The evolution of phishing: From fake invoices to job interview invitations

Izabela Myszkowska

The job market has become a new hunting ground for cybercriminals. Instead of classic malware, they are reaching for a more sophisticated weapon: the tools that IT departments use on a daily basis for remote support. Legitimate and trusted applications thus become an attack vector, targeting the most susceptible – people actively seeking a new career path.

Modern recruitment scams have abandoned primitive methods in favour of sophisticated social engineering. Recent analysis by Proofpoint shows a growing and worrying trend. Attackers are impersonating recruiters and HR professionals from high-profile companies, creating plausible scenarios designed to lull victims’ alertness. This process is part of wider phishing campaigns that use trust as the main currency.

Anatomy of an attack: how legitimate software becomes a weapon

The modus operandi is deceptively simple but extremely effective. The potential victim receives an email or is contacted by a supposed recruiter via platforms such as LinkedIn. The communication looks professional – often based on copied, authentic job advertisements. After an initial exchange, the candidate receives an invitation to an online interview.

It is here that the key moment of the attack occurs. Instead of a link to popular videoconferencing platforms such as Zoom, Microsoft Teams or Google Meet, the victim is prompted to download and install a small piece of software supposedly necessary to conduct the call. In reality, it is a legitimate remote management and monitoring (RMM) tool such as SimpleHelp, ScreenConnect (now ConnectWise ScreenConnect) or Atera.


These applications, used on a daily basis by IT administrators to diagnose problems or install software on company computers, give almost complete control over the system. In the hands of criminals, they become a gateway to take over the desktop, steal data, monitor activity and, ultimately, gain access to bank accounts and other confidential information.

The problem of undetectability

The main advantage of this method is its apparent legitimacy. RMM tools are digitally signed, commercial products. Traditional anti-virus software often does not classify them as a threat, because technically they are not: they work exactly as intended, and it is only the purpose they are put to that is criminal.

Proofpoint warns that this tactic is becoming the preferred method for cybercriminals to gain initial access to a victim’s system. It replaces classic Trojans and keyloggers because it is more difficult to detect and does not arouse immediate suspicion. The attack can remain hidden for a long time while the criminals methodically explore the resources of the infected computer.

Scale and sophistication of operations

These attacks do not happen by chance. Criminals prepare their campaigns carefully. In order to acquire the email addresses of potential victims, they publish fake advertisements on job portals, use data from previous leaks or even take control of compromised company accounts and profiles on LinkedIn.

In one case, attackers, using a hijacked LinkedIn account, made contact with candidates and then directed them to further correspondence from a fake, albeit credible-looking, email address. Such activity blurs boundaries and builds a false sense of security. The victim is led to believe that they are participating in a legitimate recruitment process with a real company.

This problem is part of a wider trend of abuse of legitimate remote access software (RAS) that other cyber security companies are also seeing. Attackers are impersonating not only companies, but also government offices, banks or event organisers to maximise their chances of making the message credible.

How to protect yourself? Steps for jobseekers

With the rising tide of such attacks, jobseekers need to be more vigilant. It is crucial to adopt a zero-trust approach to unexpected offers.

  1. Source verification: When receiving a message from a recruiter, verify it through an independent channel. Instead of replying directly, it is advisable to go to the company’s official website, find the ‘Careers’ tab or contact details and make sure that such a recruitment is actually taking place. Never rely solely on the details in the message you receive.
  2. Email address analysis: Check the sender’s e-mail address carefully. Often scammers use domains that at first glance resemble the real one (e.g. `kariera@firma-it.co` instead of `kariera@firma-it.com`).
  3. Red flag – software installation: the most important rule of thumb is that no reputable company requires the installation of custom software to conduct an initial interview. The market standard is established platforms (Teams, Zoom, Meet), which typically run in the browser and do not require administrator privileges. A request to install an RMM tool should be a wake-up call to break contact immediately.
  4. Caution with links and attachments: Before clicking on any link, it is a good idea to hover over it to see its full destination address. Any shortened URLs and requests to download executable files (.exe) or archives (.zip) should raise suspicion.
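The four checks above can be partly automated. The following Python script is an added example (not from the article, and not Proofpoint’s tooling) that scores a recruitment e-mail against them: it flags a sender domain that imitates a domain the candidate has already verified through the company’s official website, shortened URLs, links to executables or archives, mentions of the RMM tools the article names, and a request to install software for the call. The trusted-domain list, the shortener list, the hostnames and the sample message are all constructed for the illustration.

```python
import re
from email import message_from_string
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Assumption: domains the candidate has verified through the company's official website.
TRUSTED_DOMAINS: Set[str] = {"firma-it.com"}
# Constructed sample list of URL shorteners that hide the real destination.
SHORTENERS: Set[str] = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# RMM tools named in the article; a recruiter should never ask for these.
RMM_KEYWORDS = ("simplehelp", "screenconnect", "connectwise", "atera")
# File types the article flags as suspicious in a download link.
RISKY_EXTENSIONS = (".exe", ".msi", ".zip")

Finding = Tuple[str, str]  # (category, detail)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    if domain in trusted:
        return None
    d_label, _, d_tld = domain.rpartition(".")
    for t in trusted:
        t_label, _, t_tld = t.rpartition(".")
        # Same name, different suffix: firma-it.co vs firma-it.com
        if d_label == t_label and d_tld != t_tld:
            return t
        # A couple of characters swapped, dropped or added.
        if levenshtein(domain, t) <= 2:
            return t
    return None


def extract_urls(text: str) -> List[str]:
    return re.findall(r"https?://[^\s<>\"')]+", text)


def assess_message(raw: str) -> List[Finding]:
    """Run the article's checks over a single-part plain-text e-mail."""
    msg = message_from_string(raw)
    findings: List[Finding] = []

    # Check 2: sender domain analysis.
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = match.group(1).lower() if match else ""
    if sender_domain:
        imitated = lookalike_of(sender_domain, TRUSTED_DOMAINS)
        if imitated:
            findings.append(("lookalike_sender", f"{sender_domain} resembles {imitated}"))
        elif sender_domain not in TRUSTED_DOMAINS:
            findings.append(("unverified_sender", sender_domain))

    body = msg.get_payload() if not msg.is_multipart() else ""
    lower = body.lower()

    # Check 4: where do the links really go, and what do they download?
    for url in extract_urls(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host in SHORTENERS:
            findings.append(("shortened_url", url))
        if parsed.path.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("download_link", url))

    # Check 3: any mention of an RMM product, or a request to install something for the call.
    for keyword in RMM_KEYWORDS:
        if keyword in lower:
            findings.append(("rmm_tool", keyword))
    if re.search(r"\b(install|download)\b", lower) and re.search(r"\b(interview|call)\b", lower):
        findings.append(("install_request", "asks to install or download software for the interview"))

    return findings


# Constructed sample: a lookalike sender, a shortened link and a direct link to an RMM installer.
SAMPLE_EMAIL = """\
From: HR Team <kariera@firma-it.co>
To: candidate@example.net
Subject: Interview invitation

Hello,
Thank you for your application. To join the interview, please download and install
our meeting client from https://bit.ly/meet-client before the call.
Direct link: https://cdn.example-downloads.net/ScreenConnect.Client.exe
"""

# Constructed sample of a message that passes every check.
CLEAN_EMAIL = """\
From: HR Team <kariera@firma-it.com>
To: candidate@example.net
Subject: Interview invitation

Hello,
Your interview is scheduled for Monday. Join in your browser at https://meet.example.com/join/abc123
"""

if __name__ == "__main__":
    for category, detail in assess_message(SAMPLE_EMAIL):
        print(f"[{category}] {detail}")
```

Each finding is a category plus the offending value, so a mail client plug-in or a mailbox rule can decide per category whether to warn or quarantine; the suffix-swap and edit-distance checks in `lookalike_of` deliberately only compare against domains the candidate has verified independently, which is the first step in the list above.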

The evolution of cyber threats shows that the human being remains the weakest link. In a stressful and hopeful situation such as a job search, it is easy to lose vigilance. That is why awareness of criminals’ new methods and healthy scepticism are the most effective line of defence today. After all, one hasty click can ruin not only the chance of a new job, but also digital security.
