Key Data 

Are you in the market for a new job? Talent scouts aren’t the only ones aggressively recruiting. Netcraft has observed a recent spike in recruitment scams, uncovering significant impact from three unique adversaries, each leveraging different tactics to target job seekers: 

• Threat actor #1 – Impersonates employers in the tech vertical using advance fee fraud (AFF) tactics 

• Threat actor #2 – Impersonates a logistics recruitment agency using similar AFF tactics: 

  • Localized scams focused on 18 geographies 

  • 63,000 people targeted in the U.S. alone 

• Threat actor #3 – Impersonates the Government of Singapore to steal victims’ personal identity number and Telegram account details 

According to the Federal Trade Commission (FTC), in 2023, more than $500m was lost to job-related fraud in the U.S., more than double the 2022 figure ($200m). It is anticipated that 2024 will beat that record. We have felt this increase across Netcraft’s business, with employees in the U.S., U.K., and Australia receiving lure messages for recruitment scams throughout the year. And we’re not alone.

Several economic and technosocial factors – greater competition, lower wages, the cost-of-living crisis, the rise of zero-hours gig work, etc. – have created an ideal climate for criminals to exploit job seekers. This is especially true for those in lower economic communities. 

This article reviews the exploits’ common components, adversary insights, the proliferation of these scams, and how to protect yourself and your employees. 

Dissecting the Scam 

Among the most common scams observed are task scams. Let’s break these down into their parts, exposing how and why they can be so effective at tricking eager targets out of time, work product, and money.  

What Are Task Scams? 

Task scams are a specific form of recruitment scam (or “job scam”), which impersonate legitimate employers or recruiters to financially exploit victims. In some cases, they may also attempt to obtain personally identifiable information (PII) for fraudulent use. These scams typically assign victims “tasks” or “projects” under the guise of legitimate work or as part of the recruitment process, often with promises of payment or a job offer upon completion. 

Task scams typically engage their targets via messaging platforms, often directing the individual to a fake website. These typically unfold quickly, completing the fraud within a few days or weeks. 

Threat actors posing as recruiters contact potential victims with offers of a job or other source of freelance income. Flexible terms and/or simple tasks (e.g., watching videos for money) are used to make these opportunities more appealing. To complete the task, users must pay an upfront fee – this is the catch. 

Once a victim has sent their payment, they can proceed to complete the assigned tasks. Victims may continue this process several times, enabling the threat actor to repeatedly extract money and free labor (which can be monetized) from the victim and increase their returns. Once the victim notices the lack of reimbursement and challenges the process, the threat actor will typically end their correspondence. 

Lure Messages 

Every scam starts with the lure. Netcraft has observed the following messaging channels used to lure victims (in order of prevalence): WhatsApp, Telegram, iMessage, RCS, and SMS.  

In many cases, threat actors will engage potential victims with two fake personas: 

• The first persona sets the trap, making an initial outreach, hooking the target into the scam 

• The second executes and extracts, providing additional details on the tasks or role they must perform 

This approach likely enables the threat actor to achieve persistence and scale while effectively managing high volumes of concurrent scams.  

Why Persistence Matters 

Phone numbers and accounts performing high-volume, outbound communications are more likely to be identified and disrupted by platform operators. By separating these “burner” personas, adversaries can prevent successful engagements from disruption mid-scam, increasing their efficacy and return on investment. 

Threat Actor Roles 

Cybercriminals mostly use manual communications for these scams, which require real phones and real humans. Splitting the workload can optimize their activities and manage resources efficiently. This aThis allows threat actors to focus on high-return activities, likely outsourcing the first outreach to other groups who provide the initial contact as a service. 

Fig. 1. Initial engagement from a threat actor posing as recruitment agency AGS.

Task Scams coerce their targets by promising flexible hours and lucrative rates. Because gig work and flexible working schedules are desirable to many job seekers, it becomes a clear opportunity for scammers looking to exploit individuals open to these job prospects. 

Inside a Job Scam – Threat Actor #1: Celadon and Softserv  

The following walkthrough illustrates the step-by-step process a threat actor used, posing as a technology company to extract funds from their victims.

The attack begins with the recipient, this example from the U.K., receiving an unsolicited WhatsApp message from a Canadian phone number and the display name “Quinn.” The adversary positions themself as a recruitment consultant from LinkedIn who has purportedly received a job application from the recipient.  

Fig. 2. First engagement via WhatsApp between threat actor #1 and their target recipient. 

The threat actor proceeds to offer part-time and full-time roles paid hourly or monthly at implausibly high rates. We can see in Fig. 3 below the switch between the first engagement persona and the second, which will provide the recipient with more details on the opportunity.  

Fig. 3. The threat actor provides high-level details of the fake job and escalates the conversation to the second persona. 

The job seeker receives a U.K. phone number (Vodafone) to message, which they must contact directly via WhatsApp. This second persona responds, impersonating legitimate employer Celadonsoft (a digital development agency) and providing more job details. The job specification outlines the type of work (app optimization) and the associated compensation (approximately 3,800USDT – cryptocurrency, Tether).  

Fig. 4.  

Fig. 5.  

Fig. 6.  

Fig. 7. 

Fig. 4 – 7. Threat actor provides more detailed information on the marketing role. 

During the exchange, there are noticeable indicators that the opportunity isn’t legitimate, including: 

• Capitalization of the company name and shortening in the image (“Celadon”); 

• Payment offered in cryptocurrency Tether (USDT); 

• Unusually high rates of pay for this type of “gig” work; 

• Imperfect use of English with grammatical quirks (e.g., “Our role in this work is program optimizer” and incorrect use of terms (e.g., “Salary”)). 

