This isn't your typical recruitment phishing message. There isn't a link or an attachment to open. It looks like a normal recruiting message. It's pretty convincing too. All the details you're about to read are real—except people's names—and this phishing campaign is still live at the time of publication.
For this story, we'll call our recipient, Tina, and our sender, Mary. These are not their real names. And we've redacted identifying details to protect their privacy.
The recruitment email
Some phishing emails are obviously fake. But others can be quite convincing. Especially in targeted spear-phishing attacks. See this example email. Can you spot the spear-phish?
Our story starts with a quite normal-looking headhunting email. There are no links, no attachments, no action to be taken by the receiver. The language used is quite good, and barely any typos or weird grammar can be found. All the brand names used to add legitimacy to the email are even spelled right. Maybe generative AI was used to write this email—it's hard to tell.
Whoever targeted Tina, did their research. She is indeed a well-rounded marketer, and the offer described so far does match her skills.
The ask is so low there can't be any harm in responding, right? Of course, Tina still did her due diligence to make sure Mary was a real person and that the Media Agency she was representing existed.
Is it legit or not?
The agency had a solid LinkedIn page, and so did Mary. Although her title was slightly different, it was in the same ballpark. If Tina had waited a few days, she would've seen the below post from the real Mary's LinkedIn account calling out the scam. But she had received her email communication 2 days before real-Mary posted. So it was really hard to tell whether the first email was real or not.
Before real-Mary posted on LinkedIn, fake-Mary had already replied to Tina. And this time, she was suggesting they schedule a meeting.
The phish-y reply
The follow-up message included a Calendly link to book a time so they could chat about the position. Fake-Mary even addressed a concern head-on—the link was from Calendly. Still Tina would have to sign in with her Meta credentials to view the calendar. [We still use the old-fashioned way for call schedules - this is an official Meta calendar shared between us and the respective brands involved. Once you schedule, you'll also have full visibility to all job prospects with detailed descriptions. Hence, the verification steps.]
This was such a red flag that Tina reached out to me asking if this looked right. And before even analyzing the email, I told her it was definitely not a normal email and suggested she stop responding to fake-Mary. I then sent the emails to our analysts to look into.
Another red flag was the domain the email was sent from. It was different than what you would expect from this company as it had [hr] at the end before the dot com. But it was also freshly registered and was trying to impersonate another domain. This made the phish a flash attack, and probably won't be running for very long. At the moment of publication, all domains are still active and live.
Book a time, but log in with... Facebook?
The legit-looking Calendly link sent Tina to a sign-in page where she was prompted to enter her Facebook credentials. Although the URL seems normal, digging into the details of the email and page, we found that it was spoofing another domain that was registered to a different Google Workspace. It even has a real reCAPTCHA to make it seem legitimate, but also to prevent intelligent email protection tools from crawling the page further.
Once you continue to the login page, you have a pop-up looking like the normal Facebook login page. But it's actually a completely fake pop-up, or a browser-in-browser attack. There are many signs this pop-up isn't from Facebook.
When you compare it to the normal Facebook login page, there are a few wording differences. [Email] vs. [Email address]. [Log In] vs. [Log in]. [Forgot account?] vs. [Forgotten password?]. [Sign up for Facebook] vs. [Create new account]. But those alone could just be because the pop-up integration has a different UI.
Now if you tried clicking on any of the links or even just hovered over them, you'd notice they weren't real links. And actually, if you looked through the page's inspect, you'd see all the links were just normal text, not hyperlinks.
The last clear red flag is that the browser doesn't actually work like a normal browser. You can't scroll, and the URL acts weird when you try to select it.
Next, we tried logging in with dummy credentials to see what would happen. The loading page took between 30 and 60 seconds before returning an invalid credentials message. We suspect someone or something on the other end was probably trying to log in to Facebook during that time. And if they were real credentials we put and we had 2FA/MFA on, we probably would've had another pop-up asking for those too. But we didn't want to go further without a throwaway account.
You're probably wondering why scammers would want access to just anyone's Facebook account and that this seems like a really long way to get it. Well, this is really targeted. And it's targeting digital marketers. Because the scammers are after ad account admins.
Why target ad account holders
You've probably seen Facebook credential harvesting phishing emails before. They usually look like they're coming directly from Facebook or Meta. As these are getting easier and easier to spot, we've seen different tactics to get access. The scam goal is the same—get access to ad accounts. But it's not so obvious to figure out the ultimate goal when the email isn't coming from Meta or Facebook and instead from an unrelated recruiter.
Although it might not be obvious why scammers would want access to ad accounts, there have been a wild amount of malicious campaigns using ad accounts. Campaigns like DUCKTAIL used spear-phishing to install malware on Facebook ad account holders' devices, steal their information, and infiltrate the organization further.
Or even VASTFLUX or Methbot that ran fraudulent programmatic ads for years before being taken down. As far as we know, this current campaign isn't connected to these past ad fraud operations, but it isn't hard to find creative ways to use access to someone else's ad accounts. Chances are, the scammers, in this case, would've run their own ads, whether real or phishing ads, on the harvested accounts, or someone else's ads and pocketed the money.
What are the signs this is a phish?
So what are the signs this wasn't a legitimate email? Well, there are things that you can easily see and others you need specialized tools to find out. Here's what we found:
- Two different fake domains—the email domain didn't match the link domain, even though they were really close
- No webpage exists for the email domain
- Domain registration really recent even though the company isn't new
- IP addresses and locations were in Germany and the sender information section was in German even though the sender was supposedly in the USA
- Company name was misspelled in the Calendly link
- Facebook was needed to log in to a Calendly calendar
- Facebook login page was inconsistent, had limited and unusual functionality
- Attempts to log in took unusually long
- Web requests made from the Facebook login page didn't go to Facebook
And what made it so convincing? Mainly how targeted it was. Looking specifically for marketers with experience that pointed towards having access to ad accounts. And sending the request from a very legitimate-looking person. The person being impersonated had a high-enough title at a well-known media agency but wasn't known themselves, so it wouldn't be too suspicious.
Did you or someone you know get a similar email? Contact me if you'd like to share your story.
Keep up with the latest threats
Don't miss future threats, and subscribe to our newsletter for the latest threat feed and cybersecurity news. Stay informed and stay safe!
About the author
Sophie is a no-fluff marketer on a quest to educate people about cybersecurity. Special thanks to Tina, who alerted me of this campaign and sent me the material, Suvi, one of our threat analysts at Hoxhunt, and Kurre, Lead Security Engineer at Supermetrics, for their invaluable help with this piece. This operation and all the details found have been disclosed to the National Cyber Security Centre.