Attackers have been impersonating recruiters from Palo Alto Networks since last August in a series of phishing campaigns targeting senior-level professionals for financial gain.
Palo Alto Networks’ Unit 42 researchers have been tracking the sophisticated social engineering campaigns, which use scraped LinkedIn data to create “highly personalized” lures, for the past seven months, according to a threat report published this week.
“The specific attack vector uses social engineering to manufacture a bureaucratic barrier regarding the candidate’s curriculum vitae (CV) and push the candidate toward taking actions such as reformatting their resumes for a fee,” Unit 42 senior manager Justin Moore wrote in the post.
Unit 42 has fielded “multiple reports” of the attacks, which use flattering language, highly specific details from the victims’ LinkedIn profiles, and legitimate company logos in the email signature block.
The end result of a successful attack is that victims are asked to pay a fee in the range of $400 to $800 to free their résumé from a bureaucratic hold-up and continue with what they believe is a legitimate recruitment process. Victims are thus not only duped into thinking they are in line for a position at Palo Alto Networks; they are also defrauded.
Recruiting Scheme Attack Chain
Attackers initiate the scam by posing as Palo Alto Networks representatives in legitimate-looking emails sent to senior job candidates. This establishes a rapport and builds trust with potential victims.
During this phase, the threat actors use the psychological tactic of flattery in the form of telling the candidates that they were “truly impressed” with their employment history and experience. They also point out milestones in the person’s career using data scraped from LinkedIn to appear as if they have been specifically following the victim’s trajectory as they consider them for a particular position.
Once attackers achieve engagement, they then manufacture a crisis in the form of a stumbling block to the recruitment process. They do this by falsely claiming that a candidate’s résumé failed to meet the applicant tracking system (ATS) requirements. An ATS, according to Moore, is an online tool that analyzes résumés for proper formatting, structure, and keyword optimization to make sure the résumés will pass automated checks before being approved for human recruiters.
“This psychological tactic increases the urgency and willingness of the victim to comply with the attacker’s offer of ‘executive ATS alignment,’” Moore noted.
At this point, the “recruiter” hands off the “candidate” to an expert who offers various price points to provide this alignment and get the recruitment process back on track. The fake offers have three pricing schemes: executive ATS alignment for $400; leadership positioning package for $600; and end-to-end executive rewrite for $800.
“In reported incidents, the ‘recruiter’ then implies that the ‘review panel’ has already begun, and that the candidate needs to update their CV within a set timeframe,” Moore wrote. “The ‘expert’ then communicates that they can deliver the CV within only a matter of hours, which is within the ostensible review window.”
This manufactured sense of urgency is designed to push a “candidate” into paying for one of the fake offers and thus being defrauded. Unit 42 did not say whether anyone who reported the scam made payments to the attackers.
Phishing Vigilance Required
Recruitment scams like these are not uncommon, but they can still cause financial damage to victims and reputational damage to the organizations impersonated, Moore noted.
Indeed, cybercriminals have long dangled what look like legitimate employment offers in phishing scams to increase the likelihood that someone will take the bait. North Korean threat actors such as Lazarus in particular are notorious for malicious job recruitment campaigns, such as Operation Dream Job, used to gather intelligence and deliver malware.
Unfortunately, these scams harm the legitimate recruitment process of organizations by weaponizing “the complexity of modern hiring by manufacturing artificial bureaucratic barriers and high-pressure review windows to solicit fees,” Moore wrote. He assured prospective candidates that Palo Alto Networks would never ask them to pay for résumé optimization services, and remains “committed to a transparent and ethical hiring process.”
Any professional who receives employment outreach that creates a sense of financial urgency or directs them to a third-party “expert” for a paid service should view it as “a fraudulent attempt to exploit your professional ambitions,” Moore advised.
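The red flags Moore lists (a claimed affiliation that does not match the sending domain, a fee, an ATS “barrier,” a compressed review window, and a hand-off to a third-party “expert”) can be turned into a simple triage heuristic for inbound recruiter mail. The following is an added example written for this article, not code from Unit 42 or Palo Alto Networks; the legitimate-domain list, indicator weights, verdict thresholds and both sample messages are constructed assumptions for illustration.

```python
"""Heuristic triage for recruiter-impersonation emails (added example, not Unit 42 code).

Scores a message on the lure stages described in the report: brand impersonation
from a non-corporate domain, a manufactured ATS barrier, a fee request, a
high-pressure review window, a hand-off to a paid "expert", and flattery.
"""
import re
from email.utils import parseaddr

# Organization the lure claims to represent and its real sending domain.
# LEGIT_DOMAINS is an assumption for this example, not taken from the report.
IMPERSONATED_ORG = "palo alto networks"
LEGIT_DOMAINS = ("paloaltonetworks.com",)

# indicator name -> (pattern, weight). Weights and phrases are chosen for this
# example; the phrases mirror the lure language quoted in the article.
INDICATORS = {
    "fee_request": (re.compile(r"\$\s?\d{2,5}\b|\b(fee|invoice|payment|pay)\b", re.I), 3),
    "ats_barrier": (re.compile(r"\bATS\b|applicant tracking|reformat|alignment package|rewrite", re.I), 2),
    "review_urgency": (re.compile(r"within \d+ hours|review (panel|window)|already begun|deadline", re.I), 2),
    "third_party_expert": (re.compile(r"\b(expert|specialist|consultant)\b", re.I), 2),
    "flattery": (re.compile(r"truly impressed|impressive (career|trajectory)|milestone", re.I), 1),
}


def sender_parts(from_header):
    """Return (display name, sending domain) parsed from a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def is_legit_domain(domain):
    """True only for the corporate domain itself or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def triage(from_header, subject, body):
    """Score one message and return the verdict plus the indicators that fired."""
    name, domain = sender_parts(from_header)
    text = f"{subject}\n{body}"
    hits = {}

    # Brand impersonation: the org is named in the display name or text,
    # but the mail does not come from the org's own domain.
    claims_org = IMPERSONATED_ORG in f"{name} {text}".lower()
    if claims_org and not is_legit_domain(domain):
        hits["impersonated_sender"] = 3

    for label, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            hits[label] = weight

    score = sum(hits.values())
    if score >= 6:
        verdict = "likely scam"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"sender_domain": domain, "score": score, "verdict": verdict,
            "indicators": sorted(hits)}


# Constructed sample messages (not real reported lures).
SCAM_FROM = "Palo Alto Networks Talent Acquisition <recruiting@pan-executive-careers.example>"
SCAM_SUBJECT = "Next step: executive review panel"
SCAM_BODY = """Hi Dana,
I was truly impressed by your trajectory from SOC lead to Director of Security Engineering.
Unfortunately your CV did not pass our ATS requirements. The review panel has already begun,
so please work with our partner expert to complete an executive ATS alignment ($400)
within 24 hours so we can keep your candidacy active."""

BENIGN_FROM = "Palo Alto Networks Recruiting <recruiting@paloaltonetworks.com>"
BENIGN_SUBJECT = "Interview scheduling"
BENIGN_BODY = """Hi Dana,
Thank you for applying. A hiring manager would like to meet you next week;
please reply with two time slots that work for you. There is no cost to you at any stage."""

if __name__ == "__main__":
    for args in ((SCAM_FROM, SCAM_SUBJECT, SCAM_BODY), (BENIGN_FROM, BENIGN_SUBJECT, BENIGN_BODY)):
        print(triage(*args))
```

The sender check deliberately keys on the claimed organization rather than on a keyword list alone: a message that names the company but arrives from an unrelated or lookalike domain is the strongest single signal, and it is the one a victim reading on a phone is least likely to notice. In a mail gateway the same logic would be fed the authenticated (DKIM- or SPF-verified) domain rather than the raw From: header, since the header itself can be forged.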
If anyone finds themselves targeted by this scam, they should immediately cease communicating with the individual and report the incident to Palo Alto Networks by emailing infosec(at)paloaltonetworks(dot)com. They also should flag the incident on LinkedIn and secure all professional, social media, and email accounts with new passwords and multifactor authentication (MFA) to ensure they have not been compromised, he said.