Cairo — Group-IB, a global cybersecurity leader headquartered in Singapore, has today published new research detailing a novel and ongoing fake job scam campaign targeting Arabic speakers in the Middle East and Africa (MEA) region. Digital Risk Protection (DRP) experts at Group-IB’s Threat Intelligence and Research Center in Dubai, United Arab Emirates, discovered and analyzed more than 2,400 fake job pages, created on social networks from January 2022 through January 2023, that impersonated companies from 13 MEA countries. On these pages, scammers spoofed more than 40 of the MEA region’s largest enterprises and published vacancies in the Arabic language offering salaries that are too good to be true, a social engineering ploy meant to get victims to interact with the post. The threat actors’ eventual goal is the theft of the user’s social network account credentials. To achieve this, the scammers include links to scam pages in the posts published on the fake social media profiles, and these scam sites link to phishing pages on which the victim is asked to enter their login and password. Group-IB analysts discovered that the scammers most frequently impersonated companies from Egypt, Saudi Arabia, and Algeria throughout the course of this scam campaign.
Flex those pincers
This particular scam campaign was notable due to both the number of fake pages created and the large number of countries targeted. In total, Group-IB Digital Risk Protection discovered more than 2,400 pages impersonating more than 40 prominent brands in the MEA region. The scam campaign exclusively targets Arabic-speaking internet users, as all adverts are posted in the Arabic language. Companies in Egypt were the most frequently impersonated by the scammers, as 48% of all the fake profiles created on Facebook spoofed companies from this country. Organizations from Saudi Arabia (23% of all scam pages), Algeria (16%), Tunisia (7%), and Morocco (4%) were also frequently mimicked. In terms of timeframe, this particular scam campaign was first observed in January 2022, and peaked in activity this past August, when 609 new scam pages were created. New scam pages are still being made on a daily basis, and in January 2023, 108 Facebook profiles posting fake job vacancies from MEA companies were discovered, a total that is higher than the monthly values for November and December 2022.
Figure 1: Headline data and timeline of MEA job scam January 2022 – January 2023.
Group-IB researchers analyzed the fake job vacancies, and found that many of the posts claimed to be offering salaries for low- and middle-skilled posts that are too good to be true as a means of attracting victims. One page spoofing a reputed petroleum company in Algeria claimed to be offering monthly salaries of 4,500 euros (USD $4,800) for drivers and painters. On other pages, more realistic salaries were advertised, as a profile imitating a Saudi dairy company mentioned that workers could expect to receive upwards of 3,500 Saudi riyals (roughly $930).
The scammers who launched this particular campaign set their sights on multiple verticals, although the logistics industry was the most commonly targeted, as 64% of the profiles discovered by Group-IB impersonated companies from this sector. Group-IB has previously noted that scammers targeting MEA users are particularly fond of impersonating logistics enterprises due to the high potential ROI. The food and beverage (20% of scam pages) and petroleum (12%) industries were also heavily impersonated by the scammers. One particular company was impersonated on more than 1,000 fake pages. Other major targets in this campaign were a dairy firm in Saudi Arabia and an Algerian logistics company, whose brands were utilized on more than 300 and 200 pages, respectively. Some of the pages identified in this scam campaign claimed to be offering individuals jobs at the 2022 FIFA World Cup in Qatar. Group-IB Digital Risk Protection researchers, who participated in international law enforcement efforts to secure the digital space around this tournament, published their findings on fake merchandise, fake ticketing, and fake job scams, which included the discovery of more than 16,000 scam domains, late last year.
Convincing fakes trick users
The success of any scam campaign rests on the threat actors’ ability to convincingly impersonate a company. In this scam scheme, the vast majority of the fake Facebook pages featured the official name and likeness of the affected brand. Most of the profiles also include the word “وظائف” (vacancies) in their title.
These scam pages are often very basic and only contain an “apply” button. Crucially, they often contain the branding of the company in question, along with a description of the jobs that they claim to be advertising. Once the victim clicks on the “apply” button, they are almost always redirected to a phishing page that spoofs a major social network, such as Facebook.
Should the user enter their email/phone number and password, the scammers now have all they need to gain access to the victim’s social network account. In rare cases, the initial scam web pages are used to redirect users to other scam pages.
“This particular scam case is significant as it targets individual internet users in the Middle East and North Africa on Facebook, a highly popular social network in the region. Group-IB’s Digital Risk Protection researchers have identified scams with similar tactics, techniques, and procedures in the past, and we will continue to leverage this experience, along with the full power of Group-IB’s technologies to detect and take down scam resources to ensure the digital security of companies and internet users. With this research, we hope to raise awareness in the MEA region of the tricks that scammers are willing to pull, such as targeting job seekers, to steal their credentials and potentially cause them financial loss,” Sharef Hlal, Head of Group-IB’s Digital Risk Protection Analytics Team, MEA, said.
Credential theft scams expose victims to significant risk if they use the same combination of username/email and password for accounts on other platforms, particularly those pertaining to personal finances, such as cryptocurrency wallets and investment portfolios. Additionally, Group-IB experts have seen cases in which scammers used compromised accounts to share scam and phishing links with other users, and the threat actors can also demand money from the victim for the account’s retrieval. Companies and brands that have their likeness appropriated by scammers risk suffering reputational loss.
Group-IB urges internet users to be vigilant and always double-check the URL when following links that allegedly lead to the website of a company, particularly if those links were accessed on social media or sent via messengers. Additionally, users should enable two-factor authentication (2FA) for their online accounts to provide an extra layer of security that can prevent scams such as this, and they should also ensure that they do not use the same password for multiple accounts. We advise businesses to leverage DRP solutions to monitor for signs of brand abuse on the internet and promptly detect and block any threats that could lead to scams.
Group-IB, with its headquarters in Singapore, is one of the leading solutions providers dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), Asia-Pacific (Singapore), and Europe (Amsterdam).
Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations. Group-IB’s Threat Intelligence system has been named one of the best in its class by Gartner, Forrester, and IDC. Group-IB’s Managed XDR, intended for proactively searching for and protecting against complex and previously unknown cyber threats, has been recognized as one of the market leaders in the Network Detection and Response category by KuppingerCole Analysts AG, the leading European analyst agency, while Group-IB itself has been recognized as a Product Leader and an Innovation Leader. Gartner has named Group-IB a Representative Vendor in Online Fraud Detection for its Fraud Protection. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks, with the company’s patented technologies at its core. Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and over 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.
Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.
Group-IB's experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB's mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.