
Operation Dream Job: Same Tactics, New Vulnerability and Domains?

Operation Dream Job is a malicious campaign first seen in 2020 in which threat actors spoof job-hunting sites to lure targets. It resurfaced in early 2022; Google reported that the campaign had been exploiting a zero-day vulnerability in Google Chrome (CVE-2022-0609) for more than a month before the flaw was detected and a patch was made available in February 2022.

The Google Threat Analysis Group (TAG) released more details about the threat, including some indicators of compromise (IoCs), such as disneycareers[.]net, find-dreamjob[.]com, indeedus[.]org, varietyjob[.]com, and ziprecruiters[.]org. Building on these IoCs, WhoisXML API researchers uncovered and analyzed more than 16,000 job-related domain names added since 1 January 2022, some of which may hint at new Operation Dream Job activities.

Among our findings are:

  • 15,000+ domains containing generic job-related text strings, such as “career,” “find job,” “dream job,” and “recruit”
  • 700+ domains using the names of popular job-hunting sites
  • 55+ of the job-related domains have been flagged “malicious” by various malware detection engines

You may download a sample of the data related to possible Operation Dream Job domains from our website.

The Anatomy of the 16,000+ Job-Related Domains

The Operation Dream Job IoCs were all registered with Namecheap and used the privacy protection service Withheld for Privacy. Taking these into account, along with the nameservers used by four of the domain IoCs (dns1[.]registrar-servers[.]com and dns2[.]registrar-servers[.]com) and their registrant country (Iceland), we found 544 connected domains that could be part of the Operation Dream Job infrastructure.
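The pivot described above (seed IoCs, then the registrar, privacy service, nameservers and registrant country they share, then every other domain carrying the same attributes) can be reproduced over parsed WHOIS records. The Python below is an added example and not code from the article or from WhoisXML API. The five seed names are TAG's published IoCs, but every other field value in the sample records is constructed for the demo, and the "-example" candidate domains are hypothetical, not real findings.

```python
"""Pivot from published IoCs to connected domains via shared WHOIS attributes."""
from collections import Counter
from datetime import date

PIVOT_FIELDS = ("registrar", "registrant_org", "registrant_country", "nameservers")
JOB_TERMS = ("career", "job", "recruit", "hire", "hiring", "employ")
NC_NS = ["dns1.registrar-servers.com", "dns2.registrar-servers.com"]  # Namecheap defaults


def rec(domain, created, registrar, org, country, ns, seed=False):
    """Build one WHOIS-style record in the shape a parsed lookup would return."""
    return {"domain": domain, "created": created, "registrar": registrar,
            "registrant_org": org, "registrant_country": country,
            "nameservers": ns, "seed": seed}


NC = ("NameCheap, Inc.", "Withheld for Privacy ehf", "IS")
GD = ("GoDaddy.com, LLC", "Domains By Proxy, LLC", "US")

# Constructed sample. Seeds carry TAG's IoC names; all other values are made up,
# and one seed is deliberately put on other nameservers (4 of 5, as in the article).
RECORDS = [
    rec("disneycareers[.]net", "2022-01-10", *NC, NC_NS, seed=True),
    rec("find-dreamjob[.]com", "2022-01-12", *NC, NC_NS, seed=True),
    rec("indeedus[.]org", "2022-01-18", *NC, NC_NS, seed=True),
    rec("varietyjob[.]com", "2022-01-21", *NC, NC_NS, seed=True),
    rec("ziprecruiters[.]org", "2022-01-25", *NC, ["ns1.otherhost-example.net"], seed=True),
    # Hypothetical candidates
    rec("careers-portal-example[.]net", "2022-02-03", *NC, NC_NS),        # full match
    rec("shopdeals-example[.]com", "2022-02-05", *NC, NC_NS),             # full match, not job-themed
    rec("jobs-example[.]net", "2022-02-12", *NC, ["ns1.hostexample.net"]),  # 3 of 4 attributes
    rec("dreamjob-hiring-example[.]org", "2022-01-20", *GD, ["ns01.domaincontrol.com"]),  # 0 of 4
    rec("talent-recruit-example[.]com", "2021-11-20", *NC, NC_NS),        # created before cutoff
]


def refang(domain):
    """Turn the bracketed IoC form (example[.]com) back into a hostname."""
    return domain.replace("[.]", ".").lower()


def is_job_themed(domain):
    return any(term in refang(domain) for term in JOB_TERMS)


def normalise(record):
    """Lower-case each pivot field; nameservers become an order-independent set."""
    out = {}
    for f in PIVOT_FIELDS:
        v = record[f]
        out[f] = (frozenset(n.lower().rstrip(".") for n in v) if f == "nameservers"
                  else v.strip().lower())
    return out


def fingerprint(seeds, min_share=0.8):
    """Keep a field only when a single value covers at least `min_share` of the seeds."""
    norm = [normalise(s) for s in seeds]
    fp = {}
    for f in PIVOT_FIELDS:
        value, count = Counter(n[f] for n in norm).most_common(1)[0]
        if count / len(norm) >= min_share:
            fp[f] = value
    return fp


def match_score(record, fp):
    """Number of fingerprint attributes the record shares."""
    n = normalise(record)
    return sum(1 for f, v in fp.items() if n[f] == v)


def pivot(records, fp, since=date(2022, 1, 1)):
    """Score every non-seed, job-themed domain created on/after `since`, best first."""
    hits = [(r["domain"], match_score(r, fp)) for r in records
            if not r["seed"] and date.fromisoformat(r["created"]) >= since
            and is_job_themed(r["domain"])]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def connected(records, fp, since=date(2022, 1, 1)):
    """Domains sharing every fingerprint attribute: 'connected' in the article's sense."""
    return [d for d, s in pivot(records, fp, since) if s == len(fp)]


if __name__ == "__main__":
    fp = fingerprint([r for r in RECORDS if r["seed"]])
    for domain, score in pivot(RECORDS, fp):
        print(f"{score}/{len(fp)}  {domain}")
```

The fingerprint keeps an attribute when most seeds agree on it, so the nameservers survive even though only four of the five IoCs used them. Bear in mind that Withheld for Privacy, the Iceland registrant country and the registrar-servers.com nameservers are what every Namecheap registration gets by default, so the full fingerprint describes a large share of all Namecheap domains rather than this campaign alone; the job-keyword filter and the creation-date cutoff do most of the narrowing, and anything that survives still needs the reputation and content checks the article describes.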

The distribution of the domains in this study across registrars and registrant countries is detailed below.

Registrar Distribution

Registrars were widely dispersed: about one-third of the domains were registered through GoDaddy, and the rest were spread across 418 other registrars. The chart below shows the top 10 domain registrars.

Registrant Country Distribution

The registrant countries of the domains were also varied, spread across 105 unique countries. Leading the list is the U.S., followed by Canada, Iceland, and Japan.

Most of the domains used privacy redaction services, so their registrant countries may reflect where the privacy providers are located rather than where the registrants are (Withheld for Privacy, for instance, is based in Iceland, which accounts for Iceland's high rank above). While this information can't pinpoint the origin of the threat, it can still aid in the takedown of malicious properties.

Attribution to Legitimate Employment Websites

While most of the domains were generic job-hunting domains, hundreds seem to imitate some of the most visited employment websites, such as Glassdoor, Indeed, LinkedIn, and ZipRecruiter. Out of the 710 look-alike domains, only five could be publicly attributed to legitimate companies.

The table below shows some examples of the domains we found for each spoofed website.

Job-Hunting Website               | Examples of Possible Cybersquatting Domains
Glassdoor (glassdoor[.]com)       | financemanagerglassdoor[.]com, glassdoor[.]com[.]pl, glassdooruk[.]com
Indeed (indeed[.]com)             | indeed-bio[.]com, indeeduae[.]com, indeedjobs[.]online
LinkedIn (linkedin[.]com)         | secretlinkedin[.]ca, linkedin2[.]tech, linkedini[.]com
ZipRecruiter (ziprecruiter[.]com) | ziprecruiters[.]org, ziprecruiter[.]vegas, zipperrecruiter[.]com
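The imitation patterns in the table fall into a few mechanical classes: the brand embedded in a longer label (financemanagerglassdoor), the brand as the whole registrable label under another suffix (glassdoor[.]com[.]pl), a one-character typo of the brand, and a compound brand split by padding (zipperrecruiter). The Python below classifies a candidate by those rules. It is an added example, not code from the article or from WhoisXML API: the suffix set is a small constructed stand-in for the Public Suffix List, the four brands and the legitimate-zone allowlist are assumptions chosen to match the table, and glasdoor-jobs[.]net is a hypothetical input used to exercise the typo rule.

```python
"""Classify job-site look-alike domains by the way they imitate a brand."""

# Constructed stand-in for the Public Suffix List (hypothetical subset).
SUFFIXES = {"co.uk", "com.pl", "com", "net", "org", "co", "ca", "tech",
            "online", "vegas", "pl", "uk"}

# Assumed brand list. Tokens are the pieces an attacker keeps when padding a compound name.
BRANDS = {
    "glassdoor": ("glass", "door"),
    "indeed": ("indeed",),
    "linkedin": ("linked", "in"),
    "ziprecruiter": ("zip", "recruiter"),
}
# Hosts under the brands' own zones are not look-alikes (assumed allowlist).
LEGITIMATE = {"glassdoor.com", "indeed.com", "linkedin.com", "ziprecruiter.com"}


def refang(domain):
    """Turn the bracketed IoC form (example[.]com) back into a hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def registrable_label(host):
    """Label directly under the longest matching suffix, e.g. 'glassdoor' for glassdoor.com.pl."""
    labels = host.split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return labels[-n - 1]
    return labels[-2] if len(labels) > 1 else labels[0]   # unknown suffix: assume one label


def fuzzy_substring(pattern, text):
    """Minimum edit distance between `pattern` and any substring of `text`
    (Sellers' algorithm: the match may start and end anywhere in the text)."""
    prev = [0] * (len(text) + 1)                 # row 0: starting anywhere is free
    for i, pc in enumerate(pattern, 1):
        cur = [i]                                # pattern prefix against empty text
        for j, tc in enumerate(text, 1):
            cur.append(min(prev[j] + 1,          # drop a pattern character
                           cur[j - 1] + 1,       # absorb an extra text character
                           prev[j - 1] + (pc != tc)))
        prev = cur
    return min(prev)                             # ending anywhere is free


def tokens_in_order(label, tokens):
    """True when every token occurs in the label, in order, with arbitrary padding."""
    pos = 0
    for t in tokens:
        idx = label.find(t, pos)
        if idx < 0:
            return False
        pos = idx + len(t)
    return True


def classify(domain):
    """Return [(brand, rule), ...] for each brand the domain imitates; [] if none."""
    host = refang(domain)
    if any(host == z or host.endswith("." + z) for z in LEGITIMATE):
        return []
    label = registrable_label(host)
    hits = []
    for brand, tokens in BRANDS.items():
        if label == brand:
            hits.append((brand, "brand-as-label"))
        elif brand in label:
            hits.append((brand, "embedded"))
        elif len(brand) >= 6 and fuzzy_substring(brand, label) <= 1:
            hits.append((brand, "typo"))
        elif len(tokens) > 1 and tokens_in_order(label, tokens):
            hits.append((brand, "split"))
    return hits


if __name__ == "__main__":
    for d in ("financemanagerglassdoor[.]com", "glassdoor[.]com[.]pl", "zipperrecruiter[.]com",
              "glasdoor-jobs[.]net", "linkedini[.]com", "careercruising[.]co", "jobs[.]indeed[.]com"):
        print(d, classify(d))
```

Stripping the suffix first is what lets glassdoor[.]com[.]pl be reported as the brand itself under a foreign suffix rather than as a harmless subdomain, and the allowlist keeps hosts in the real brand zones (jobs[.]indeed[.]com) out of the results. The split rule is deliberately loose and, as the article warns, will produce false positives; treat its output as a triage signal to be confirmed with the WHOIS, DNS, reputation and content checks discussed below.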

Malicious Domains Alert

Several domains have already been flagged as malicious. Below are some examples.

meridianbioscience[.]careers
careercruising[.]co
ewcareer[.]co[.]uk
tnet-chibacareer[.]com
portfoliocareerplus[.]com
masterrecruitment[.]live
pinchhitterjapanrecruit[.]com
theboutiquerecruiter[.]com
recruiting-hamburg[.]com
moderators-recruitment[.]com
careers-stevemadden[.]com
careersatvalentic[.]com
lmcocareer[.]org
stoodcareer[.]com
goprocareer[.]com

Don’t Get Too Excited about Job-Hunting Sites

We took a closer look at the domains that resemble legitimate employment websites by running them through Screenshot API. While many were parked, some appear to be run by individuals or entities that offer career guidance.

However, several domains offered adult services and content, and quite a few hosted content very similar to the spoofed sites. Below are some examples.

Website screenshots of indeedjobsukuae[.]com and indeedsjob[.]com

Website screenshots of afghan-linkedin[.]com and habeshalinkedin[.]com

Website screenshots of googziprecruiter[.]com and zipperrecruiter[.]com

Previous Operation Dream Job attacks showed that the threat actors relied on employment-themed domains. Tracking the campaign therefore means watching the domains it could use next, which could include any of the 16,000+ web properties uncovered in this study.

While that volume is a lot to analyze and is prone to false positives, there are ways to narrow the list of potential threats: examining WHOIS registration details and DNS connections, consulting malware detection engines, and reviewing the content actually hosted on each domain are just a few.

If you are a threat researcher or cybersecurity professional interested in the job-related domains presented in this study, please contact us to learn more about our cyber threat intelligence sources and possible research collaboration.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
