Cybercriminals Recruiting Online

Written by Dima Khrustalov

Executive Summary

  • Compromised employer recruiting accounts at employment websites (e.g. Indeed, CareerBuilder, ZipRecruiter) are in very high demand in the cybercriminal underground.
  • The demand comes from mule operators, i.e., cybercriminals who specialize in recruiting and managing money and parcel mules. The compromised employer accounts are used to recruit mules by posting fake job advertisements.
  • In addition, many cybercriminals purchase databases containing information and email communications of job seekers. These databases are used for targeted mule recruitment by contacting potential candidates directly via email.
  • In the cybercriminal underground, prices for such accounts and data are quite high relative to other digital goods, even fetching higher prices than compromised bank accounts in many cases. The typical price range is shown in the table below:

    Item | Typical price
    Employer recruitment account | $30 – 130 / account
    Database of job seekers | $10 – 50 / 1,000 records
    Email communications of job seekers | $1.5 – 2.5 / email file

Recommendations

Safeguard your recruiting accounts at employment websites with controls similar to those you apply to other corporate accounts, for example:

  1. Keep an up-to-date inventory of all such accounts and related permissions.
  2. Enforce password rules (e.g., 12+ characters) to avoid brute-forcing.
  3. Ensure that recruiting accounts are only accessed via corporate devices and not through employees’ private devices.
  4. Regularly monitor the activity of your recruiting accounts to identify any suspicious publications.

Cybercriminal ‘Chatter’

Russian-language underground forums are filled with discussions regarding employment websites. The discussions often relate to the following popular websites:

  • careerbuilder.com
  • indeed.com
  • monster.com
  • ziprecruiter.com
  • craigslist.org
  • workopolis.ca
  • monster.ca

These discussions center around two main topics:

  1. buying or selling compromised employer accounts, and
  2. databases containing information and email communications of job seekers.
A threat actor looking to buy access to compromised employer accounts at indeed.com, careerbuilder.com and monster.com

Demand for Compromised Employer Accounts

Compromised accounts for different online services and platforms are considered to be one of the most valuable types of digital goods among cybercriminals. Without a doubt, the highest demand has always been for compromised financial accounts (e.g., online banking, brokerage, payments, etc.). Compromised employer accounts for online recruitment sites are also in very high demand, ahead of many other types of accounts. Dozens of cybercriminals regularly seek to buy such accounts belonging to US, Canadian, and, to a lesser extent, European employers. This demand is met by botnet operators, who identify such compromised accounts in their victim databases and sell them in numerous underground forums, and by many cybercriminals who have developed tools and tactics to brute-force such accounts in order to sell them.

The prices for compromised employer accounts typically range from $30 to $130 per account, depending on the amount of additional information that is available with the compromised login credentials. The most expensive accounts usually include access to the accountholder’s business email and the victim’s IP address, and come with a payment card linked to the account and a history of previous job postings. The cheapest accounts include only the login credentials.

A threat actor looking to buy careerbuilder.com employer accounts with an option to search by candidate's CV

Why So Lucrative?

What is the reason for such high demand for compromised employer accounts and for their relatively high prices (for example, the average price for a compromised online banking account is $30 - 50)? Compromised employer accounts are used by mule operators (or mule vendors), a specific niche of cybercriminals. Mules are people who receive illicit money transfers or merchandise acquired fraudulently on behalf of cybercriminals who wish to disguise their true identity and location. The funds or merchandise are subsequently sent to one or more addresses until reaching the final destination chosen by the cybercriminal. The most common way of recruiting mules is via fake job advertisements. And this is precisely the reason that mule vendors are constantly looking to buy compromised employer accounts. These accounts are used to post openings for a variety of entry-level positions that do not require prior experience or education, such as:

  1. receptionist / virtual receptionist
  2. customer service manager
  3. customer service representative
  4. real estate manager
  5. realtor assistant
  6. sales account manager
  7. sales assistant
  8. administrative assistant
  9. office administrator
  10. account manager

After posting these open job positions on career websites, the mule vendors receive candidate CVs. The names and email addresses of these job seekers are extremely valuable, feeding a database of prospective mules to be targeted for recruitment.

Since mules have a limited lifespan (fraudulent transactions are ultimately reported and the mule accounts are investigated and flagged), mule operators who want to achieve scale must have access to a constant stream of potential mules. This fuels ever-growing demand for compromised employer accounts.
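
One way to apply recommendations 1, 3 and 4 against the job titles listed above, as an added example that is not part of the original article. The event fields, account inventory, approved-requisition titles and corporate network range are hypothetical and constructed for illustration; they are not any employment website's real export format.

```python
import ipaddress
import re

# Entry-level titles the article lists as typical of fake mule-recruitment postings.
WATCH_TITLES = ["receptionist", "customer service manager",
                "customer service representative", "real estate manager",
                "realtor assistant", "sales account manager", "sales assistant",
                "administrative assistant", "office administrator", "account manager"]
WATCH_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, WATCH_TITLES)) + r")\b", re.I)

# Hypothetical inventory: recruiting account -> titles with an approved requisition.
INVENTORY = {
    "recruiting-eng@example.com": {"senior backend engineer"},
    "recruiting-ops@example.com": {"office administrator"},
}
CORPORATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed egress range

def review_posting(event):
    """Return the reasons a job-posting event needs manual review (empty if none)."""
    reasons = []
    if event["account"] not in INVENTORY:
        reasons.append("account not in inventory")
    ip = ipaddress.ip_address(event["source_ip"])
    if not any(ip in net for net in CORPORATE_NETS):
        reasons.append("source IP outside corporate range")
    approved = INVENTORY.get(event["account"], set())
    if event["title"].strip().lower() not in approved:
        reasons.append("no approved requisition")
        if WATCH_RE.search(event["title"]):
            reasons.append("title on mule-recruitment watch list")
    return reasons

def triage(events):
    """Map posting id -> reasons, for every event with at least one reason."""
    return {e["id"]: r for e in events if (r := review_posting(e))}

# Constructed sample events (field names are hypothetical, not a real site's export).
SAMPLE_EVENTS = [
    {"id": "p-1001", "account": "recruiting-ops@example.com",
     "source_ip": "198.51.100.20", "title": "Office Administrator"},
    {"id": "p-1002", "account": "recruiting-eng@example.com",
     "source_ip": "203.0.113.77", "title": "Virtual Receptionist (work from home)"},
    {"id": "p-1003", "account": "hr-temp@example.com",
     "source_ip": "198.51.100.5", "title": "Senior Backend Engineer"},
]

if __name__ == "__main__":
    for posting_id, reasons in triage(SAMPLE_EVENTS).items():
        print(posting_id, "->", "; ".join(reasons))
```

A watch-list title alone is not flagged when it matches an approved requisition, so legitimate entry-level hiring does not generate noise.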

Information And Email Communications Of Job Seekers

Alongside compromised employer accounts, databases containing information and email communications of job seekers are frequently discussed and traded on underground forums. Such databases are used for exactly the same purpose as compromised employer accounts: to recruit mules. However, the approach is different, and often easier for the mule vendors. The databases of job seekers are sometimes directly harvested from employment websites (through a crawler or an actual hack) and include individuals’ personal details (full name, email) and their positions of interest. This allows a mule vendor to execute a targeted email campaign, sending personalized emails that invite potential mule candidates to apply for a bogus job. Prices for such databases range from $10 to $50 for one thousand records.

Taking it one step further, some cybercriminals sell email communications of job seekers. This includes an actual email sent by the job seeker to an employer in response to a job posting. Since the potential candidate has already expressed interest in a certain position, the mule vendor can ‘take over’ the correspondence with the job seeker or offer a similar position. The email records typically come in EML format [1] and trade for $1.5 to $2.5 per record.

An underground service selling email communications of job seekers

[1] An EML file is an email message saved by an email program, such as Microsoft Outlook or Apple Mail. It contains the content of the message, along with the subject, sender, recipient(s), and date of the message. EML files may also store one or more email attachments, which are files sent with the message.

About the Author

Dima Khrustalov is a senior analyst at Q6 Cyber’s Tel Aviv office, covering global cybercriminal activities on the Dark Web and Deep Web. Prior to Q6 Cyber, Dima was an Anti-Money-Laundering and Due Diligence analyst. Dima holds a BA in Communications and Business Administration from the Hebrew University of Jerusalem.