- NordVPN researchers uncovered a massive recruitment phishing scam
- Scammers impersonate top global employers like Meta, Disney, Spotify
- Hackers use fake job portals to steal job seekers’ Facebook login credentials
The job market is tough enough without having to dodge cybercriminals. But according to new research from NordVPN, hackers are now impersonating recruiters from some of the world’s biggest brands to hijack the social media accounts of unsuspecting job seekers.
The cybersecurity firm’s Threat Intelligence unit has exposed a highly sophisticated phishing campaign that weaponizes the names of major employers, including Meta, Disney, Coca-Cola, and Spotify. Rather than stealing your money outright, the operation is designed to quietly harvest your Facebook credentials.
By deploying polished recruitment emails, hidden “HUB” domains, and incredibly realistic job portals, attackers are tricking applicants into handing over the keys to their digital lives. With social media accounts often linked to other sensitive apps and services, a compromised Facebook login can quickly spiral into a devastating privacy breach.
If you want to protect your personal data while applying for roles online, using one of the best VPN services with built-in anti-malware and malicious tracker blocking is a smart first step. However, staying completely safe from targeted phishing requires a deeper understanding of how these multi-stage scams actually work.
From fake job offer to full account hijack
The campaign kicks off with a professional-looking cold email, often sent via legitimate platforms like Google AppSheet to slip past standard spam filters.
These messages feature clean grammar and target victims whose contact details were likely scraped from platforms like LinkedIn or exposed in previous data breaches.
Clicking the email link takes victims to a “HUB” domain (such as careers.meta-findyourjob[.]com).
Interestingly, NordVPN found that these sites feature a clever built-in evasion tactic. If a security scanner or an analyst visits the URL directly, they only see a blank, harmless webpage. The malicious “Search for a job” button only activates when the site is triggered by a unique referral link embedded in the original phishing email.
Once the victim clicks through, they land on an intermediate site that flawlessly mimics a legitimate corporate job board. Researchers identified several fake portals, including connect.spotifycareerapply[.]com for Spotify and jobquest.wdcfuturesteps[.]com for Disney.
The trap finally closes when the applicant clicks “Apply.” Instead of a standard application form, they are met with a prompt demanding they log in via Facebook to proceed. This fake login page captures the victim’s username and password, handing the attackers total control over the account.
Domininkas Virbickas, product director at NordVPN, explains that job seekers are “uniquely vulnerable” to these types of attacks. That’s because they are already in a mindset where sharing personal data and following instructions from unknown contacts is the normal process to land an interview.
“Such campaigns take advantage of that trust using polished communications and convincing fake career portals that are nearly indistinguishable from the real thing,” said Virbickas.
How to stay safe during your job hunt
This campaign proves that cybercriminals are constantly finding new ways to weaponize professional contexts to bypass our natural skepticism. Because this attack flow so closely mimics a real corporate hiring process, even cautious internet users can be caught off guard.
To protect yourself, NordVPN recommends making a habit of verifying the URL before entering any personal data. Legitimate mega-brands will always host their career pages on official, recognizable domains, not unusual third-party links.
The same rule applies to social login prompts. A genuine “Log in with Facebook” button will always securely redirect you to the official facebook.com domain. If the URL bar shows anything else, close the tab immediately.
If you still have doubts, I recommend running the link through NordVPN’s URL checking tool or similar software. It’s completely free to use for anyone, even those who don’t have an active NordVPN subscription.
Finally, NordVPN suggests always activating two-factor authentication (2FA) across your social media profiles. Even if a sophisticated phishing page manages to steal your password, 2FA serves as a vital safety net that blocks attackers from accessing your account.
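The URL rule above, worked through in code as an added example (not code from NordVPN or TechRadar): the helper refangs the article's defanged hostnames and decides whether the host shown in the URL bar of a "Log in with Facebook" prompt really is facebook.com or one of its subdomains, rejecting HTTP, prefix look-alikes and the user-info trick. The look-alike hostnames marked constructed are invented for the demonstration, not indicators from the report.

```python
from urllib.parse import urlsplit

# Only facebook.com itself or a subdomain of it is an acceptable landing host
# for a genuine "Log in with Facebook" flow.
OFFICIAL_LOGIN_DOMAIN = "facebook.com"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as careers.meta-findyourjob[.]com back
    into a real hostname so it can be parsed like a live URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def is_official_facebook_login(url: str) -> bool:
    """True only if the URL is HTTPS, carries no user-info
    (https://facebook.com@evil.example), and its host is facebook.com
    or a real subdomain of it."""
    parts = urlsplit(refang(url))
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    # "www.facebook.com" passes; "facebook.com.evil.example" and
    # "facebook-com.example" do not, because the suffix must be ".facebook.com".
    return host == OFFICIAL_LOGIN_DOMAIN or host.endswith("." + OFFICIAL_LOGIN_DOMAIN)


def classify_login_prompt(url: str) -> str:
    """Verdict for the address shown after clicking 'Apply'."""
    if is_official_facebook_login(url):
        return "official facebook.com login"
    return "NOT facebook.com: close the tab"


if __name__ == "__main__":
    # Sample URLs: the defanged hosts named in the article plus constructed look-alikes.
    samples = [
        "https://www.facebook.com/login.php",
        "https://careers.meta-findyourjob[.]com/apply",
        "https://connect.spotifycareerapply[.]com/login",
        "https://jobquest.wdcfuturesteps[.]com/apply",
        "https://facebook.com.example-login[.]com/",  # constructed: prefix trick
        "https://facebook.com@example-login[.]com/",  # constructed: user-info trick
        "http://www.facebook.com/login.php",          # constructed: plain HTTP
    ]
    for u in samples:
        print(f"{u:50} -> {classify_login_prompt(u)}")
```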