The attackers used the servers of Pôle Emploi, an employment agency of the French government, to trick users into divulging their credentials.
Discovered by researchers at threat detection firm Vade, the exploit allowed hackers to hide phishing links in legitimate documents sent from legitimate government servers.
The attack was carried out through Pôle Emploi, a legitimate service of the French government that helps unemployed people find vacancies. The way the system is designed allows attackers to choose their targets carefully.
The first stage of the attack begins when the targeted company posts a legitimate job advertisement on the Pôle Emploi website. The attacker then responds to the ad, attaching a PDF file that is presented as a resume and contains malicious links.
Acting as an intermediary between job seekers and potential employers, Pôle Emploi generates emails on behalf of unemployed people and sends them to companies that advertise.
Going for the win
Hackers added a message to the malicious PDF to make the scam even more convincing. The note explains that recruiters must open the PDF to access the resume.
The message also acknowledges that there is a link in the PDF file, but presents the URL as a security measure: according to the note, Pôle Emploi account settings need to be updated.
Following the link, victims are directed to a phishing site that resembles Pôle Emploi's and are lured into entering the credentials they use to access the system.
In fact, the accounts, not the recruiters themselves, are the hackers' prime target. According to Vade researchers, access to the work manager’s database is a gold mine for attackers because it contains data about individual users and organizations.
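Because the email itself comes from a legitimate server, sender reputation says nothing here; the link inside the attachment has to be inspected. The following sketch is an added example, not code from Vade or Pôle Emploi: it pulls link targets out of a PDF and flags any that use the agency's name on a host outside its domain. The trusted domain `pole-emploi.fr`, the function names and the sample PDF bytes are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("pole-emploi.fr",)  # assumption: the agency's real domain
BRAND = "poleemploi"                   # brand name with punctuation removed

# Matches literal-string /URI link actions only; PDFs that keep their
# annotations in compressed object streams need a real PDF parser.
URI_ACTION = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)

# Constructed sample: two link annotations as they appear in raw PDF objects.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://pole-emploi-compte.example/login) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://www.pole-emploi.fr/accueil) >> >> endobj\n"
)


def pdf_link_targets(pdf_bytes):
    """Return the URLs of /URI link actions found in raw PDF bytes."""
    return [m.decode("latin-1").replace("\\", "")
            for m in URI_ACTION.findall(pdf_bytes)]


def classify(url):
    """Return 'trusted', 'lookalike' or 'external' for one link target."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL: treat as having no trusted host
        host = ""
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # The brand appears somewhere in the URL, but the host is not the agency's.
    if BRAND in re.sub(r"[^a-z0-9]", "", url.lower()):
        return "lookalike"
    return "external"


def review_attachment(pdf_bytes):
    """Map every link in the attachment to its classification."""
    return {url: classify(url) for url in pdf_link_targets(pdf_bytes)}


if __name__ == "__main__":
    for url, verdict in review_attachment(SAMPLE_PDF).items():
        print(f"{verdict:10} {url}")
```

A mail gateway or triage script could quarantine relayed resumes whose PDF contains any `lookalike` link and route `external` ones for manual review.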