Facebook Account Takeover
29 January 2025
By Samantha Clarke, Hiwot Mendahun, Ankit Gupta and the Mimecast Threat Research team
What you'll learn in this notification
- Predominantly targeting Retail and Media/Publishing businesses in the US and UK
- Campaigns are distributed via Recruitee, a legitimate recruitment CMS
- The primary intent is for credential harvesting
Campaign Flow
Mimecast Threat Researchers have recently been monitoring a phishing campaign leveraging Recruitee, a legitimate third-party recruitment Client Management System (CMS). Threat actors abuse the platform to send fraudulent job offer emails, deceiving end users and potentially bypassing detection mechanisms by leveraging a trusted service. In addition, they register lookalike domains and embed them in Recruitee-generated emails, impersonating well-known brands, thereby increasing the credibility of their phishing scams.
The lure in this campaign revolves around a fraudulent job opportunity for a Social Media Manager, enticing victims to click a link to apply. Deeper investigation showed that the domains used in the campaigns were registered recently through services like Porkbun and Hostinger, which threat actors favour for their low cost, ease of use and quick setup.
Once the user clicks on the link, randomised CAPTCHAs and IP filtering are used to deter automated analysis, before they are redirected to a login page.
They are presented with a well-structured phishing page with branding and logos to add credibility. The primary aim of these campaigns is to harvest Facebook credentials: the user is instructed to create an account via Facebook or to enter their email address/phone number, and both routes lead the user to enter Facebook credentials.
Following the input of credentials, the user is then asked for any second-factor authentication code so that the threat actor can take over the Facebook account. All details entered into these pages are automatically fed to Telegram loggers to ensure timely takeover of accounts.
The campaign activity shows a significant spike in September and picked up again at the end of November.
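Two of the artefacts described above, brand lookalike domains and exfiltration to Telegram bot loggers, can be hunted for in web proxy logs. The following Python is an added example written for this notification, not Mimecast tooling: the brand keyword list, the set of domains each brand is assumed to own, the log line format, the sample traffic and the bot id/token in it are all constructed for the demonstration, and it assumes the phishing page posts to the Telegram Bot API from the victim's browser so that the request traverses the corporate proxy.

```python
import re
from urllib.parse import urlsplit

# Brand keywords seen in the campaign's lookalike domains, mapped to the
# registrable domains the brand actually uses (assumed for illustration).
BRAND_LEGIT = {
    "redbull": {"redbull.com"},
    "cocacola": {"coca-cola.com", "coca-colacompany.com"},
    "victoriasecret": {"victoriassecret.com"},
}

# Telegram Bot API calls have the shape https://api.telegram.org/bot<id>:<token>/<method>
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]{30,}/(\w+)")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Naive: multi-label public suffixes (co.uk) are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host: str):
    """Return the brand keyword a hostname borrows when its registrable domain is not
    one the brand owns; None for brand-owned hosts and hosts without a keyword."""
    host = host.lower()
    compact = host.replace("-", "")            # redbull-careers -> redbullcareers
    reg = registrable_domain(host)
    for keyword, legit in BRAND_LEGIT.items():
        if keyword in compact and reg not in legit:
            return keyword
    return None


def telegram_exfil(url: str):
    """Return (bot_id, api_method) if the URL is a Telegram Bot API call, else None."""
    m = TELEGRAM_BOT_RE.search(url)
    return (m.group(1), m.group(2)) if m else None


def scan_proxy_log(log_text: str) -> list:
    """Scan 'timestamp client method url status' lines; return one finding per suspicious URL."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        host = urlsplit(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            findings.append({"line": lineno, "host": host, "finding": f"lookalike:{brand}"})
        tg = telegram_exfil(url)
        if tg:
            findings.append({"line": lineno, "host": host,
                             "finding": f"telegram_bot:{tg[0]}:{tg[1]}"})
    return findings


# Constructed sample proxy log (not real traffic); the bot id and token are placeholders.
SAMPLE_PROXY_LOG = """\
2025-01-15T10:02:11Z 10.0.4.21 GET https://redbull-socialmedia.com/apply 200
2025-01-15T10:02:40Z 10.0.4.21 POST https://api.telegram.org/bot1234567890:AAExampleTokenPlaceholder0000000000/sendMessage 200
2025-01-15T10:05:03Z 10.0.4.22 GET https://careers.redbull.com/ 200
2025-01-15T10:06:30Z 10.0.4.23 GET https://jobs-coca-cola.com/login 200
"""

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

The lookalike check flags abused hosting as well as purpose-registered domains (the Salesforce Sites and Netlify hosts in the IoC list carry the brand keyword but a registrable domain the brand does not own), while brand-owned hosts such as careers.redbull.com are left alone. A Telegram Bot API call from a workstation immediately after a visit to a flagged host is the sequence worth alerting on.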
Tactics, Techniques and Procedures:
T1566.002 - Phishing: Spear Phishing Link
T1598.002 - Phishing for Information
T1204.001 - User Execution: Malicious Link
T1596.002 - Search Open Websites/Domains for Victim-Owned Resources (e.g., creating lookalike domains)
T1189 - Drive-by Compromise (phishing sites with CAPTCHA/IP filtering)
T1070.004 - Indicator Removal on Host: Automated Exfiltration via Telegram Bots
Mimecast Protection
Targeting:
US and UK, Predominantly Retail, Media/Publishing
IOCs:
Subjects:
Ready to Take Your Talent to New Heights with Red Bull?
Unlock Your Potential: Exclusive Job Opportunity with Coca Cola
URLs:
redbull-socialmedia[.]com
redbulldigitalcareers[.]com
redbull-jobscareers[.]com
redbullcareers-jobs[.]com
digitalredbull-team[.]com
redbullsociamedia-careers[.]com
redbulldigital-socialmedia[.]com
redbullcareers-digital[.]com
redbullcareers-team[.]com
digitalredbull-social[.]com
cocacolacompany-application-dev-ed.develop.my.salesforce-sites[.]com
cocacolateam-application-id23151232.netlify[.]app
jobs-coca-cola[.]com
victoriasecretdigital[.]com/application-work/id-23452345
applicationworksocialmedia[.]com
application-career[.]com
Telegram Loggers:
bot8042878074:AAHHoa9x7R5w1RiWVXxxRW49YkP-NYHuoWw
bot7610902362:AAEeD7oxYZcbiI6UuCf3Y4s42pxYWVJRoaU
Recommendations
- Ensure a URL Protect policy is set to protect the organization.
- Search through your URL Protect logs to determine if any of the abused services have been accessed by your users.
- Search through your email receipt logs to determine if any emails matching the subjects have been delivered to your users.
- Educate end users around the continued trend of legitimate tools being used in malicious campaigns.
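A concrete way to carry out the two log searches recommended above, as an added example in Python written for this notification rather than taken from Mimecast's products: the IoC values are the ones listed in this notification, while the pipe-delimited email receipt and URL log lines are constructed for the demonstration and are not Mimecast's export format.

```python
import re
from urllib.parse import urlsplit

# URL and subject IoCs as published in this notification (URLs kept defanged).
IOC_URLS = """
redbull-socialmedia[.]com
redbulldigitalcareers[.]com
redbull-jobscareers[.]com
redbullcareers-jobs[.]com
digitalredbull-team[.]com
redbullsociamedia-careers[.]com
redbulldigital-socialmedia[.]com
redbullcareers-digital[.]com
redbullcareers-team[.]com
digitalredbull-social[.]com
cocacolacompany-application-dev-ed.develop.my.salesforce-sites[.]com
cocacolateam-application-id23151232.netlify[.]app
jobs-coca-cola[.]com
victoriasecretdigital[.]com/application-work/id-23452345
applicationworksocialmedia[.]com
application-career[.]com
""".split()

IOC_SUBJECTS = [
    "Ready to Take Your Talent to New Heights with Red Bull?",
    "Unlock Your Potential: Exclusive Job Opportunity with Coca Cola",
]

REPLY_PREFIX_RE = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# (host, path_prefix) pairs; an IoC without a path matches any path on that host.
IOC_INDEX = []
for _ioc in IOC_URLS:
    _host, _, _path = refang(_ioc).partition("/")
    IOC_INDEX.append((_host.lower(), "/" + _path if _path else ""))


def url_matches(url: str):
    """Return the IoC host a clicked URL falls under (host or subdomain, honouring a path prefix), else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    for ioc_host, ioc_path in IOC_INDEX:
        on_host = host == ioc_host or host.endswith("." + ioc_host)
        if on_host and (not ioc_path or parts.path.startswith(ioc_path)):
            return ioc_host
    return None


def subject_matches(subject: str) -> bool:
    """Case-insensitive match after collapsing whitespace and stripping RE:/FW: prefixes."""
    norm = REPLY_PREFIX_RE.sub("", " ".join(subject.split())).casefold()
    return any(norm == s.casefold() for s in IOC_SUBJECTS)


def sweep(email_log: str, url_log: str) -> dict:
    """Return recipients who received an IoC subject and (user, ioc_host) pairs for IoC clicks."""
    hits = {"subjects": [], "urls": []}
    for line in email_log.splitlines():
        _ts, _sender, recipient, subject = line.split("|", 3)
        if subject_matches(subject):
            hits["subjects"].append(recipient)
    for line in url_log.splitlines():
        _ts, user, url = line.split("|", 2)
        ioc = url_matches(url)
        if ioc:
            hits["urls"].append((user, ioc))
    return hits


# Constructed sample logs (timestamp|sender|recipient|subject and timestamp|user|url);
# a demonstration shape, not Mimecast's export format.
SAMPLE_EMAIL_LOG = """\
2025-01-14T08:10:00Z|recruiter@example.net|alice@example.com|Ready to take your talent to new heights with Red Bull?
2025-01-14T08:12:00Z|hr@example.com|bob@example.com|Weekly all-hands agenda
2025-01-14T09:30:00Z|recruiter@example.net|carol@example.com|FW: Unlock Your Potential: Exclusive Job Opportunity with Coca Cola
"""
SAMPLE_URL_LOG = """\
2025-01-14T08:15:22Z|alice@example.com|https://redbull-socialmedia.com/apply?id=7
2025-01-14T08:20:01Z|bob@example.com|https://www.redbull.com/int-en/
2025-01-14T09:31:40Z|carol@example.com|https://cocacolateam-application-id23151232.netlify.app/
2025-01-14T09:40:05Z|dave@example.com|https://victoriasecretdigital.com/contact
"""

if __name__ == "__main__":
    print(sweep(SAMPLE_EMAIL_LOG, SAMPLE_URL_LOG))
```

Subject matching is deliberately tolerant of casing, extra whitespace and forwarded-mail prefixes, since a user forwarding the lure to a colleague is itself worth knowing about. The URL match honours the path published for the victoriasecretdigital[.]com indicator, so a click on a different path on that host is not reported; drop the path check if you prefer to treat the whole host as hostile.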