Group-IB uncovers fake job pages targeting Arabic speakers in Egypt, Middle East and Africa

Headline data and timeline of MEA job scam January 2022 – January 2023

Group-IB, a global cybersecurity leader headquartered in Singapore, has today published new research detailing a novel and ongoing fake job scam campaign targeting Arabic speakers in the Middle East and Africa region. Digital Risk Protection experts at Group-IB’s Threat Intelligence and Research Center in Dubai, United Arab Emirates, discovered and analyzed more than 2,400 fake job pages, created on social networks from January 2022 through January 2023, that impersonated companies from 13 Middle East and African countries. On these pages, scammers spoofed more than 40 of the Middle East and African region’s largest enterprises and published vacancies in the Arabic language offering salaries that are too good to be true. This is a social engineering ploy meant to get victims to interact with the post; the threat actors’ eventual goal is the theft of the user’s social network account credentials. To achieve this aim, the scammers include links to scam pages in the publications posted on the fake social media profiles, and these scam sites are linked to phishing pages on which the victim is asked to enter their login credentials. Group-IB analysts discovered that the scammers most frequently impersonated companies from Egypt, Saudi Arabia, and Algeria throughout this scam campaign.

To investigate this scam campaign, Group-IB analysts used the company’s proprietary Digital Risk Protection platform, leveraging its Artificial Intelligence technology and highly accurate logo analysis and text recognition features. Group-IB has a zero-tolerance policy for cybercrime, and any of the pages discovered in this scam campaign that impersonated Group-IB’s clients were blocked by Group-IB. The privacy policies of many leading social networks, which limit public access to information about the creators of individual profiles, and the scammers’ decision to create the scam and phishing pages on cheap or free all-in-one link solutions made it impossible to determine whether all 2,400-plus scam pages were created by a single group. Furthermore, this scam exclusively targets individuals, many of whom will be unaware that their credentials have been compromised, limiting Group-IB’s victim visibility. Despite this, Group-IB’s Digital Risk Protection researchers will continue to monitor this scam and work to ensure the takedown of any pages that appropriate the name and likeness of affected companies.

Flex those pincers

This particular scam campaign was notable due to both the number of fake pages created and the large number of countries targeted. In total, Group-IB Digital Risk Protection discovered more than 2,400 pages impersonating more than 40 prominent brands in the Middle East and African region. The scam campaign exclusively targets Arabic-speaking Internet users, as all adverts are posted in the Arabic language. Companies in Egypt were the most frequently impersonated by scammers, as 48% of all the fake profiles created on Facebook spoofed companies from this country. Organizations from Saudi Arabia (23% of all scam pages), Algeria (16%), Tunisia (7%), and Morocco (4%) were also frequently mimicked. In terms of timeframe, this particular scam campaign was first observed in January 2022, and peaked in activity this past August, when 609 new scam pages were created. New scam pages are still being made daily, and in January 2023, 108 Facebook profiles posting fake job vacancies from Middle East and African companies were discovered, a total that is higher than the monthly values for November and December 2022.

Group-IB researchers analyzed the fake job vacancies and found that, as a means of attracting victims, many of the posts claimed to be offering salaries for low- and middle-skilled posts that are too good to be true. One page spoofing a reputed petroleum company in Algeria claimed to be offering monthly salaries of 4,500 euros (US$4,800) for drivers and painters. On other pages, more realistic salaries were advertised: a profile imitating a Saudi dairy company mentioned that workers could expect to receive upwards of 3,500 Saudi riyals (roughly $930).

The scammers who launched this particular campaign set their sights on multiple verticals, although the logistics industry was the most commonly targeted, as 64% of the profiles discovered by Group-IB impersonated companies from this sector. Group-IB has previously noted that scammers targeting Middle East and African users are particularly fond of impersonating logistics enterprises due to their high potential ROI. The food and beverage (20% of scam pages) and petroleum (12%) industries were also heavily impersonated by the scammers. One particular company was impersonated by more than 1,000 fake pages. Other major targets in this campaign were a dairy firm in Saudi Arabia and an Algerian logistics company, whose brands were utilized on more than 300 and 200 pages, respectively. Some of the pages identified in this scam campaign claimed to be offering individuals jobs at the 2022 Federation Internationale de Football Association World Cup in Qatar.

Group-IB Digital Risk Protection researchers, who participated in international law enforcement efforts to secure the digital space around this tournament, published their findings on fake merchandise, fake ticketing, and fake job scams, which included the discovery of more than 16,000 scam domains, late last year.

Convincing fakes to trick users

The success of any scam campaign rests on the threat actors’ ability to convincingly impersonate a company. In this scam scheme, the vast majority of the fake Facebook pages featured the official name and likeness of the affected brand. Most of the profiles also include the word “وظائف” (vacancies) in their title.

These scam pages are often very basic and only contain an apply button. Crucially, they often contain the branding of the company in question, along with a description of the jobs that they claim to be advertising. Once the victim clicks on the apply button, they are almost always redirected to a phishing page that spoofs a major social network, such as Facebook. Should the user enter their email/phone number and password, the scammers now have all they need to gain access to the victim’s social network account. In rare cases, the initial scam web pages are used to redirect users to other scam pages.

“This particular scam case is significant as it targets individual internet users in the Middle East and North Africa on Facebook, a highly popular social network in the region. Group-IB’s Digital Risk Protection researchers have identified scams with similar tactics, techniques, and procedures in the past, and we will continue to leverage this experience, along with the full power of Group-IB’s technologies to detect and take down scam resources to ensure the digital security of companies and internet users. With this research, we hope to raise awareness in the Middle East and African region of the tricks that scammers are willing to pull, such as targeting job seekers, to steal their credentials and potentially cause them financial loss,” said Sharef Hall, Head of Group-IB’s Digital Risk Protection Analytics Team, Middle East and Africa.

Credential theft scams expose victims to significant risk if they use the same combination of username/email and password for accounts on other platforms, particularly those related to personal finances, such as cryptocurrency wallets and investment portfolios. Additionally, Group-IB experts have seen cases in which scammers utilized compromised accounts to share scams and phishing links with other users, and the threat actors can also demand money from the victim for the account’s retrieval. Companies and brands that have their likeness appropriated by scammers risk suffering reputational loss.

Group-IB urges internet users to be vigilant and always double-check the Uniform Resource Locator (URL) when following links that allegedly lead to the website of a company, particularly if those links were accessed on social media or sent via messengers. Additionally, users should enable two-factor authentication for their online accounts to provide an extra layer of security that can prevent scams such as this, and they should also ensure that they do not use the same password for multiple accounts. We advise businesses to leverage DRP solutions to monitor for signs of brand abuse on the internet and promptly detect and block any threats that could lead to scams.