Vade threat analysts have recently detected a new type of phishing campaign exploiting legitimate servers of Pôle Emploi, a career website operated by the French government.
Here are the stages of the phishing attack:
- A company, looking for applicants, publishes a legitimate job advertisement on Pôle Emploi’s website.
- The hacker responds to this advertisement on Pôle Emploi’s website.
- In the reply, the hacker attaches a PDF file of a resume, which is malicious because it contains a phishing URL.
- Pôle Emploi generates an email to the recruiting company which includes the resume of the applicant (the phishing file).
The recruiting company—if not vigilant—opens the attachment thinking it is a resume and is faced with malicious links. If they click on the links, they are redirected to a malicious form where they will be asked for their Pôle Emploi account information.
An advanced technique exploiting legitimate infrastructure
This new technique is particularly effective because the generated email comes from legitimate Pôle Emploi servers, with a legitimate sender and a legitimate IP address.
Pôle Emploi auto-response email
Below is the message provided by the hacker in the Pôle Emploi auto-response email:
The hacker’s message states that the recipient (the recruiting company) needs to open the attachment to access an applicant’s resume. The hacker adds that the attachment contains URLs that the recipient must open in order to update Pôle Emploi’s recruiting account and secure it.
The attachment invites the user to click on the email:
The URL redirects the victim to Google Docs, impersonating Pôle Emploi’s credential service.
Google Docs phishing form
The victim is required to fill in their credentials and phone number. After filling in these forms, the user must enter a verification code.
And a second verification code on the next page:
Google phishing form 2
Finally, the user lands on another validation page.
Google validation page
The credentials and the validation code for the targeted company's Pôle Emploi recruiting account are sent to the hacker via email from Google Docs. With those credentials, the hacker can easily access the Pôle Emploi portal of the recruiting company.
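Because the sender, servers and IP address are all legitimate in this campaign, a gateway has to inspect the attachment itself. The following check is an added example, not part of the original article: it extracts link targets from a resume PDF and flags those that open a hosted form instead of the job platform. The host list, the `jobboard.example` domain and the sample PDF bytes are constructed assumptions, and only uncompressed literal-string `/URI` actions are parsed.

```python
import re
from urllib.parse import urlsplit

# Assumption: generic services that host user-built forms; extend for your environment.
FORM_HOSTS = {"docs.google.com", "forms.gle"}
# Matches /URI (literal string) actions, allowing backslash-escaped characters.
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_link_uris(pdf_bytes):
    """Return link targets from uncompressed /URI actions in a PDF."""
    uris = []
    for match in URI_ACTION.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", match.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    return uris

def triage_resume(pdf_bytes, platform_domains):
    """Label each link in a platform-relayed resume: platform, hosted-form or external."""
    findings = []
    for uri in extract_link_uris(pdf_bytes):
        try:
            host = (urlsplit(uri).hostname or "").lower()
        except ValueError:  # malformed authority, e.g. broken IPv6 brackets
            host = ""
        if host in FORM_HOSTS:
            verdict = "hosted-form"  # credential prompt on a document service
        elif any(host == d or host.endswith("." + d) for d in platform_domains):
            verdict = "platform"
        else:
            verdict = "external"
        findings.append((uri, verdict))
    return findings

def needs_review(pdf_bytes, platform_domains):
    """Hold the message when any resume link opens a hosted form."""
    return any(v == "hosted-form" for _, v in triage_resume(pdf_bytes, platform_domains))

# Constructed sample: two link annotations as they appear in an uncompressed PDF body.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [50 700 300 720]\n"
    b"  /A << /S /URI /URI (https://docs.google.com/forms/d/e/CONSTRUCTED_ID/viewform) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [50 660 300 680]\n"
    b"  /A << /S /URI /URI (https://www.jobboard.example/help\\(faq\\)) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for uri, verdict in triage_resume(SAMPLE_PDF, {"jobboard.example"}):
        print(f"{verdict:12} {uri}")
```

PDFs that store link annotations in compressed object streams need to be decompressed by a PDF library before this scan will see their links.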
Goals of the Pôle Emploi phishing attack
Most phishing attacks are designed to steal account credentials, and in this case, the damage could be significant. The Pôle Emploi portal likely contains the personal information of companies and job candidates. With this information, hackers can access sensitive company information and steal personal data, which they can later sell to other hackers. They could also launch additional attacks on users with the data stolen, including phishing and business email compromise attacks.