“Hired Hand” in the Kingdom of Saudi Arabia Uses Domain Spoofing
Sometimes a social engineering campaign has a clear geographical focus, often shaped by language, holidays, or current events. In this case, the scammers are taking opportunistic advantage of a company whose service offerings have a significant share in a locally important Saudi market, and their preferred technique has been domain-spoofing.
Researchers have observed the production of a large number of bogus domains that misrepresent themselves as belonging to a well-known employment agency in the Kingdom of Saudi Arabia. Group-IB reports that, “Over the past 16 months, Group-IB analysts analyzed more than 1,000 rogue domains linked to a single Saudi company – a leading manpower agency that offers businesses assistance in hiring employees for the construction and services sector, and individuals can also procure the services of domestic workers through the agency. The latter of these two groups is the target of this scam campaign.”
It’s thus the market for domestic workers that the criminals have been seeking to exploit. It’s a more dispersed, less centralized market, and those engaged in it may have less support and less familiarity with cybercrime than bigger organizations in the construction sector.
“The campaign, which was launched in April 2021, appeared to peak in March 2022,” the researchers say, “when more than 200 new domains spoofing the agency in question were registered with hosting providers. Group-IB analysts believe that the surge in new domains registered in early 2022 could be a sign that a growing number of internet users had fallen victim to this scheme.” Why has the campaign endured as long as it has? It’s been working. “As seen in other examples around the world, scammers often double down on a certain tactic once it starts to generate them money.”
They earn money in a familiar way, by inveigling victims into giving up their banking and other credentials. “The scam campaign, which rests on multiple layers of social engineering, starts with the scammers placing advertisements on social media sites such as Facebook and Twitter, and the Google search engine. Group-IB analysts discovered more than 40 individual advertisements for this scheme on Facebook alone.” Those interested in hiring domestic help are then taken through a plausible application process, in the course of which they enter various bits of personal data, but the hook comes at the end, where they’re asked to pay a small processing fee. This is the stage at which financial credentials are taken. The hook is set, and the phish is reeled in.
Users can protect themselves by developing certain sound habits of awareness, like paying attention to a site’s actual url before they visit it (and similarly by paying attention to the email address of unsolicited messages especially). Companies can help by remaining alert for signs that their brands are being impersonated. In both cases, new-school security awareness training can help impart the knowledge and skills users and organizations can use to fend off social engineering.