
Hackers Are Exploiting a French Government Website to Phish Employers

Antoine Morel

September 14, 2022


Vade threat analysts have recently detected a new type of phishing campaign exploiting legitimate servers of Pôle Emploi, a career website operated by the French government.

Here are the stages of the phishing attack:

  • A company, looking for applicants, publishes a legitimate job advertisement on Pôle Emploi’s website.
  • The hacker responds to this advertisement on Pôle Emploi’s website.
  • In the reply, the hacker attaches a PDF file of a resume, which is malicious because it contains a phishing URL.
  • Pôle Emploi generates an email to the recruiting company which includes the resume of the applicant (the phishing file).

The recruiting company—if not vigilant—opens the attachment thinking it is a resume and is faced with malicious links. If they click on the links, they are redirected to a malicious form where they will be asked for their Pôle Emploi account information.

An advanced technique exploiting legitimate infrastructure

This new technique is particularly effective because the generated email comes from legitimate Pôle Emploi servers, with a legitimate sender and a legitimate IP address.

[Figure: Pôle Emploi auto-response email]

Below is the message provided by the hacker in the Pôle Emploi auto-response email:


The hacker’s message states that the recipient (the recruiting company) needs to open the attachment to access an applicant’s resume. The hacker adds that the attachment contains URLs that the recipient must open in order to update Pôle Emploi’s recruiting account and secure it.

[Figure: Email attachment]

The attachment invites the user to click on the email:


The URL redirects the victim to a Google Docs page that impersonates Pôle Emploi’s credential service.

[Figure: Google Docs phishing form]

The victim is required to fill in their credentials and phone number. After filling in these forms, the user must enter a verification code.

[Figure: Authentication form]

And a second verification code on the next page:

[Figure: Google phishing form 2]

Finally, the user lands on another validation page.

[Figure: Google validation page]

The credentials and validation code for the targeted company’s Pôle Emploi recruiting account are sent to the hacker by email from Google Docs. With those credentials, the hacker can easily access the recruiting company’s Pôle Emploi portal.
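Because the notification email comes from legitimate servers, sender-based checks pass, and the link targets inside the PDF attachment are the remaining signal. The following is an added defensive example, not code from Vade or Pôle Emploi: it extracts link targets from a PDF, including those inside Flate-compressed streams, and buckets them by host. The allowlisted suffix, the function names and the sample PDF bytes are assumptions constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

# Assumption: domain suffixes a job-board notification may legitimately link to.
EXPECTED_SUFFIXES = ("pole-emploi.fr",)
# Hosted-form service named on the page as the credential-collection host.
FORM_HOSTS = ("docs.google.com",)

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)

def pdf_link_targets(pdf: bytes) -> list[str]:
    """Collect /URI action targets from raw objects and Flate-compressed streams."""
    bodies = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # another filter or encryption; needs a full PDF parser
    targets = []
    for body in bodies:
        for m in URI_RE.finditer(body):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1), flags=re.S)  # undo \( \) \\
            targets.append(raw.decode("latin-1"))
    return targets

def classify(url: str) -> str:
    host = (urlsplit(url).hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES):
        return "expected"
    return "hosted-form" if host in FORM_HOSTS else "external"

def triage_attachment(pdf: bytes) -> dict[str, list[str]]:
    """Bucket every link in the attachment; anything not 'expected' needs review."""
    buckets = {"expected": [], "hosted-form": [], "external": []}
    for url in pdf_link_targets(pdf):
        buckets[classify(url)].append(url)
    return buckets

# Constructed sample (not from the campaign): one plain link, one in a Flate stream.
_HIDDEN = b"<< /Subtype /Link /A << /S /URI /URI (https://docs.google.com/forms/d/e/EXAMPLE/viewform) >> >>"
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Subtype /Link /A << /S /URI "
    b"/URI (https://www.pole-emploi.fr/accueil/) >> >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_HIDDEN) + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for bucket, urls in triage_attachment(SAMPLE_PDF).items():
        print(bucket, urls)
```

A resume whose links land in the hosted-form bucket is a candidate for quarantine or manual review; links stored in object streams or encrypted PDFs are outside what this byte-level scan can see.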

Goals of the Pôle Emploi phishing attack

Most phishing attacks are designed to steal account credentials, and in this case, the damage could be significant. The Pôle Emploi portal likely contains the personal information of companies and job candidates. With this information, hackers can access sensitive company information and steal personal data, which they can later sell to other hackers. They could also use the stolen data to launch additional attacks on users, including phishing and business email compromise attacks.
