The recruitment scam is a long-established style of attack, often involving the use of web content impersonating a trusted brand and targeting job-seekers with the aim of collecting personal credentials, soliciting advance-fees or recruiting money mules.
One recently reported case[1,2] concerned a successful UDRP dispute against one such scam domain, which impersonated the Italian retail brand Esselunga using a second-level name exactly matching the targeted brand, under a new-gTLD extension (.cyou) (Figure 1).
Figure 1: Cached view of the fake site at esselunga[.]cyou (courtesy of archive.org[3]) (top) and the official site at esselunga[.]it (bottom)
The use of a new-gTLD extension is noteworthy, as many of these extensions have been extensively reported as being disproportionately associated with high rates of infringements and abuse. This popularity with bad actors arises for a range of reasons, including registration cost, requirements, and permitted use-cases, the existence and nature of IP protection programmes, and the ease of enforcement[4,5,6,7]. Other recent studies have reached similar conclusions, including reports highlighting the use of extensions such as .shop, .top, .xyz[8], .buzz[9], .zip, .mov and .sbs[10]. Additionally, through the use of a domain name featuring an exact match to the name of the targeted brand, this case highlights the importance of proactive brand protection, including (potentially) the use of domain registration blocking mechanisms and defensive registrations.
In this study, I consider the prevalence of domain names containing explicit keywords ('job', 'recruit', 'apply' or 'applica*' (for 'application', 'applicant', etc.)) likely to be associated with recruitment-related content, across the largest new-gTLDs. 'Largest' here means those where the raw zone data-files are larger than 15 Mb in size; this covers 55 extensions in total, including several which may be particularly amenable to recruitment scams, such as .agency, .click, .digital, .group, .link, .network, .online, .page, .pro, .website, .work and .world.
In total, there are over 221,000 such domains, potentially encompassing a range of both legitimate and non-legitimate content. Looking firstly at the subset which also contain the name of any of the top ten global brands[11] yields a dataset of 111 candidate domains which may be associated with recruitment scams targeting any of these brands, of which no more than a handful appear to be under the control of the official brand owner in question. 56 of these have active MX (mail exchange) records, indicating that they have been configured to be able to send and receive e-mails and, even in the absence of any active website, could potentially be in active use for scam activity.
As of the date of analysis, four were found to resolve to live websites of potential concern (Figure 2).
Figure 2: Examples of live websites which could potentially be associated with recruitment scam activity targeting any of the top ten global brands (domain names: amazonjob[.]vip; amazonremotejobs[.]live; amazonjobs[.]live; applejobs[.]online)
Returning to the full wider dataset, the analysis shows that there are five extensions (.bond, .today, .click, .online and .xyz) which each have over 10,000 recruitment-related domain names registered. The domains are dominated by examples containing the keyword 'job' (207,109 out of the total of 221,297) (Figure 3).
Figure 3: Numbers of recruitment-related domains by new-gTLD and by keyword
Amongst the other obvious patterns within the dataset is a prevalence of domains featuring hyphen-separated keywords and apparently-random numerical strings, which may indicate large numbers of automated registrations, each used for a short period of time, as part of large coordinated campaigns. Within the dataset, 164,784 domains (out of 221,297) feature at least one hyphen, with 67,533 featuring three hyphens or more (up to a maximum of 11). 137,015 of the domains include at least one numerical digit, with a peak in numbers occurring for domains containing five digits (74,223 instances) (Figure 4).
Figure 4: Numbers of recruitment-related domains with names containing specified numbers of numerical digits
The set of domains containing five digits is dominated by the .bond extension (69,444 examples), with the bulk of these also containing two (51,427) or three (17,486) hyphens. Within this subset, several groups which appear very likely to be batches of associated registrations were identified, including numerous examples of the form [industry]-jobs-XXXXX[.]bond, job-interviews-XXXXX[.]bond, job-offer-XXXXX[.]bond and job-placement-XXXXX[.]bond. In total, there are (for example) 7,929 distinct registered domains with names of the (potentially highly relevant) form job-offer-XXXXX[.]bond. Based on inspection of a sample of these, the majority appear to resolve just to parking pages featuring pay-per-click links, but the patterns are highly suggestive of large-scale scam activity, with the associated domains being monetised through affiliate revenue in the period prior to (or after) 'weaponisation' for active use. The name format is also extremely similar to that known to have been used in prior malicious campaigns, such as one used for the distribution of information-stealing malware[12]. Other studies have also flagged .bond specifically as a high-risk TLD[13,14,15], and it has obvious specific potential for use with financial bond scams[16].
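The keyword filter, hyphen and digit counts, and name-template grouping described above can be reproduced over any list of domain names for brand-monitoring triage. The following Python sketch is an added example, not the author's tooling: the sample names are constructed, and the digit-masking and "[industry]" folding rules are assumptions chosen to mirror the name forms quoted in the text.

```python
import re
from collections import Counter

KEYWORDS = ("job", "recruit", "apply", "applica")  # keyword set used in the article

# Constructed, defanged sample names (not taken from any zone file).
SAMPLE = [
    "job-offer-10482[.]bond", "job-offer-55310[.]bond", "job-offer-90017[.]bond",
    "nursing-jobs-23391[.]bond", "welding-jobs-70412[.]bond",
    "job-interviews-41288[.]bond", "remote-job-offer-31877[.]bond",
    "examplebrandjobs[.]online", "recruit-example[.]click", "gardening-tips[.]xyz",
]

def profile(domain):
    """Features for one domain, or None if its second-level name has no keyword."""
    name = domain.lower().replace("[.]", ".").rstrip(".")
    sld, _, tld = name.rpartition(".")
    hits = [k for k in KEYWORDS if k in sld]
    if not hits:
        return None
    # Mask digits so names differing only in their numeric suffix share a template.
    masked = re.sub(r"\d", "X", sld)
    # Assumed heuristic: fold a single leading word before "-jobs-XXXXX" into "[industry]".
    masked = re.sub(r"^[a-z]+(?=-jobs-X+$)", "[industry]", masked)
    return {"tld": tld, "keywords": hits, "hyphens": sld.count("-"),
            "digits": sum(c.isdigit() for c in sld), "template": f"{masked}.{tld}"}

def summarise(domains, min_batch=2):
    """Counts per TLD, per digit count, hyphen-heavy names and repeated templates."""
    rows = [p for p in map(profile, domains) if p]
    templates = Counter(r["template"] for r in rows)
    return {
        "matched": len(rows),
        "by_tld": Counter(r["tld"] for r in rows),
        "by_digit_count": Counter(r["digits"] for r in rows),
        "three_plus_hyphens": sum(r["hyphens"] >= 3 for r in rows),
        "batches": {t: n for t, n in templates.items() if n >= min_batch},
    }

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Templates that recur at or above min_batch are the candidates for the "batches of associated registrations" discussed above; substring keyword matching will also catch unrelated names, so the output is a review queue rather than a verdict.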
References
[2] https://udrp.adr.eu/decisions/detail?id=67dbe4de4c85a91b5a04f5b6
[3] https://web.archive.org/web/20250107140746/https://www.esselunga.cyou/
[5] 'Patterns in Brand Monitoring' (D.N. Barnett, Business Expert Press, 2025), Chapter 5: 'Prioritisation criteria for specific types of content'
[6] https://circleid.com/posts/20230117-the-highest-threat-tlds-part-2
[7] 'An updated view of bad TLDs', Stobbs blog [link TBC]
[8] https://krebsonsecurity.com/2024/12/why-phishers-love-new-tlds-like-shop-top-and-xyz/
[9] https://socradar.io/top-10-tlds-threat-actors-use-for-phishing/
[10] https://www.duocircle.com/email-security/prime-tlds-targeted-by-cyber-attackers-in-2024-roundup
[11] https://interbrand.com/best-brands/
[13] https://snapshot.internetx.com/en/domain-abuse-tlds-misused/
[16] https://www.fca.org.uk/consumers/share-bond-and-boiler-room-scams
This article was first published on 16 April 2025 at: