Cybersecurity experts warn of fake job portals that perfectly impersonate well-known brands

The latest job scam is so sophisticated that even the most cautious can fall for it. NordVPN's threat intelligence research unit is raising awareness about a complex phishing scheme targeting job seekers that impersonates some of the world's most well-known companies. The operation uses the names of Meta (and its subsidiaries), Disney, Coca-Cola and Spotify to steal victims' Facebook credentials and take control of their accounts.

According to experts, the scammers are using hidden 'HUB' domains, referral link activation mechanisms and realistic job offer interfaces to guide victims through a carefully crafted process. In the final step, they redirect them to a fake Facebook login page designed to steal their credentials.

"Job seekers are especially vulnerable because they are willing to share personal information and follow instructions from unknown contacts," NordVPN Product Manager Domininkas Virbickas says. "These schemes exploit that trust through highly sophisticated communications and convincing fake job portals that are almost impossible to distinguish from the real thing."

The scheme begins with a cold email, often sent through legitimate services like Google AppSheet to bypass spam filters. "These messages look impeccable and professional, with no grammatical errors and a tone that mimics real recruitment communications. The contact lists are likely gathered through automated data mining from platforms like LinkedIn or originate from previous data breaches," NordVPN says.

The email link directs victims to a 'HUB' domain (such as careers.meta-findyourjob[.]com). These web pages incorporate an evasion mechanism. If someone, whether a security analyst or an automated scanner, visits the domain directly, they will only see a generic, inactive web page without any interactive functionality.

"The dangerous content is only activated when accessed via a specific referral link in the phishing email. This referral link acts as a key, granting access to a clickable 'Find a Job' button that would otherwise remain hidden," cybersecurity experts say.

Once the victim clicks on it, the button redirects them to an intermediary domain that mimics a legitimate job portal. The interface allows users to browse job postings that appear real on the impersonated brand, consolidating the feeling that they are participating in a genuine recruitment process.

When the victim clicks on 'Apply' or 'Submit Application', they trigger the trap, which takes them to a phishing page that asks asks them to log in via Facebook to continue the process. "This page is designed to steal the victim's Facebook credentials, giving hackers complete control over the account and potentially all services linked to it," NordVPN states.

Cybersecurity experts recommend protecting oneself by following these tips:

● Verify the URL before entering any credentials: Legitimate companies have their careers pages on their official domains, not on third-party sites. The same applies to requests to log in using social media. 'Log in with Facebook' buttons on real platforms will always redirect you to the official facebook.com domain. If the login page is hosted on an unfamiliar or suspicious-looking URL, it's likely a phishing attempt.

● Activate two-factor authentication (2FA) on all social media accounts: even if credentials are compromised, 2FA can prevent attackers from gaining access.

● Be wary of unsolicited job offers that arrive via email or messaging apps, especially if they pressure you to act quickly.