Cyber Risks When Job Hunters Become the Hunted

Job hunting has largely shifted to the digital realm. People look for job postings online and submit their resumes. Employers and recruiters learn about candidates online and solicit their information via various platforms. The convenience of this process in the professional world is undeniable, but like so many other legitimate online functions, online job search platforms have also become a target and a tool for malicious actors.  

Job search and talent acquisitions platforms are vast repositories of data, an ever-attractive resource for threat actors. And threat actors can assume the guise of legitimate users to exploit both job seekers and employers. Popular sites like LinkedIn and Indeed, as well as recruiting portals companies use internally, are targeted by cybercriminals.  

What are the risks associated with using these platforms, and what can individuals and enterprises do to protect themselves?  

Platform Vulnerabilities 

Job search platforms, like any other application, are vulnerable to web exploitation. Threat actors could seek to inject code via malicious links, allowing them to steal data or gain access to administrator accounts and move laterally throughout the system. Threat actors could also target these platforms with web scraping attacks.  

Related:Why Cyber Resilience May Be More Important Than Cybersecurity

Often job search and application tracking portals are cloud-based systems with a multitude of third-party dependencies. “A lot of these systems are SaaS-based applications. And there's a whole bunch of risk that's associated with SaaS that certainly can be mitigated, but you really want to ensure that those organizations, those third parties and even forth parties, are doing the right things when it comes to securing your data,” Stephen Boyce, director of the Magnet Digital Investigation Suite at digital investigation solutions company Magnet Forensics, tells InformationWeek.  

When a company uses a talent acquisition platform, for example, hosted by a third-party vendor, potential misconfigurations open the door to vulnerabilities that could be exploited.  

Boyce also points to the question of data encryption on these platforms. “What I've seen is that once it hits the active tracking system, it's a hodgepodge in terms of the encryption that they're doing it when it comes to … the data in transit, as well as [at] rest,” he shares.  

Valuable Data 

Job search and talent acquisition platforms gather mass amounts of data on job seekers. Much of that data is publicly available, so why is it valuable?  

Shawn Waldman, CEO and founder of cybersecurity company Secure Cyber Defense, gives LinkedIn as an example. “Everything on LinkedIn is all public knowledge, but the one thing about LinkedIn is people want the username and passwords that you've used because they want to see if you've reused them,” he says.  

Related:AI Enables New Cyber Threats. Are You Ready?

Those compromised credentials could give threat actors access to other accounts with sensitive information, such as banking details. Threat actors could also mine the data stored by these platforms to create more targeted spear phishing campaigns.  

Specific industries and companies could be the focus of threat actor activity on job search and talent acquisition platforms. “You have in, some instances, job postings where they're trying to attract people in sensitive jobs to apply,” says Shawn Loveland, COO of cybersecurity company Resecurity. “So, call it state or industrial espionage.” 

Threat Actor Deception  

One of the most common vulnerabilities in these types of platforms is user trust. Cybercriminals can masquerade as legitimate users on job search portals, pretending to be hiring companies. They might take over legitimate accounts or simply create fraudulent ones.  

In 2021, the FBI issued a warning detailing fake job and employment scams used by threat actors to trick job seekers into sharing their personal information and sending money. In 2023, cybersecurity company Palo Alto Networks released details of two campaigns targeting job seekers. The campaigns, “Contagious Interview” and “Wagemole”, are associated with state-sponsored threat actors from the Democratic People’s Republic of Korea (DPRK). Palo Alto Networks notes that the motivations could be financial and in service of espionage.  

Related:The Rise of Dual Ransomware Attacks

Golden Chickens malware-as-a-service campaigns, primarily leveraged to steal financial information, have also made use of fake job offers and fake resumes, according to eSentire, a managed detection and response (MDR) company.  

Another common scheme involves posing as a recruiter or hiring manager and promising to send a job seeker expensive equipment for a new position. All you need to do is pay a few hundred dollars for shipping. Of course, the job and equipment never materialize, but the money sent for shipping is gone.  

Fake jobs aren’t the only tool in the threat actor arsenal. “They [can] flip it around and … pose as a job seeker and then they try to get the hiring manager to then click on their resume and download some malware and infect them that way,” says Joe Stewart, principal security researcher at eSentire. Clicking on a malicious link can expose hiring companies to ransomware.  

