New Cyber Scam Preys On Vulnerable Job Seekers
Scammers are taking advantage of heightened unemployment and economic uncertainty.
As tech industry layoffs continue mounting, a new wave of cyber scams is targeting job seekers, exploiting their trust and vulnerability.
That’s according to new research by Zimperium’s zLabs. Cybercriminals are targeting individuals looking for new opportunities, sending fraudulent emails disguised as job offers from HR teams at well-known companies.
Ingram Micro, AMD, Avaya and Oracle are among the companies behind the latest tech industry layoffs. Scammers are taking advantage of heightened unemployment and economic uncertainty, preying on people who are already navigating a stressful process.
Tricking Job Seekers
A mobile-targeted phishing (mishing) campaign is delivering malware to users’ Android mobile devices, enabling a broad set of malicious actions, including credential theft from banking, cryptocurrency and other critical applications, according to zLabs. Job seekers are lured into clicking on a link that takes them to a seemingly legitimate job application page. However, instead of landing a new job, they unknowingly download a malicious dropper application. This dropper delivers the AppLite banking trojan, malware designed to infiltrate their mobile devices, steal sensitive financial information and compromise personal data.
Beyond its ability to mimic enterprise companies, AppLite also masquerades as Chrome and TikTok applications, demonstrating its wide-ranging target vectors, including full device takeover and application access, according to zLabs. The attackers could also access corporate credentials, applications and data if the victim used the device for remote work or remote access for their existing employer.
Kern Smith, Zimperium’s Americas vice president, said this malware campaign combines multiple techniques to compromise mobile data.
“What we are seeing is a sophisticated combination of broad and targeted phishing campaigns leveraging social engineering to infect mobile devices with malware,” he said. “Previous campaigns may have been limited in scope and in the combination of techniques leveraged, but what we see here is an evolution in sophistication, scope and techniques used to target mobile devices, users and apps.”
Many Potential Consequences
There are many potential consequences for job seekers who fall for this scam, Smith said. Ultimately, any accounts used on the victim’s mobile phone, as well as any data on it, are at risk.
“Given the scope of this campaign, one has to assume some level of return or success by the attackers,” he said. “How much is impossible to know as these types of campaigns exist in an economy of grabbing as much mobile data as possible, and then selling it to be used further down the line for account or data breaches.”
All job seekers should be vigilant about preventing malware infections and successful phishing attacks, Smith said.
“First, be very cautious of any inbound unsolicited communications, such as email, SMS, WhatsApp, etc., that either look too good to be true or try to get you to click on a link, input credentials or install something on your device,” he said. “If there is any question around legitimacy of the site, go to a trusted source for a trusted link or app, and not an inbound communication. Secondly, be very careful of installing anything on your mobile devices that is not coming from a trusted source or has not been vetted. Third, be very careful on what permissions you grant mobile applications because while they are very useful, they can be abused, such as accessibility services.”
Sophisticated Evolution of Techniques
Stephen Kowski, field CTO at SlashNext, said this latest "mishing" campaign represents a sophisticated evolution of techniques first seen in Operation Dream Job, now adapted for the mobile era.
“While the original Operation Dream Job used LinkedIn messages and malicious attachments to target job seekers in the defense and aerospace sectors, today’s attacks have expanded to exploit mobile vulnerabilities through fraudulent job application pages and banking trojans,” he said. “The dramatic shift to mobile-first attacks is evidenced by the fact that 82% of phishing sites now specifically target mobile devices, with 76% using HTTPS to appear legitimate. The threat actors have refined their social engineering tactics, moving beyond simple document-based malware to deploy sophisticated mobile banking trojans that can steal credentials and compromise personal data, demonstrating how these campaigns continue to evolve and adapt to exploit new attack surfaces.”