of the FIFA World Cup 2022 in Qatar for nefarious purposes. As with many other scams, the campaign that we will discuss in this blog post rests on multiple layers of social engineering. The discovered pages publish posts advertising fake job vacancies with links to scam websites. If the individual clicks on the link to the scam site, they are presented with a page that invites them to click on an “apply” button. Should they do this, they are then redirected to a phishing site that has been created by the scammers to steal the login and password of unwitting users’ social network accounts.

Once they have gained entry and changed the password along with the email address and phone number attached to the account, the scammers can demand money from the victim for the account’s retrieval. Credential theft creates severe risks for internet users, as many people still use the same login and password combination for multiple accounts. This can be extremely damaging if they use these credentials for financial services, such as cryptocurrency wallets, investment portfolios, and banking applications. Additionally, Group-IB researchers have seen cases whereby scammers used compromised accounts to share phishing links in direct messages to other potential victims. In most cases, this is done to gain access to other users’ accounts, although there are cases in which the scammers can harvest the bank card details of victims, should the phishing link contain a card number entry form.

In order to investigate this scam campaign, Group-IB analysts used the company’s proprietary Digital Risk Protection platform, a sector-leading multipurpose solution designed to detect brand violations and scams on the internet. During their research, Group-IB experts leveraged the AI technology implemented in this solution, and all findings were detected thanks to Digital Risk Protection’s highly accurate logo analysis and text recognition features. The machine-learning algorithms contained in Digital Risk Protection automatically detected and extracted keywords relevant to this scam campaign, which were then used to assess other brand violations as well. Any pages that appropriated the branding of our clients were blocked by Group-IB.

Given that the scam is run on social networks, where privacy policy dictates that information about the creators of a specific page is not publicly available, along with the fact that the scammers built web pages on cheap or free all-in-one link solutions, it was not possible to determine whether all 2,400-plus scam pages were created by a single group. Additionally, it is difficult to determine the exact number of people affected and their potential financial losses, as scams of this type exclusively target individuals and many victims may not even be aware that their credentials have been stolen.

One look could kill

This scam scheme targets more than 40 well-known brands in the MEA region, and the scammers set their sights on companies across multiple verticals. The most targeted industry was the logistics sector, as 64% of scam pages discovered in this campaign impersonated companies of this type. This was followed by the food and beverage sector (20% of scam pages) and the petroleum industry (12%). One particular company was impersonated on more than 1,000 fake pages. Other prominent targets in this campaign were a dairy firm in Saudi Arabia and an Algerian logistics company, whose brands were utilized on more than 300 and 200 pages, respectively.

Additionally, some of the pages created in this campaign claimed to be offering individuals the opportunity to work in Qatar during the 2022 FIFA World Cup. This event, considered to be one of the largest sporting tournaments in the world, triggered a wave of scam activity as cybercriminals sought to cash in on the interest around the championship. This past November, Group-IB Digital Risk Protection researchers discovered more than 16,000 scam domains and dozens of fake social media accounts, advertisements, and mobile applications created by cybercriminals offering counterfeit tickets and merchandise, fake prizes for completing surveys, as well as portals purporting to be advertising jobs at the tournament.

Figure 1: Headline data and timeline of MEA job scam January 2022 – January 2023.

This scam campaign exclusively targets Arabic-speaking users in the Middle East and North Africa. Approximately 48% of the scam pages discovered by Group-IB Digital Risk Protection were found to be impersonating companies from Egypt. The scam campaign also heavily targets companies in Saudi Arabia (23% of all scam pages), Algeria (16%), Tunisia (7%), and Morocco (4%).

In terms of timeframe, this scam scheme was first observed in January 2022, and Group-IB researchers noted a steady increase in the number of newly created pages throughout the spring and summer of last year. The peak in scam activity was recorded in August 2022, when 609 new scam pages, the majority of which were impersonating a company in Egypt, were found. At the time of writing, the campaign is still ongoing and new scam pages are being made on a daily basis. In January 2023, 108 new scam pages were discovered, a total that is higher than the monthly values for November and December 2022, potentially signaling the start of another major scam wave.

How the scammers catch their prey

The pages created by the scammers look very similar to those managed by the companies they are impersonating. The vast majority of pages feature the official trademark of the company in question, a very common tactic utilized by scammers to attract and fool potential victims. Additionally, the bulk of the fake social media pages contain the company name, and some of them include the word “وظائف” (vacancies) in the title of the page.

Figure 2: Example of a page on Facebook impersonating a well-known MEA company

However, the real danger lies in the posts published by these fake social media profiles. They often feature attention-grabbing text that includes the name of the impersonated company. The copy of a typical post states that a large Middle Eastern company has announced it is urgently hiring for a range of low- and middle-skilled roles, and salaries are often included in the post. Based on a review of the fake job vacancies conducted by Group-IB researchers, it is clear that some of the adverts feature salaries that are too good to be true as a means of attracting victims. For example, Group-IB analysts found a post on a page spoofing a reputed petroleum company in Algeria claiming to be offering monthly salaries of 4,500 euros (USD $4,800) for drivers and painters. In other adverts, more realistic salary listings are provided, as a page imitating a Saudi dairy company mentioned that salaries for workers started from 3,500 Saudi riyals (roughly $930).

By creating a false sense of urgency — one of the oldest tricks in the scammer’s playbook — and by offering wages that are either reasonable or too good to be true, the scammers are able to attract visitors to register their interest in vacancies by clicking on a link that contains the company’s branding. It is worth mentioning that all the sites linked from the fake social media pages are one-page landings with links. Another indicative sign that these pages are part of a scam campaign is that they were all created using cheap or free all-in-one link solutions.

Figure 3: Example of a web page advertising a fake job vacancy

Should the victim click on the “apply” button on one of the scam web pages, they will, in most cases, be directed to a phishing page that impersonates a well-known social network, such as Facebook. This phishing page asks users to fill in their username or email and password for the social network in question. Should the user fill in this information, the scammers now have all they need to gain access to the victim’s social network account. In rare cases, the initial scam web pages are used to redirect users to other scam pages.

Figure 4: Example of a phishing page created to harvest victim’s Facebook credentials
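
The page traits described in this section (the impersonated company's name in the title of a page the company does not run, the word “وظائف” in the title, and posts linking to one-page landings on all-in-one link services) can be combined into a simple triage score for a brand-monitoring queue. This is an added example, not Group-IB's tooling; the brand name, page IDs, link-service host names and sample records are constructed placeholders.

```python
import re
from urllib.parse import urlparse

VACANCY_WORD = "وظائف"  # "vacancies", the title keyword reported in the article
# Placeholder hosts standing in for all-in-one link services (assumption).
LINK_HUB_HOSTS = {"linkhub.example", "bio-pages.example"}
URL_RE = re.compile(r"https?://[^\s)]+")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def on_link_hub(host):
    return any(host == h or host.endswith("." + h) for h in LINK_HUB_HOSTS)

def score_page(page, brand_names, official_ids):
    """Return (score, reasons) for one page record; 0 means not of interest."""
    title = page["title"]
    if page["id"] in official_ids:
        return 0, ["official page"]
    if not any(b.casefold() in title.casefold() for b in brand_names):
        return 0, ["brand not mentioned"]
    reasons = ["brand name in title of unofficial page"]
    if VACANCY_WORD in title:
        reasons.append("vacancy keyword in title")
    hosts = {host_of(u) for post in page["posts"] for u in URL_RE.findall(post)}
    if any(on_link_hub(h) for h in hosts):
        reasons.append("post links to all-in-one link page")
    return len(reasons), reasons

def triage(pages, brand_names, official_ids, threshold=2):
    """Return (page_id, score, reasons) for pages at or above the threshold."""
    scored = [(p["id"], *score_page(p, brand_names, official_ids)) for p in pages]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

# Constructed sample records (not real pages).
SAMPLE_PAGES = [
    {"id": "official-1", "title": "ExampleCo",
     "posts": ["Careers: https://exampleco.example/careers"]},
    {"id": "p-100", "title": "وظائف ExampleCo",
     "posts": ["Urgent hiring, apply now https://linkhub.example/exampleco-jobs"]},
    {"id": "p-200", "title": "ExampleCo fans", "posts": ["Great service!"]},
    {"id": "p-300", "title": "Cooking tips",
     "posts": ["Recipes: https://bio-pages.example/recipes"]},
]

if __name__ == "__main__":
    for page_id, score, reasons in triage(SAMPLE_PAGES, ["ExampleCo"], {"official-1"}):
        print(page_id, score, "; ".join(reasons))
```

A score of 1 (brand mentioned by an unofficial page with no other trait) is left below the default threshold so that fan or review pages do not flood the queue.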

The scam antidote

This particular scam case is significant as it targets individual internet users in the Middle East and North Africa. Given Facebook’s popularity in the region (the Egyptian Cabinet’s Information and Decision Support Center said in a 2022 report that 44.7 million Egyptians were registered on Facebook), it is easy to imagine how many people could come across these posts and fall victim to the scammers. This is not the first time that Group-IB DRP researchers have encountered a scam that uses similar tactics, techniques, and procedures, and this experience assisted in the quick detection and take down of scam pages using Digital Risk Protection’s proprietary tools. The current scam campaign is still active, and new pages are being created on a daily basis, which could result in reputational losses for the affected companies.

Our research once again demonstrates that successful social engineering can lead to significant risks, disruption, and damage, both for individuals and companies. Furthermore, it shows how simple it can be for scammers to get access to users’ social media accounts, which can then be used in future attacks. It is crucial that internet users verify the legitimacy of any pages or profiles sharing job vacancies on social networks. On the other hand, companies must ensure that they take all necessary actions to safeguard their brand and act quickly to take down any pages or resources that appropriate their name or likeness.

Recommendations for users

  1. Be cautious while following links that allegedly lead to the website of a specific company, a celebrity or a state agency. We urge users to interact with links only from official resources, such as verified accounts on social media or messengers.
  2. Ensure that you enter confidential data and bank card details only on trusted websites, and be sure to double-check the URL of the site you are entering your sensitive data on.
  3. While visiting links relating to offers by companies shared in messaging apps or on social media, check the domain names. Scammers usually use domain names that look similar to existing brand names as part of their efforts to trick users into entering sensitive data.
  4. Enable two-factor authentication (2FA) whenever possible to give yourself an extra layer of security against scams such as this.
  5. Use different passwords for different services, so that even if one of your accounts is compromised, your other accounts aren’t at risk.

Recommendations for companies

  1. Monitor for signs of brand abuse across the internet, including on social media, which is often used by scammers to advertise their phishing pages.
  2. Implement best practices with regards to corporate social responsibility and post warnings or guides on how to identify scams on your social media channels or websites once you are aware that your brand is being impersonated by scammers. It is vital that companies educate and warn visitors to their pages of potential scams.
  3. To prevent the illegal use of your intellectual property assets, use Digital Risk Protection solutions that help promptly detect threats to a specific brand in the digital space and then send them for blocking.
  4. Leverage DRP solutions that can identify key players in scams and monitor their activity for traces of preparation, indicating that a new attack is being developed. These solutions can also issue proactive takedowns to stop new scams before they begin.

As a world leader in scam prevention, Group-IB has extensive experience protecting organizations’ brands. Our Digital Risk Protection solution is best-in-breed, combining AI-powered technologies with highly trained analysts to detect and respond to scams. Independent consulting firm Frost & Sullivan granted Group-IB’s Digital Risk Protection its Innovation Excellence Award.


Group-IB’s three-phase takedown process ensures the swift removal of any scam you may encounter. To learn more contact one of our experts.