Deception on job search platforms can also bleed into the physical world. “Job search portals [are] being used as part of the human trafficking supply chain,” Loveland explains. Criminals can post listings for fake jobs in different countries, promising to fly out new hires. But once the victims arrive, they will have their passports taken and be forced into human trafficking rings.  

Whatever end threat actors hope to achieve, artificial intelligence is going to help their means to become more sophisticated. “We tell users to look for things like common misspellings and bad grammar and poor punctuation and stuff like that. AI is making it to the point where you can't even tell … that it was AI-written,” says Waldman.  

Risk Reduction 

Using any online service, especially one that stores your data, comes with a certain level of risk. “There's not a lot that [job seekers] can do about the vulnerabilities [in] the portals themselves,” says Stewart.  

What they can do is recognize that there is risk and do their best to act accordingly. “We do need to market our self as applicants, but at the same token, I think … applicants should understand that there is a potential, and a pretty high potential, that the information that they're submitting to these organizations will be compromised or mishandled at some point,” says Boyce.  

Individuals applying for jobs online should consider what information they actually need to share. Does a resume need to include your home address and personal phone number?  

“They're going to want to set up maybe an email address and phone number specifically for job search because then the criminals are going to towards that versus their normal phone number and normal email address,” Loveland recommends.  

Taking a moment to consider how people typically interact on these platforms can help users recognize red flags. “I tell people the number one thing is to slow down … because a lot of the stuff is coming so fast, and people are so busy and wanting to do two and three times [the] work and they're multitasking, and they miss a lot of the cues,” says Waldman.  

Is it likely that someone is going to offer you your dream job without a rigorous interview process? Or is it typical that a would-be employer requests that you send them money?  

“Someone comes up to you and asks you to invest in their company or comes up to you and asks you some unusual request, you would probably reject that in-person, and it's really no different online,” Jeff Bollinger, director of incident response and threat detection at LinkedIn, tells InformationWeek.  

Slowing down to consider red flags, along with basic steps like enabling multi-factor authentication and using unique passwords, can go a long way to reducing an individual user’s risk.  

Hiring companies and recruiters can also reduce the risk of threat actors using these platforms to launch malicious campaigns. They need to recognize the value of the data they are collecting and protect it accordingly. Do recruiters know how to recognize phishing lures, for example, and understand how clicking on the wrong link could impact data and internal systems?  

Waldman emphasizes the importance of cybersecurity training. “We as a company have started augmenting a lot of our user awareness training for our customers with in-person training,” he shares. “So, I really think we [as] companies and individuals need to get back to the roots and really dig into the training.” 

Enterprise teams using recruiting platforms also need to recognize the third-party risk involved. “Whether it is an in-house team or external team, really consult with them on looking at all the various different attack surfaces, understanding if the vendor is doing things like signature and behavior scanning on all files that are uploaded,” Boyce recommends.  

Job search and talent acquisition platforms themselves also have a responsibility to protect their users. LinkedIn, for example, takes a multi-layered approach to discovering and halting threat actor activity, according to Bollinger.  

“We take multiple data sets or data points and features from activity that happens on the platform. From those features, we can figure out whether or not it appears to be legitimate activity or … whether it could be inauthentic, or it could be actual attacker on the platform,” he explains.  

AI modeling and machine learning help teams at LinkedIn home in on bad actors, but the platform also has a team of people who do content review and member support. They work to detect threat actor activity and act on reports of fake or malicious profiles from users. LinkedIn also launched a verification feature, which allows users to show one another that they are who they say they are.  

As with any attacker versus defender scenario, the race is on for platforms to keep up with the cyber threats. With GenAI powering increasingly convincing text and images, spotting malicious intent is getting harder for both users and platforms, a challenge not lost on LinkedIn. User education and more sophisticated detection methods are important elements of recognizing threats, such as deep fakes.  

While the threats are becoming more sophisticated, job hunters, as well as people looking to hire, can still reduce their risk by scrutinizing their interactions on these platforms. “Use your instincts … really try to validate [who] you're talking to,” says Bollinger. “Just be realistic about what you can expect to encounter on the platform.”