Font Size:

Careerbuilder Mystery Shopper Job Scam

posted on Thursday, December 15, 2016 in Security & Fraud Information

A new phishing scam is making its rounds. With this new scam a victim’s email account is compromised (e.g. through malware, email account takeover, or theft of their contact list and spoofing/faking of their email address) and used to send scam emails out to all of that victim’s contacts. 

Below is an example of this Phishing email:

Hello,

I am sending you an opportunity to make three hundred bucks weekly, go through the included info.

  • An attachment is included and may say something like “Employment App.pdf”.  Notice this is an attachment-based phish, and not a link-based one.  Often, the scammers will place a clean link in the body of the email that makes you think if the URL is good, the attachment must be too. Don’t trust these.
  • The attachment itself scans clean (don’t trust this – test these files with sites such as www.virustotal.com before opening), but there are many things wrong.  Check out the image below and see what you can spot is wrong:

Career builder image

Notice anything? Below are some signs to watch for:

  • The TalentNetwork image is horribly stretched to fit the left-right alignment. With today's branding standards this would not happen.
  • The text “TO PARTICIPATE IN THE SHOPPER ASSOCIATE PROGRAM” is  misaligned to the left, and is in all caps, says ‘300 USD’ which is incorrect as we’d say $300, and has a spelling error ‘QUESTIONAIRE’ (missing that second N).  It also sounds awkward. These are all red flags of a phish.
  • The lower careerbuilder image is grainy and blown up too large. The letters are stretched up-down so they are a different height compared to the top careerbuilder logo. With branding standards today most marketers would not send this out because it would not meet their company branding standards. You can tell this isn't something careerbuilder would send out.

What’s the “Click Here to Apply” button do?  In this case, it sends you to a Wordpress blog page in Brazil. Wordpress is one of the top infected platforms and is the site of choice for phishers to deploy their materials to attack you. When the top level of that Wordpress site is accessed, it’s an empty shell with template language. Another major red flag as no legitimate operator would leave their website undone and then launch an important marketing campaign.

Application Form: At this point, the scammers could have already injected malware into your computer, but in this case, they want your money instead. They provide you with a form to fill out, may ask you for your social security number and other details, and then the social engineering game begins.

What happens now?

This is when the scam phase begins. They will send you emails indicating you were approved and will begin making that 300 USD real soon, but you need to set up your bank account for direct deposit. They will also need you to send them some money as part of the “secret shopper” process. Once you’ve sent them some, they’ll social engineer reasons for them to need more, and are preying upon people being fearful of losing their initial “investment.”  

Recommendations

  • Keep spotting and flagging those phish.
  • Don’t trust strange attachments (e.g. not requested, from an unknown account, etc).  Upload them to Virustotal.com if you’re on a home PC.
  • Remember that social engineering scams are just as possible as malware injection ones.

Trusteer

Scroll to top