The recruitment trap: How attackers are hijacking big brand names to phish for credentials

Landing a job at Meta, Disney, Coca-Cola, or Spotify is the kind of opportunity a lot of people would welcome with open arms. And that’s the catch. NordVPN’s Threat Intelligence research unit has brought to light a previously undocumented phishing campaign that weaponizes the appeal of big-name brands to lure job seekers into a multistage fake recruitment process — one that ends not with a job offer but with stolen Facebook credentials. I want to show you how this scheme runs from start to finish and what to keep in mind the next time an exciting job offer finds you first.

Apr 21, 2026

9 min read


When a dream job is really a phishing scam

The campaign NordVPN’s Threat Intelligence research unit uncovered is a multistage phishing operation that targets people actively looking for work at some of the most desirable employers in the world. The brands being impersonated — Meta and its subsidiaries (Facebook, Instagram, WhatsApp, and Threads), Disney, Coca-Cola, and Spotify — are not chosen arbitrarily. They are chosen because their names carry instant credibility and because the prospect of working for one of them is compelling enough to make a target act.

What attackers are ultimately after is gaining control over the victim’s Facebook account. To do so, they construct a fake recruitment process designed to feel legitimate at every step: a first cold email, a browsable job listing site right after it, and a final login prompt that doubles as a credential-harvesting page, the last step of the trap.

It starts with a convincing cold recruitment email

Attackers initiate contact through a cold recruitment email — unsolicited, professionally written, and sent on behalf of a brand the recipient would be more inclined to trust. The messages are detailed, with grammar and syntax carefully calibrated to mirror legitimate corporate recruitment outreach. Nothing about them, on the surface, reads as suspicious.

What makes these recruitment emails so difficult to intercept is the systems the attackers use to send them. In this specific phishing campaign, attackers abuse Google AppSheet (a legitimate platform) to distribute their messages, which allows the emails to inherit the sender reputation of a trusted service instead of an unknown or flagged domain. As a result, they can successfully bypass standard spam filters.

Potential victims are likely identified through automated scraping of professional platforms like LinkedIn or sourced from personal data lists exposed in previous breaches. If your professional email has ever been exposed, you may already be on one of these lists.

Criminals adopt stealth tactic to fool automated scanners

Every phishing email of this kind carries a link inside it, and this campaign is no different. Once the target clicks the link, they land on what our research team calls a HUB domain — an intermediate entry point that serves as the gateway to the rest of the operation. This stage is technically distinctive in how the HUB is engineered to evade detection.

If anyone visits the domain directly by typing the URL into a browser, or follows a link that lacks a specific parameter, the site displays a generic, inert webpage with no interactive functionality. Nothing on the site suggests malicious activity, which is intentional. The attackers deliberately adopt this stealth tactic to deceive security software and analysts who access the site without knowing the activation mechanism needed to reveal its true purpose.

The malicious functionality only activates when the site is accessed through a specific referral link embedded in the phishing email. That link is the trigger — without it, the “Search for a job” button simply doesn’t exist for visitors who arrive at the domain through any other means. Security analysts and automated tools that attempt to proactively crawl and flag the domain see a stripped-down version of the site with no visible malicious features. Only the intended victim, arriving via the “correct” link, sees the live version.
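A URL scanner that only fetches the bare domain sees the inert page; to catch this kind of cloaking it has to replay the exact link from the email, parameter included, and compare the two responses. The following added example (not part of NordVPN’s research, and using constructed HTML snapshots rather than captures from the campaign) diffs the interactive elements of both views and reports what exists only in the referral-link version.

```python
from html.parser import HTMLParser


class InteractiveElements(HTMLParser):
    """Collect link targets, form actions and button labels from one HTML snapshot."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self.buttons = set(), set(), set()
        self._in_button = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(a["href"])
        elif tag == "form":
            self.forms.add(a.get("action") or "")
        elif tag == "button":
            self._in_button = True

    def handle_endtag(self, tag):
        if tag == "button":
            self._in_button = False

    def handle_data(self, data):
        if self._in_button and data.strip():
            self.buttons.add(data.strip())


def gated_content(direct_html: str, referral_html: str) -> dict:
    """Interactive elements that appear only when the page is reached via the referral link.

    A non-empty result means the site serves different functionality depending on how it
    is reached, which is the cloaking behaviour a URL scanner should treat as suspicious.
    """
    base, live = InteractiveElements(), InteractiveElements()
    base.feed(direct_html)
    live.feed(referral_html)
    return {"links": sorted(live.links - base.links),
            "forms": sorted(live.forms - base.forms),
            "buttons": sorted(live.buttons - base.buttons)}


# Constructed snapshots (not captured from the campaign): the inert page a scanner sees,
# and the same page when reached through the emailed link with its referral parameter.
DIRECT_VIEW = "<html><body><h1>Welcome</h1><p>Nothing to see here.</p></body></html>"
REFERRAL_VIEW = ("<html><body><h1>Welcome</h1>"
                 "<a href='https://jobs.hub-example.invalid/list'><button>Search for a job"
                 "</button></a></body></html>")

if __name__ == "__main__":
    print(gated_content(DIRECT_VIEW, REFERRAL_VIEW))
```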

The fake career site that victims mistake for a legitimate hiring platform

Clicking the “Search for a job” button on the HUB domain doesn’t take the potential victim to a job application form. It redirects them to a second domain — an intermediate site that simulates a legitimate job listing site, complete with browsable positions that appear to be from the impersonated brand. The interface is designed to look and feel like a real hiring platform, and for those who have already made it this far through the process, it only reinforces the illusion that they are engaging with an actual recruitment operation.

The domains at this stage are brand specific. For Meta, our team identified domains such as plus.jobfusion-mt[.]com and official.professionlaunch-mt[.]com. Disney’s fake domains follow a consistent naming pattern built around the “wdc” prefix — a nod to Walt Disney Company — for example, jobquest.wdcfuturesteps[.]com and hirenow.wdccareersupport[.]com. Spotify and Coca-Cola operate under their own dedicated sets of domains, like connect.spotifycareerapply[.]com and careers.coca-contactnow[.]info, respectively.

The naming convention is worth paying attention to. These domains are constructed to look affiliated with the brands they impersonate, combining brand name fragments with HR-adjacent vocabulary like “recruit,” “careers,” “talent,” and “hire.” To a person who is already invested in the process, the URL may not set off any alarms.

A spoofed Facebook login prompt is where the trap closes

Browsing through job listings on the fake career site, the target eventually finds a position they want to apply for and clicks the “Apply” or “Submit application” button. However, what loads next is not a job application form. Instead, the person is redirected to a page that presents a single instruction — to log in via Facebook to proceed with the application.

The page is designed to look exactly like a legitimate Facebook authentication prompt — the kind that appears on any site using Facebook as a single sign-on (SSO) option. But the login form is not hosted on facebook.com. It is hosted on the attacker’s infrastructure, and any credentials entered are delivered directly to them.

The social login framing is what makes this final step so effective. Authenticating via a major social platform to access a third-party service is a normal and familiar experience for most internet users. A person who has navigated a convincing recruitment process, from a professional email to a functional job listing site with browsable positions, has had their trust reinforced at every stage before arriving at that final prompt. By the time the Facebook authentication screen appears, the target’s guard is down.

At that point, whatever credentials the victim enters are captured by the attackers. In practice, that means full control of the Facebook account passes directly into the wrong hands — and with it, every platform, service, and piece of personal data connected to it.

Why this phishing operation is as effective as it is dangerous

Strip away any one stage of this phishing operation and the illusion starts to crack. It’s the sum of its carefully constructed parts that makes the attack chain so difficult to detect. Each stage of the operation is designed to feel like a natural continuation of a legitimate process. No single step is jarring enough to register as shady on its own.

Attackers are also exploiting a specific psychological vulnerability. Job seekers are already primed to share personal information with unfamiliar contacts, follow multistep instructions, and extend trust to professional-looking outreach. The campaign is precisely engineered to exploit exactly that mindset.

Domininkas Virbickas, product director at NordVPN, emphasizes how attackers manipulate human behavior to their advantage:


“Job seekers are uniquely vulnerable because they’re already in a mindset of sharing personal information and following instructions from unfamiliar contacts. Such campaigns take advantage of that trust using polished communications and convincing fake career portals that are nearly indistinguishable from the real thing.”

The technical evasion built into the HUB mechanism compounds this further. By keeping the malicious infrastructure invisible to security scanners, attackers ensure that the campaign’s domains are unlikely to be flagged or blocked before a potential victim interacts with them.

How to spot and avoid recruitment phishing

Sophisticated as this phishing campaign is, the attack chain has cracks in it — and being able to spot these cracks is what keeps you on the right side of it and what separates a “nice try, but no” person from an “I can’t believe I fell for this” person.

The most glaring crack in this operation (and in phishing attacks generally) is the URL. Legitimate companies host their career pages on their own official domains. As a point of reference, Meta’s is metacareers.com, Disney’s is jobs.disneycareers.com, and Spotify’s is lifeatspotify.com. If a domain combines a brand name with unrelated vocabulary like “jobfusion,” “contactnow,” or “careerapply,” it is not an official career site. Before clicking any link in an unsolicited recruitment email, run it through NordVPN’s link checker to verify whether the destination is safe.

Any recruitment flow that asks you to authenticate via Facebook to submit a job application should be treated as a red flag. If you do encounter such a prompt, check the URL of the login page immediately — a legitimate Facebook authentication redirect will always resolve to a facebook.com domain. If it resolves to anything else, close it.
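The two checks above (is the career site one of the brand’s official domains, and does the login page really resolve to facebook.com) and the brand-plus-HR-vocabulary naming pattern described earlier can be turned into a small triage routine. This is an added example, not tooling from NordVPN: the official career hosts come from the text, while the brand and HR token lists and the two-label approximation of the registrable domain are assumptions. The facebook.com test deliberately matches only the domain itself or a label beneath it, never a substring, since a host like facebook.com.login-check.invalid is not facebook.com.

```python
from urllib.parse import urlsplit

# Official career hosts named in the article; the token lists are an assumption.
OFFICIAL_CAREER_HOSTS = ("metacareers.com", "jobs.disneycareers.com", "lifeatspotify.com")
LOGIN_PROVIDER = "facebook.com"
BRAND_TOKENS = ("meta", "-mt", "facebook", "disney", "wdc", "spotify", "coca")
HR_TOKENS = ("job", "career", "hire", "recruit", "talent", "profession", "apply", "contact")


def host_of(url: str) -> str:
    """Extract the lowercase hostname; accepts defanged 'example[.]com' input."""
    return (urlsplit(url.replace("[.]", ".")).hostname or "").lower().rstrip(".")


def is_under(host: str, domain: str) -> bool:
    """True only for the domain itself or a label beneath it, never a substring match.
    'facebook.com.login-check.invalid' must NOT pass as facebook.com."""
    return host == domain or host.endswith("." + domain)


def triage(url: str) -> str:
    """Classify a recruitment or login link.

    Returns 'official', 'login-lookalike', 'brand-lookalike' or 'unknown'.
    The registrable domain is approximated as the last two labels (assumption;
    multi-part public suffixes such as co.uk need a public-suffix list).
    """
    host = host_of(url)
    if any(is_under(host, h) for h in OFFICIAL_CAREER_HOSTS + (LOGIN_PROVIDER,)):
        return "official"
    if LOGIN_PROVIDER.split(".")[0] in host:
        return "login-lookalike"   # "facebook" in the name, but not under facebook.com
    label = host.split(".")[-2] if "." in host else host
    if any(b in label for b in BRAND_TOKENS) and any(t in label for t in HR_TOKENS):
        return "brand-lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.metacareers.com/jobs",
                 "https://hirenow.wdccareersupport[.]com/apply",
                 "https://facebook.com.login-check.invalid/"):
        print(link, "->", triage(link))
```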

Unsolicited recruitment emails deserve scrutiny regardless of how professional they look. Cross-reference any opportunity by navigating directly to the company’s official careers page. If the role exists, it will be listed there. If it isn’t, you are looking at a fabrication. NordVPN’s scam text checker can also help identify whether outreach matches patterns associated with known phishing infrastructure.

Finally, enable two-factor authentication (2FA) on your Facebook account and every other account where it is available. If credentials are ever compromised, 2FA is the last line of defense standing between an attacker and full account access.


Methodology

This investigation was conducted using open-source intelligence methodology (OSINT) and a cross-referencing process designed to corroborate every finding before drawing conclusions.

Data collection was anchored in the deployment of “dorks” (advanced search strings) across both general-purpose and specialized search engines as well as platforms built for indexing domains, websites, and internet-exposed devices. 

Among the latter, our team made extensive use of IoT-focused search engines and Shodan-like services, specifically Fofa.io and Shodan.io. These tools proved instrumental in pushing the investigation past domain identification, bringing exposed services, ports, potential vulnerabilities, and unintentional exposures within the campaign’s infrastructure to the surface.

The methodology was built around two objectives. The first was to construct the most complete possible picture of the digital entities involved in the operation. The second was to move past the theoretical identification of suspicious domains and verify which were actively compromised or operationally malicious. 

All conclusions are grounded in verified, cross-referenced data, and the extent of the compromised infrastructure was pinned down with the greatest precision the available tooling could deliver.

Mattia Vicenzi

Mattia is an open-source and cyber threat intelligence analyst specializing in monitoring and analyzing online scams. In his free time, he volunteers with various organizations to help search for missing persons.