Developers are being targeted in a new phishing campaign using fake CrowdStrike job offers, the security company has warned.
The firm noted that the campaign, first identified on 7 January, uses CrowdStrike’s recruitment branding to load crypto-mining malware onto the victim’s systems.
The campaign begins with phishing emails purporting to be part of a recruitment process informing victims that they have reached the interview stage for a junior developer role at CrowdStrike.
Victims are redirected to a malicious website disguised as a legitimate CrowdStrike domain, where they are prompted to install what it describes as an employee CRM application to schedule the interview.
However, the ‘CRM app’ is actually a malicious Windows executable written in Rust that loads the XMRig crypto miner onto their system.
XMRig is an open source tool used for mining cryptocurrencies such as Monero, but the tool is frequently leveraged by cybercriminals to use the computing resources of compromised machines to mine cryptocurrency on their behalf.
The miner is configured to run in the background on the target’s machine, using “minimal CPU resources to avoid detection” CrowdStrike noted.
The firm said the campaign highlights the importance of staying vigilant against phishing attacks that target jobseekers, advising developers currently in the recruitment process to verify all communications with CrowdStrike and avoid downloading “unsolicited files”.
It added that CrowdStrike does not interview potential applicants via instant message or group chat, and never asks candidates to download software for interviews.
Recruitment space is a happy hunting ground for social engineers
Phishing campaigns targeting jobseekers have become a recurring issue in the modern threat landscape, with the promise of a potential job offer often leading victims to let their guard down.
In November 2024, an investigation by Clear Sky Security highlighted one social engineering campaign using fraudulent LinkedIn identities to trick job seekers looking for a role in the highly competitive aerospace industry.
Earlier that year, in February, a group tracked as Moonstone Sleet by Microsoft was observed targeting software developers with a fake opportunity to work on a video game DeTankWar, which was actually a custom malware loader.
Commenting on the recently uncovered fake CrowdStrike campaign, Chance Caldwell, senior director of the Phishing Defense Center at Cofense, noted the focus of the campaign targeting prospects who had already applied for a role at CrowdStrike.
RELATED WHITEPAPER
"While interview and job-related phishing emails are not uncommon, this is a very targeted campaign that goes beyond the vast majority of malicious campaigns we see with this theme,” he explained.
“The campaign uses URLs that were created to look like they might actually belong to CrowdStrike and the downloaded malware provides a pop-up that directs users to the real CrowdStrike support portal."
Caldwell added that the majority of phishing campaigns Cofense observes exhibit far less sophisticated mimicry, offering potential targets advice on how to spot a malicious social engineering campaign before it’s too late.
“Most of the use cases we see are lucky to have proper branding, much less the extended work done here to really portray themselves as CrowdStrike,” he said.
“It is very unlikely that a recruiter will direct someone to download an executable as part of the interview process. Any suspicious requests, such as this one, should be sufficiently verified before downloading anything and contact information should be verified through the legitimate company website."
-
European financial firms are battling a huge rise in third-party breachesNews Growing vendor dependency has contributed to a marked rise in third-party breaches
-
‘We’ve got some fabulous conditions’: Salesforce UK chief exec Zahra Bahrololoumi touts the country's tech industry potentialNews The UK remains a “priority market” for Salesforce, according to its regional CEO
-
FIN6 attackers target recruiters with fraudulent resumesNews The group's phishing methods protect it from many detection tools, researchers warn
-
100,000 accounts have been hit in a HMRC scam campaign, but the tax office says it wasn't hacked – here's whyNews Organized criminals used phished data to set up dodgy HMRC accounts and demand tax rebates
-
Confused at all the threat group names? You’re not alone. CrowdStrike and Microsoft want to change thatNews CrowdStrike and Microsoft hope to "bring clarity and coordination" to the cyber industry by unifying threat group naming conventions.
-
CrowdStrike announces integration with Nvidia Enterprise AI FactoryNews Organizations can now leverage CrowdStrike protection within Nvidia Enterprise AI Factory deployments
-
CrowdStrike prepares for battle as Delta given go-ahead for outage lawsuitNews Delta Air Lines has been told it can take CrowdStrike to court to seek damages after last summer's outage forced the airline to cancel 7,000 flights.
-
The FBI says hackers are using AI voice clones to impersonate US government officialsNews The campaign uses AI voice generation to send messages pretending to be from high-ranking figures
-
Employee phishing training is working – but don’t get complacentNews Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard groupNews The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
