Meta recruitment themed credential phishing

meta_phishing.md

Summary

• Phishing campaign target Facebook accounts, as well as Threads and WhatsApp
• Emails sent using a recruitment platform called recruitee.com
• Landing pages are hosted with Cloudflare and target Facebook login credentials
• The websites are built with Socket.io

Example phishing email and sender

• application[@]realitylabshiring.recruitee.com
• realitylabshiring[.]recruitee[.]com

Example Meta-themed phishing page

• recruit[.]realitylabshiring[.]com
• https://urlscan.io/search/#page.domain%3Arecruit.realitylabshiring.com

Pivoting on Page Attributes

• maximescommands[.]com
• https://urlscan.io/search/#domain%3Amaximescommands.com
• https://urlscan.io/result/01960039-67aa-73b7-b920-c67975c0e769/

Additional Domains in the Campaign

recruit.msgconnecthire.com
recruit.metaquestoccupation.com

recruit.oculusachieve.com
recruit.oculusnetworking.com
recruit.oculusproposal.com

recruit.threadsforopportunities.com
recruit.startthroughthreads.com
recruit.threadsportal.com
recruit.threadsjobsnet.com

recruit.realitylabsappoint.com
recruit.realitylabshiring.com

recruit.metacareers-projobs.com
recruit.metacareers-hr.com
hr.metacareersenroll.com

recruit.schedulewhatsapp.com
recruit.whatsappteam.com

Pivot Points via URLscan:

• https://urlscan.io/search/#domain%3A"scontent.oculuscdn.com"
• https://urlscan.io/search/#hash%3Ab63ddeaf7b765c803c4c92ab24a1d353baebe5044cbbf364733045f024c73e51
• https://urlscan.io/search/#hash%3Ab55c3ec44785f370bc6c42cd5765ffa68038649d97cf9aab294e0acd8d869cb2
• https://urlscan.io/search/#hash%3A457d1f5bb2a51ed5162e0540d8f98988ba3cdb954c9a2b91eaea76169e193576

Similar Phishing Page for Threads

• recruit[.]threadsforopportunities[.]com
• https://urlscan.io/result/f45f2695-807e-4b79-b11d-b114666aa7ff/

Sites made with Socket.io

• https://github.com/socketio/socket.io
• https://urlscan.io/search/#hash%3Aa5fad4a24b1687516ae91a3e534859d7fbe4b9b700d27be6f275ee626a515568

OSINT

• Discussions on Reddit about this campaign
• https://www.reddit.com/r/Scams/comments/1h5upo6/is_this_a_meta_recruiting_scam/

Other Recruitee Phishing Sender Domains

• From Reddit, it was possible to discover more email sender addresses Redditors received these scam emails from:

recruitingcenteratthreads.recruitee.com 
threadsrecruiting.recruitee.com
oculusmetaquest.recruitee.com
realitylabstalenthub.recruitee.com

VT Collection of the IOCs: https://www.virustotal.com/gui/collection/fc90b35cfdf4abc293f9952572e2f2acc96af580a0c9029aecc1dc2aa5646741/iocs