Written by Dima Khrustalov
|employer recruitment account||$30 - 130 / account|
|database of job seekers||$10 – 50 / 1,000 records|
|email communications of job seekers||$1.5 – 2.5 / email file|
Safeguard your recruiting accounts at employment websites using similar controls for other corporate accounts, for example:
Russian-language underground forums are filled with discussions regarding employment websites. The discussions often relate to the following popular websites:
These discussions center around two main topics:
Compromised accounts for different online services and platforms are considered to be one of the most valuable types of digital goods among cybercriminals. Without a doubt, the highest demand has always been for compromised financial accounts (e.g., online banking, brokerage, payments, etc.). Compromised employer accounts for online recruitment sites are also in very high demand, ahead of many other types of accounts. Dozens of cybercriminals are constantly seeking to buy such accounts of US, Canadian, and to a lesser extent European employers on a regular basis. This high demand is answered by botnet operators, who identify such compromised accounts in their victim databases and sell them in numerous underground forums, as well as many cybercriminals have developed tools and tactics to brute-force such accounts in order to sell them.
The prices for compromised employer accounts typically range between $30 to $130 per account, depending on the amount of additional information that is available with the compromised login credentials. The most expensive accounts usually include access to the accountholder’s business email, the victim’s IP address, and have a payment card linked to the account and a history of previous job postings. The cheapest accounts include only the login credentials.
What is the reason for such high demand for compromised employer accounts and for their relatively high prices (for example, the average price for a compromised online banking account is $30 - 50)? Compromised employer accounts are used by mule operators (or mule vendors), a specific niche of cybercriminals. Mules are people who receive illicit money transfers or merchandise acquired fraudulently on behalf of cybercriminals who wish to disguise their true identity and location. The funds or merchandise are subsequently sent to one or more addresses until reaching the final destination chosen by the cybercriminal. The most common way of recruiting mules is via fake job advertisements. And this is precisely the reason that mule vendors are constantly looking to buy compromised employer accounts. These accounts are used to post openings for a variety of entry-level positions that do not require prior experience or education, such as:
After posting these open job positions on career websites, the mule vendors receive candidate CVs. The names and email addresses of these job seekers are extremely valuable, feeding a database of prospective mules to be targeted for recruitment.
Since mules have a limited lifespan (fraudulent transactions are ultimately reported and the mule accounts are investigated and flagged), mule operators who want to achieve scale must have access to a constant stream of potential mules. This fuels ever-growing demand for compromised employer accounts.
Alongside compromised employer accounts, databases containing information and email communications of job seekers are frequently discussed and traded on underground forums. Such databases are used exactly for the same purpose as compromised employer accounts - to recruit mules. However, the approach is different, and often easier for the mule vendors. The databases of job seekers are sometimes directly harvested from employment websites (through a crawler or an actual hack) and include individuals’ personal details (full name, email) and their positions of interest. This allows a mule vendor to execute a targeted email campaign, sending personalized emails to potential mule candidates offering to apply for a bogus job. Prices for such databases range between $10 to $50 for one thousand records.
Taking it one step further, some cybercriminals sell email communications of job seekers. This includes an actual email sent by the job seeker to an employer in response to a job posting. Since the potential candidate has already expressed interest in a certain position, the mule vendor can ‘take over’ the correspondence with the job seeker or offer a similar position. The email records typically come in EML format1 and trade for $1.5 to $2.5 per record.1 EML file is an email message saved by an email program, such as Microsoft Outlook or Apple Mail. It contains the content of the message, along with the subject, sender, recipient(s), and date of the message. EML files may also store one or more email attachments, which are files sent with the message.
About the AuthorDima Khrustalov is a senior analyst at Q6 Cyber’s Tel Aviv office, covering global cybercriminal activities on the Dark Web and Deep Web. Prior to Q6 Cyber, Dima was an Anti-Money-Laundering and Due Diligence analyst. Dima holds a BA in Communications and Business Administration from the Hebrew University of Jerusalem.