Operation Dream Job, a malicious group first seen in 2020, involves threat actors spoofing job hunting sites to lure people. It resurfaced in February 2022, this time exploiting a zero-day vulnerability in Google Chrome more than a month before the flaw was detected and a patch was made available.

The Google Threat Analysis Group (TAG) released more details about the threat, including some indicators of compromise (IoCs), such as disneycareers[.]net, find-dreamjob[.]com, indeedus[.]org, varietyjob[.]com, and ziprecruiters[.]org. Building on these IoCs, WhoisXML API researchers uncovered and analyzed more than 16,000 job-related domain names added since 1 January 2022, some of which may hint at new Operation Dream Job activities.

Among our findings are:

• 15,000+ domains containing generic job-related text strings, such as “career,” “find job,” “dream job,” and “recruit”
• 700+ domains using the names of popular job-hunting sites
• 55+ of the job-related domains have been flagged “malicious” by various malware detection engines

You may download a sample of the data related to possible Operation Dream Job domains from our website.

The Anatomy of the 16,000+ Job-Related Domains

The Operation Dream Job IoCs were all registered with Namecheap and used the privacy protection service Withheld for Privacy. Taking these into account, along with the nameservers used by four of the domain IoCs (dns1[.]registrar-servers[.]com and dns2[.]registrar-servers[.]com) and their registrant country (Iceland), we found 544 connected domains that could be part of the Operation Dream Job infrastructure.

We detailed how the domains in this study were distributed across registrars and registrant countries below.

Registrar Distribution

The domain registrars were widely dispersed, with about one-third of the domains registered under GoDaddy, while the rest were distributed across 418 registrars. The chart below shows the top 10 domain registrars.

Registrant Country Distribution

The registrant countries of the domains were also varied, spread across 105 unique countries. Leading the list is the U.S., followed by Canada, Iceland, and Japan.

Most of the domains used privacy redaction services so their registrant countries could pertain to where the providers are located. While this information can’t pinpoint the origin of the threat, it can give insights that will aid in the takedown of malicious properties.

Attribution to Legitimate Employment Websites

While most of the domains were generic job-hunting domains, hundreds seem to imitate some of the most visited employment websites, such as Glassdoor, Indeed, LinkedIn, and Zip Recruit. Out of the 710 look-alike domains, only five could be publicly attributed to legitimate companies.

The table below shows some examples of the domains we found for each spoofed website.

Malicious Domains Alert

Several domains have already been flagged as malicious. Below are some examples.

Don’t Get Too Excited about Job-Hunting Sites

We took a closer look at the domains that look like legitimate employment websites by running them on Screenshot API. While many were parked, some domains may be run by individuals or entities that offer career guidance.

However, several domains offered adult services and content, and quite a few hosted content very similar to the spoofed sites. Below are some examples.

Website screenshots of indeedjobsukuae[.]com and indeedsjob[.]com

Website screenshots of afghan-linkedin[.]com and habeshalinkedin[.]com

Website screenshots of googziprecruiter[.]com and zipperrecruiter[.]com

Previous Operation Dream Job attacks showed that the threat group used employment-related cyber properties. Tracking their malicious activities entails looking into the domains they can potentially use, which can be any of the 16,000+ web properties we uncovered in this study.

While the volume can be a lot to analyze and are possibly prone to false positives, there are ways to narrow down the list of potential threats. Examining WHOIS registration and DNS connections, consulting malware detection engines, and looking at the actual content of the domain are just a few threat analysis methods.

If you are a threat researcher or cybersecurity professional interested in the job-related domains presented in this study, please contact us to learn more about our cyber threat intelligence sources and possible research collaboration.