Group-IB uncovers fake job pages targeting Arabic speakers in Egypt and other MEA countries

Group-IB uncovers fake job pages targeting Arabic speakers in Egypt and other MEA countries

Group-IB, a global cybersecurity leader headquartered in Singapore, has published new research detailing a novel and ongoing fake job scam campaign targeting Arabic speakers in the Middle East and Africa (MEA) region. Digital Risk Protection (DRP) experts at Group-IB’s Threat Intelligence and Research Center in Dubai discovered and analysed more than 2,400 fake job pages that impersonated companies from 13 MEA countries created on social networks from January 2022-January 2023. 

On these pages, scammers spoofed more than 40 of the MEA region’s largest enterprises and published vacancies in the Arabic language offering salaries that are too good to be true; a social engineering ploy that aims to get the victims to interact with the post with the eventual goal of the threat actors being the theft of the user’s social network account credentials. 

To achieve this aim, the scammers include links to scam pages in the publications posted on the fake social media profiles. These scam sites linked to phishing pages on which the victim is asked to enter their login credentials and passwords. Group-IB analysts discovered that the scammers most frequently impersonated companies from Egypt, Saudi Arabia and Algeria throughout the course of this scam campaign.

In order to investigate this scam campaign, Group-IB analysts used the company’s proprietary DRP platform, leveraging its AI technology and highly accurate logo analysis and text recognition features. Group-IB has a zero tolerance policy to cybercrime; any of the pages discovered in this scam campaign that impersonated Group-IB’s clients were blocked by Group-IB. 

Privacy policy on many leading social networks – which limits public access to information pertaining to the creators of individual profiles and the scammers’ decision to create the scam and phishing pages on cheap or free all-in-one link solutions – made it impossible to determine whether all 2,400-plus scam pages were created by a single group. Furthermore, this scam exclusively targets individuals, many of whom will be unaware that their credentials have been compromised, limiting Group-IB’s victim visibility. Despite this, Group-IB’s DRP researchers will continue to monitor this scam and work to ensure the takedown of any pages that appropriate the name and likeness of affected companies. 

Flex those pincers

This particular scam campaign was notable due to both the amount of fake pages created and the large number of countries targeted. In total, Group-IB DRP discovered more than 2,400 pages impersonating more than 40 prominent brands in the MEA region. 

The scam campaign exclusively targets Arabic-speaking Internet users, as all adverts are posted in the Arabic language. Companies in Egypt were the most frequently impersonated by the scammers, as 48% of all the fake profiles created on Facebook spoofed companies from this country. Organisations from Saudi Arabia (23% of all scam pages), Algeria (16%), Tunisia (7%) and Morocco (4%) were also frequently mimicked. In terms of timeframe, this particular scam campaign was first observed in January 2022 and peaked in activity in August, when 609 new scam pages were created. New scam pages are still being made on a daily basis; in January 2023, 108 Facebook profiles posting fake job vacancies from MEA companies were discovered, a total that is higher than the monthly values for November and December 2022.

Group-IB researchers analysed the fake job vacancies and found that many of the posts claimed to be offering salaries for low- and middle-skilled posts that are too good to be true as a means of attracting victims. One page spoofing a reputed petroleum company in Algeria claimed to be offering monthly salaries of €4,500 (US$4,800) for drivers and painters. On other pages, more realistic salaries were advertised, as a profile imitating a Saudi dairy company mentioned that workers could expect to receive upwards of 3,500 Saudi Riyals (roughly US$930). 

The scammers who launched this campaign set their sights on multiple verticals, although, the logistics industry was the most commonly targeted as 64% of the profiles discovered by Group-IB impersonated companies from this sector. Group-IB has previously noted that scammers targeting MEA users are particularly fond of impersonating logistics enterprises due to its high potential ROI. The food and beverage (20% of scam pages) and petroleum (12%) industries were also heavily impersonated by the scammers. One company was impersonated on more than 1,000 fake pages. Other major targets in this campaign were a dairy firm in Saudi Arabia and an Algerian logistics company, whose brands were utilised on more than 300 and 200 pages respectively, with some of the pages identified in this scam campaign claimed to be offering individuals jobs at the 2022 FIFA World Cup in Qatar. 

Group-IB DRP researchers, who participated in international law enforcement efforts to secure the digital space around this tournament, published their findings into fake merchandise, fake ticketing and fake job scams, which included the discovery of more than 16,000 scam domains, late in 2023. 

Convincing fakes trick users

The success of any scam campaign rests on the threat actors’ ability to convincingly impersonate a company. In this scam scheme, the vast majority of the fake Facebook pages featured the official name and likeness of the affected brand. Most of the profiles also include the word ‘وظائف’ (vacancies) in their title.

These scam pages are often very basic and only contain an ‘apply’ button. Crucially, they often contain the branding of the company in question, along with a description of the jobs that they claim to be advertising. Once the victim clicks on the ‘apply’ button, they are almost always redirected to a phishing page that spoofs a major social network, such as Facebook. 

Should the user enter their email/phone number and password, the scammers now have all they need to gain access to the victim’s social network account. In rare cases, the initial scam web pages are used to redirect users to other scam pages.

“This particular scam case is significant as it targets individual Internet users in the Middle East and North Africa on Facebook, a highly popular social network in the region,” said Sharef Hlal, Head of Group-IB’s DRP Analytics Team, MEA. “Group-IB’s DRP researchers have identified scams with similar tactics, techniques and procedures in the past and we will continue to leverage this experience along with the full power of Group-IB’s technologies to detect and takedown scam resources to ensure the digital security of companies and Internet users. With this research, we hope to raise awareness in the MEA region of the tricks that scammers are willing to pull, such as targeting job seekers, to steal their credentials and potentially cause them financial loss.”

Credential theft scams expose victims to significant risk if they use the same combination of username/email and password for accounts on other platforms; particularly those pertaining to personal finances, such as cryptocurrency wallets and investment portfolios. Additionally, Group-IB experts have seen cases whereby scammers utilised compromised accounts to share scam and phishing links to other users and the threat actors also demand money from the victim for the account’s retrieval. Companies and brands that have their likeness appropriated by scammers risk suffering reputational loss. 

Group-IB urges Internet users to be vigilant and always double check the URL when following links that allegedly lead to the website of a company, particularly if those links were accessed on social media or sent via messengers. Additionally, users should enable 2FA for their online accounts to provide an extra layer of security that can prevent scams such as this, and they should also ensure that they do not use the same password for multiple accounts. We advise businesses to leverage DRP solutions to monitor for signs of brand abuse on the Internet and promptly detect and block any threats that could lead to scams.

Click below to share this article

Browse our latest issue

Intelligent CIO Africa

View Magazine Archive