Social Engineering TTPs Episode 2: Malicious Job Advertisements
Bigger Hits and Bolder Moves... on Linkedin
Author's Note: When I initially collected the information for this article, I focused on capturing the relevant threat intelligence and translating it so that the average jobseeker could recognise what to look for in a malicious job advertisement on LinkedIn. By the time I revised it to add Detection Engineering relevant Sigma rules, the threat actors had changed the website and removed the malicious components.
Earlier, a friend of mine posted on LinkedIn about how hiring managers were increasingly identifying themselves on the platform and asking candidates to "reach out" individually through suspicious websites.
I found the first posting on my feed that looked suspicious and decided to dig into it to see what I could identify.
You'll notice the shortened URL, which resolves to [h]iringportal.blogspot.com.
Observation: Above is a screenshot of the form. The requested information was fairly tame: names, e-mail addresses and so on.
Note: At the bottom of the form there is a banner from Google which states, "this is not a Google page".
What is interesting is that the entire application is one giant link: click anywhere and you are sent to a spam pop-up. Reviewing the page source shows the following hyperlink covering the entire page:
Observation: A person claiming to work for Google as a hiring manager led the unsuspecting job seeker to a website where a link covers the entire page and, when clicked, opens a pop-up to a different site.
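The full-page link described above is something you can check for mechanically when triaging a suspicious "application" page. The script below is an added example, not code from the original article: it parses saved HTML with Python's standard library and flags two shapes of the trick, an `<a>` or `<iframe>` whose inline style pins it over the whole viewport, and an `<a>` that simply wraps most of the page's visible text, in both cases only when the target host differs from the host the form was served from. The page host, the `popup.example` target and the three sample documents are constructed for illustration; they are not the real indicators.

```python
"""Flag full-page link/iframe overlays in a saved HTML form page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host the form was served from, taken from the article (defanging removed).
PAGE_HOST = "hiringportal.blogspot.com"

_POS = re.compile(r"\bposition\s*:\s*(fixed|absolute)", re.I)
_FULL = re.compile(r"\b(width|height)\s*:\s*100\s*(%|vw|vh)", re.I)
_ZERO_EDGE = re.compile(r"\b(top|left|right|bottom)\s*:\s*0(px|%)?\b", re.I)


def covers_viewport(style):
    """True if an inline style pins the element over the whole page:
    position fixed/absolute plus either width+height of 100% (or vw/vh)
    or all four edges set to 0."""
    if not style or not _POS.search(style):
        return False
    dims = {m.group(1).lower() for m in _FULL.finditer(style)}
    edges = {m.group(1).lower() for m in _ZERO_EDGE.finditer(style)}
    return dims == {"width", "height"} or len(edges) == 4


def is_offsite(href, page_host=PAGE_HOST):
    """True if href points at a different host than the page itself.
    Relative links (no host) are treated as on-site."""
    host = urlparse(href).hostname
    return bool(host) and host.lower() != page_host.lower()


class OverlayLinkFinder(HTMLParser):
    """Collects styled overlays and measures how much page text each <a> wraps."""

    def __init__(self, page_host=PAGE_HOST):
        super().__init__()
        self.page_host = page_host
        self.findings = []        # (reason, tag, target)
        self._open_anchor = None  # href of the currently open <a>, if any
        self._total_chars = 0     # visible (non-whitespace) characters on the page
        self._anchor_chars = {}   # href -> visible characters inside that anchor

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            href = a.get("href", "")
            self._open_anchor = href
            self._anchor_chars.setdefault(href, 0)
            if covers_viewport(a.get("style", "")) and is_offsite(href, self.page_host):
                self.findings.append(("full-page anchor overlay", tag, href))
        elif tag == "iframe":
            src = a.get("src", "")
            if covers_viewport(a.get("style", "")) and is_offsite(src, self.page_host):
                self.findings.append(("full-page iframe overlay", tag, src))

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_anchor = None

    def handle_data(self, data):
        n = len(data.strip())
        self._total_chars += n
        if self._open_anchor is not None:
            self._anchor_chars[self._open_anchor] += n

    def wrapping_anchors(self, threshold=0.8):
        """Off-site anchors containing most of the page text ('one giant link')."""
        if self._total_chars == 0:
            return []
        return [href for href, n in self._anchor_chars.items()
                if n / self._total_chars >= threshold
                and is_offsite(href, self.page_host)]


def scan(html, page_host=PAGE_HOST):
    """Return a list of (reason, tag, target) findings for one HTML document."""
    p = OverlayLinkFinder(page_host)
    p.feed(html)
    p.close()
    findings = list(p.findings)
    for href in p.wrapping_anchors():
        findings.append(("anchor wraps most of page text", "a", href))
    return findings


# Constructed samples modelled on the article's description (not the real page).
SAMPLE_OVERLAY = """<html><body>
<a href="http://popup.example/redir"
   style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999"></a>
<form><input name="name"><input name="email"></form>
<p>This is not a Google page</p>
</body></html>"""

SAMPLE_WRAPPED = """<html><body><a href="http://popup.example/redir">
<h1>Apply now</h1><form><label>Name</label><label>Email</label></form>
</a></body></html>"""

SAMPLE_CLEAN = """<html><body><h1>Apply now</h1><form><label>Name</label></form>
<a href="https://hiringportal.blogspot.com/privacy">Privacy</a></body></html>"""

if __name__ == "__main__":
    for name, doc in [("overlay", SAMPLE_OVERLAY), ("wrapped", SAMPLE_WRAPPED),
                      ("clean", SAMPLE_CLEAN)]:
        print(name, scan(doc))
```

Point `scan()` at the HTML you saved from the suspicious page (for example, the body returned by URLscan.io) and pass the host the form was served from. The same-host check matters: Blogspot pages legitimately contain plenty of Google-hosted links, so only an overlay or wrapping anchor that leads somewhere else is worth reporting.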
Running the new URL through URLscan.io returns the following information:
URLscan.io considers this website malicious. I noted that this was not the same URL I had encountered previously, so I refreshed the page to see what else came up:
The newly generated link leads to the same server ([173].233.137.44). Running the request again produced yet another site, this time on [173].233.137.60: a new endpoint, but still in the same network.
Analysis: At the time of writing, all of the web pages were hosted from the same network, [173].233.137.0/24, at Servers.com.
Running a whois on [173].233.137.0 returns the following information:
NOTE: We found Servers.com itself to be safe, with its main IP located in the Netherlands. Given that it is an Infrastructure as a Service provider, it would make sense that bad actors might use its services in violation of the terms of use.
Running servers.com through urlscan.io provides the following information:
At the bottom of the page is an IP/ASN entry of 101 and the AS (Autonomous System) 7979, the same AS seen on the other requests. Clicking on AS 7979 returns a list of potentially malicious websites, including the ones observed previously.
On 6 Nov 2023, I returned to this project to identify additional characteristics of the websites and to improve the article with an eye towards providing detection guidance. On review, the previously identified malicious endpoints are no longer considered malicious by URLscan.io. Additionally, the IPv4 addresses have moved from Servers.com to Google Cloud. When I pulled the underlying HTML, there was no longer an iframe covering the entire site and linking to a malicious page, as had been captured previously.
Given this shift in TTPs, blocking the IP address of a malicious site outright would be of little value, as the threat actor is likely proxying through other infrastructure as well.
With more time on the live malicious site, I believe I could have identified an artifact that would fit into a Sigma rule or a firewall rule. Stay vigilant!
Question: What is the likelihood that someone from a FAANG company like Google would use Blogspot to gather applicant information? Observation: It does not make sense to use resources outside the company; Google has a large online presence of its own.