In a world where cyber threats are increasingly sophisticated, it’s crucial to stay informed about the latest tactics, techniques, and procedures (TTPs) employed by threat actors. Today, we delve into a recent series of campaigns identified by Proofpoint, targeting university students with fraudulent job offers purportedly related to bioscience and health entities.
The Scam
Proofpoint’s research and analysis reveal that these campaigns began as early as March 2023 and continued through June 2023. The threat actors used job-themed email lures, mostly related to biosciences, healthcare, and biotechnology, to target university students in North America. The emails contained interview requests for remote data entry jobs, with attached PDFs providing alleged information about the organisation, the position offered, salary, and equipment specifications.
The threat actors enticed recipients to have a video call about the role, likely with the ultimate objective of conducting advance fee fraud (AFF). The recipient would likely be told to pay an advance fee for equipment before receiving it, a payment the threat actor would then collect.
Why Universities?
Universities are frequent targets of employment scams for several reasons. Students are likely more open to flexible, remote work opportunities; international students may not recognise telltale signs of fraudulent emails as well as native English speakers; and rising inflation and the cost of education are putting the pinch on students’ finances, making the promise of quick cash more attractive.
MITRE ATT&CK TTPs
The threat actors used a variety of tactics and techniques that align with the MITRE ATT&CK framework. These include:
- Spearphishing Attachment (T1193): The threat actors sent emails with attached PDFs containing alleged information about the organisation and the position offered.
- Impersonate Entities (T1390): The threat actors created fake domains that purported to belong to legitimate companies, typically adding “careers” to the domain name.
Indicators of Compromise (IOCs)
Proofpoint identified several spoofed domains used for employment fraud. These include:
- agcbiocareers[.]com
- amicusrxcareers[.]com
- xeneticbiocareers[.]com
- aleralabscareers[.]com
- ensyscecareers[.]com
- amberstonebiocareers[.]com
For a full list of IOCs, please refer to the original article by Proofpoint.
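As an added example (not code from Proofpoint or from the original article), the sketch below shows how a mail team could triage inbound messages against the domains listed above and against the "careers" naming pattern. The sample messages, the `allowlist` parameter and the verdict names are constructed for illustration, and the pattern check assumes a single-label TLD.

```python
from email import message_from_string
from email.utils import parseaddr

# Spoofed domains exactly as listed (defanged) in the IOC section above.
IOC_DEFANGED = ["agcbiocareers[.]com", "amicusrxcareers[.]com",
                "xeneticbiocareers[.]com", "aleralabscareers[.]com",
                "ensyscecareers[.]com", "amberstonebiocareers[.]com"]
IOC_DOMAINS = {d.replace("[.]", ".") for d in IOC_DEFANGED}

def sender_domain(raw_message):
    """Return the lower-cased domain of the From: address, or ''."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(raw_message, allowlist=frozenset()):
    """Verdict for one message: ioc-match, review-careers-suffix, clean, no-sender."""
    domain = sender_domain(raw_message)
    if not domain:
        return "no-sender"
    labels = domain.split(".")
    # Match the listed domains and any subdomain of them.
    if any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels) - 1)):
        return "ioc-match"
    if domain in allowlist:
        return "clean"
    # Heuristic for the naming pattern: "<name>careers" as the label left of
    # the TLD. Assumption: a single-label TLD (no public-suffix lookup).
    sld = labels[-2] if len(labels) >= 2 else ""
    if sld.endswith("careers") and sld != "careers":
        return "review-careers-suffix"
    return "clean"

# Constructed sample messages (not taken from the campaigns).
SAMPLES = [
    "From: Recruiting <hr@agcbiocareers.com>\nSubject: Interview request\n\nbody",
    "From: Talent Team <jobs@mail.amicusrxcareers.com>\nSubject: Remote role\n\nbody",
    "From: HR <hr@examplebiocareers.example>\nSubject: Data entry job\n\nbody",
    "From: Registrar <registrar@university.example>\nSubject: Enrollment\n\nbody",
    "Subject: no From header\n\nbody",
]

def triage(messages, allowlist=frozenset()):
    """Return (sender domain, verdict) for each raw message."""
    return [(sender_domain(m), classify(m, allowlist)) for m in messages]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLES):
        print(f"{domain or '-':35} {verdict}")
```

The suffix check is a review signal, not a block rule, since legitimate employers also run careers domains; pass known-good ones in `allowlist`. Only the `From:` header is inspected here, so a production check would also look at `Reply-To` and the envelope sender.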
Conclusion
This activity is a stark reminder of the importance of vigilance when dealing with unsolicited job offers, especially those that require upfront payment. Always verify the legitimacy of the organisation and the job offer before proceeding.
Further Reading
For more information on this topic, please refer to the original article by Proofpoint.