Job Phishing Campaign Targeting Meta, WhatsApp & Instagram

Summary

The recent surge in job phishing campaigns targeting major platforms like Meta, WhatsApp, and Instagram has raised significant concerns recently. By analysing newly registered domains with keywords such as hire, apply and wajob a pattern of fraudulent activity has been uncovered. These domains, which began appearing in late 2024, are part of a coordinated effort to deceive job seekers by imitating legitimate recruitment processes.

Based on the similarity of such pages it is likely to be associated with the same phishing kit with page title as Meta Pro Support: Facebook and Instagram and Meta .

Another interesting fact of this domains are being registered on Ultahost, Inc.(https://ultahost.com/) and most of the historical domains with similar patterns and live domains are hosted on IP address: 160.30.169[.]150 belongs to Cao Hoang Hai Technology Company Limited(AS152983), a less popular stub AS.

Stealing Facebook Credentials

All of the phishing sites are designed to steal credentials or personally identifiable information (PII) from victims, either through the registration page or the login page.

By utilizing the websocket, the threat actor behind this campaign can track specific victim sessions, making it easier to intercept OTP/2FA codes, which have short validity periods.

The domain under attack, spyder1279[.]blog, was registered in March of this year and is used for WebSocket communication with phishing sites. A quick passive DNS analysis of the IP address 173.46.80[.]222 reveals that two other domains(adevsoftinc[.]com & datacenterprocessing[.]com) are associated with it, likely owned by the threat actor.

Conclusion

This targeted phishing campaign represents a sophisticated and coordinated effort to exploit job seekers' trust in established platforms like Meta, WhatsApp, and Instagram. The registration of domains through a single registrar (Ultahost, Inc.) and their consistent hosting on infrastructure linked to Cao Hoang Hai Technology Company Limited (AS152983) it is likely a well-organized operation rather than disparate opportunistic campaigns.

Several key observations warrant attention from the cybersecurity community:

1. Pattern Recognition: The domain naming conventions consistently leverage trusted brand names (WhatsApp, Messenger) combined with employment-related terms (talent, career, hiring). This deliberate approach exploits the current job market anxiety and candidates' eagerness to find opportunities with prestigious companies.

2. Infrastructure Insights: The concentration of domains on a less popular stub AS and consistent use of the same registrar provides valuable indicators for detection and blocking. The shared infrastructure connecting the phishing sites to spyder1279.blog via WebSocket for real-time credential interception demonstrates technical sophistication beyond basic phishing operations.

3. Evolving Tactics: The implementation of WebSocket technology to track victim sessions and intercept time-sensitive OTP/2FA codes represents an advanced capability that significantly increases the threat actor's success rate against even security-conscious victims.

Community Note

• Implement domain blocking for the identified patterns, particularly those featuring combinations of "wa," "messenger," "apply," "hire," and "job" with recently registered domains

• Monitor for traffic to the identified command-and-control domains, especially spyder1279.blog, adevsoftinc.com, and datacenterprocessing.com for further activities or associations

This research will be updated as new information becomes available.