Venomous vacancies: Group-IB uncovers 2,400-plus fake job pages targeting Arabic speakers in 13 MEA countries

Group-IB, a global cybersecurity leader headquartered in Singapore, has today published a new blog post detailing a novel and ongoing fake job scam campaign targeting Arabic speakers in the Middle East and Africa (MEA) region. Digital Risk Protection (DRP) experts at Group-IB’s Threat Intelligence and Research Center in Dubai, United Arab Emirates, discovered and analyzed more than 2,400 fake job pages, created on social networks from January 2022 through January 2023, that impersonated companies from 13 MEA countries. On these pages, scammers spoofed more than 40 of the MEA region’s largest enterprises and published vacancies in the Arabic language offering salaries that are too good to be true, a social engineering ploy that aims to get the victims to interact with the post. The eventual goal of the threat actors is the theft of the user’s social network account credentials. To achieve this aim, the scammers include links to scam pages in the posts published on the fake social media profiles, and these scam sites link to phishing pages on which the victim is asked to enter their login and password. Group-IB analysts discovered that the scammers most frequently impersonated companies from Egypt, Saudi Arabia, and Algeria throughout the course of this scam campaign.

In order to investigate this scam campaign, Group-IB analysts used the company’s proprietary Digital Risk Protection platform, leveraging its AI technology and highly accurate logo analysis and text recognition features. Group-IB has a zero-tolerance policy to cybercrime, and any of the pages discovered in this scam campaign that impersonated Group-IB’s clients were blocked by Group-IB. The privacy policies of many leading social networks, which limit public access to information pertaining to the creators of individual profiles, and the scammers’ decision to create the scam and phishing pages on cheap or free all-in-one link solutions made it impossible to determine whether all 2,400-plus scam pages were created by a single group. Furthermore, this scam exclusively targets individuals, many of whom will be unaware that their credentials have been compromised, limiting Group-IB’s victim visibility. Despite this, Group-IB’s Digital Risk Protection researchers will continue to monitor this scam, and work to ensure the takedown of any pages that appropriate the name and likeness of affected companies.

Flex those pincers

This particular scam campaign was notable due to both the number of fake pages created and the large number of countries targeted. In total, Group-IB Digital Risk Protection discovered more than 2,400 pages impersonating more than 40 prominent brands in the MEA region. The scam campaign exclusively targets Arabic-speaking internet users, as all adverts are posted in the Arabic language. Companies in Egypt were the most frequently impersonated by the scammers, as 48% of all the fake profiles created on Facebook spoofed companies from this country. Organizations from Saudi Arabia (23% of all scam pages), Algeria (16%), Tunisia (7%), and Morocco (4%) were also frequently mimicked. In terms of timeframe, this particular scam campaign was first observed in January 2022, and peaked in activity this past August, when 609 new scam pages were created. New scam pages are still being made on a daily basis, and in January 2023, 108 Facebook profiles posting fake job vacancies from MEA companies were discovered, a total that is higher than the monthly values for November and December 2022.

Figure 1: Headline data and timeline of MEA job scam January 2022 – January 2023.

Group-IB researchers analyzed the fake job vacancies and found that many of the posts claimed to be offering salaries for low- and middle-skilled posts that are too good to be true as a means of attracting victims. One page spoofing a reputed petroleum company in Algeria claimed to be offering monthly salaries of 4,500 euros (USD $4,800) for drivers and painters. On other pages, more realistic salaries were advertised: a profile imitating a Saudi dairy company mentioned that workers could expect to receive upwards of 3,500 Saudi riyals (roughly $930).

The scammers who launched this particular campaign set their sights on multiple verticals, although the logistics industry was the most commonly targeted, as 64% of the profiles discovered by Group-IB impersonated companies from this sector. Group-IB has previously noted that scammers targeting MEA users are particularly fond of mimicking logistics enterprises due to its high potential ROI. The food and beverage (20% of scam pages) and petroleum (12%) industries were also heavily impersonated by the scammers. One particular company was impersonated on more than 1,000 fake pages. Other major targets in this campaign were a dairy firm in Saudi Arabia and an Algerian logistics company, whose brands were utilized on more than 300 and 200 pages, respectively. Some of the pages identified in this scam campaign claimed to be offering individuals jobs at the 2022 FIFA World Cup in Qatar. Group-IB Digital Risk Protection researchers, who participated in international law enforcement efforts to secure the digital space around this tournament, published their findings on fake merchandise, fake ticketing, fake survey, and fake job scams, which included the discovery of more than 16,000 scam domains, late last year.

Convincing fakes trick users

The success of any scam campaign rests on the threat actors’ ability to convincingly impersonate a company. In this scam scheme, the vast majority of the fake Facebook pages featured the official name and likeness of the affected brand. Most of the profiles also include the word “وظائف” (vacancies) in their title.

Figure 2: Example of a page on Facebook impersonating a well-known MEA company

The posts published on pages such as these feature eye-catching text, which typically states that the company in question is urgently hiring for a range of roles. Scammers frequently try to create a false sense of urgency to prompt victims to take action without assessing whether the opportunity they are interacting with is genuine or not. In this case, taking action means clicking on the link to the scam page contained in the post on Facebook.

Figure 3: Example of a web page advertising a fake job vacancy

These scam pages are often very basic and only contain an “apply” button. Crucially, they often contain the branding of the company in question, along with a description of the jobs that they claim to be advertising. Once the victim clicks on the “apply” button, they are almost always redirected to a phishing page that spoofs a major social network, such as Facebook.

Figure 4: Example of a phishing page created to harvest victim’s Facebook credentials

Should the user enter their email/phone number and password, the scammers now have all they need to gain access to the victim’s social network account. In rare cases, the initial scam web pages are used to redirect users to other scam pages.

“This particular scam case is significant as it targets individual internet users in the Middle East and North Africa on Facebook, a highly popular social network in the region. Group-IB’s Digital Risk Protection researchers have identified scams with similar tactics, techniques, and procedures in the past, and we will continue to leverage this experience, along with the full power of Group-IB’s technologies to detect and take down scam resources to ensure the digital security of companies and internet users. With this research, we hope to raise awareness in the MEA region of the tricks that scammers are willing to pull, such as targeting job seekers, to steal their credentials and potentially cause them financial loss.”

Sharef Hlal

Head of Group-IB’s Digital Risk Protection Analytics Team, MEA

Credential theft scams expose victims to significant risk if they use the same combination of username/email and password for accounts on other platforms, particularly those pertaining to personal finances, such as cryptocurrency wallets and investment portfolios. Additionally, Group-IB experts have seen cases whereby scammers utilized compromised accounts to share scam and phishing links to other users, and the threat actors can also demand money from the victim for the account’s retrieval. Companies and brands that have their likeness appropriated by scammers risk suffering reputational loss.

Group-IB urges internet users to be vigilant and always double check the URL when following links that allegedly lead to the website of a company, particularly if those links were accessed on social media or sent via messengers. Additionally, users should enable two-factor authentication (2FA) for their online accounts to provide an extra layer of security that can prevent scams such as this, and they should also ensure that they do not use the same password for multiple accounts. It is recommended that businesses leverage DRP solutions to monitor for signs of brand abuse on the internet and promptly detect and block any threats that could lead to scams.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.