To proceed to the application, the job seeker is instructed to visit celadonsoftapp[.]vip (notice the novel TLD), set up an account using a signup code, and complete a 30-minute training course.  

Fig. 8. Login page on the fake job task site, celadonsoftapp[.]vip/login. 

The threat actor has likely included this registration layer to evade detection, hiding their activities behind the authorization page. This is a detection evasion tactic that we see used frequently in APP scams. 

When the job seeker attempts to log in using an arbitrary code, they are rejected. Again, this tactic evades security researchers analyzing the website due to the lack of direct contact with the threat actor. 

Fig. 9. Arbitrary password being rejected at celadonsoftapp[.]vip/register.

After a successful login, the fake website simulates crediting the job seeker with 10 USDT. 

Fig. 10. 10 USDT credited to the account. 

The job seeker is then invited to begin taking on projects through the following user journey: 

1. The website homepage (celadonsoftapp[.]vip/index) displays a pop-up with the message: “Receive a set of 40 apps data tasks; Profit of 0.5% per application; Activate with a 10 USDT.” (Fig 11) 

2. After clicking “View more”, the user is taken to a landing page (celadonsoftapp[.]vip/vip) featuring a list of tasks that require a deposit to be paid to activate each “VIP” level; these payments range from 10 USDT to 10,000 UDST. (Fig 12) 

3. By accessing their profile at celadonsoftapp[.]vip/my_info, the user can check their balance (the funds they have paid in and earnt), deposit a payment, withdraw funds, and more. (Fig 13) 

4. The user accesses “jobs” via celadonsoftapp[.]vip/start; these are represented by various app icons, many of which the user is likely to be able to identify. (Fig 14) 

5. If the user attempts to complete a task without sufficient funds, they are prompted to make a deposit. (Fig 15) 

Fig. 11. Website homepage with pop-up. 

Fig. 12. Task list including activation costs. 

Fig. 13. User profile. 

Fig. 14. Task selection page. 

Fig. 15. Pop-up displayed if the user has insufficient funds to complete a task. 

The step-by-step flow above shows advance fee fraud in action; after enticing victims to their phishing website with the promise of substantial remuneration, the threat actor then coerces them into making up-front payments to engage in the tasks that supposedly release that remuneration.  

The job seeker will continue to deposit sums of money while completing the tasks. However, when they come to withdraw their earnings, no deposit is made, and they are left empty-handed. What’s more, the work they carried out for the fake employer is likely benefiting the adversaries; the criminals maximize their gains while the victim loses money, time, and the resources they expend on the tasks. 

Notice the word “softserv” throughout the screenshots of the website. Softserv is another tech organization this particular threat actor impersonates. This artifact on the fake Celadon website shows how threat actors impersonate different brands while using the same or similar assets in their campaign. Rather than building a brand-specific infrastructure, they simply build once and then replicate content. 

Threat Actor #1: Website Analysis 

Netcraft identified nine platform sites similar to the above in use through 2024 by this threat actor, including: 

• celadonsoftapp[.]cc 

• Victims targeted from May 31st to November 5th  

• celadonsoftapp[.]icu 

• Victims accessed from May 30th to November 13th  

• celadonsoftapp[.]org 

• Victims accessed from May 29th to September 23rd  

Now offline 

• celadonsoftapp[.]top 

• Victims accessed from May 29th to November 13th  

• celadonsoftapp[.]vip 

• Victims accessed from May 12th to June 3rd  

• celadonsoft[.]cc 

• Victims accessed from May 13th to June 6th  

• Now offline 

• celadonsoft[.]top 

• Victims accessed from May 23rd to November 14th 

• Now offline 

• softserv[.]top 

• Victims accessed from June 21st to November 11th 

softserver[.]vip 

• Victims accessed from June 21st to October 17th 

The graph below illustrates the relatively consistent number of visitors across each website. 

Fig. 16. Graph showing visitors visiting threat actor #1 websites. 

Other characteristics of this threat actor include them using: 

• Identical design and content across all websites 

• The same server for all web addresses 

• Cloudflare to host all websites 

• Gname to host all domains 

It also appears the websites were redesigned late June 2024, taking on a more corporate appearance. 

Fig. 17. Previous design for the celadonsoftapp[.]vip/login page in late May. 

Geo-based Targeting – Threat Actor #2: Picked Well  

The second threat actor observed in our research impersonated U.S. logistics recruiter, Picked Well, with 36 sites detected in total, targeting victims in 18 countries and using each country’s native language for website content. 

The following graph shows the relative volume of traffic to sites run by this threat actor according to geography. As you can see, the U.S. leads by far, showing us that U.S. victims were either the most targeted or the most prone to falling for the scam – with 95X more visitors from the U.S. than in the UK and 170x more than Australia. 

Fig. 18. Graph showing victims targeted by geography. 

Each website targeted victims in a specific country using the native language across the website. This shows us the lengths threat actors will go to ensure the success of their campaigns, i.e., not only developing content in the native language, but luring victims specific to that region. 

• aupickedwell[.]pro 

• January 6, 2024 to July 3, 2024 

• capickedwell[.]pro 

• November 24, 2023 to February 14, 2024 

• capickedwell[.]site 

• December 5, 2023 to November 16, 2024 

• depickedwell[.]online 

• December 12, 2023 to July 19, 2024 

• depickedwell[.]pro 

• November 22, 2023 to November 16, 2024 

• depickedwell[.]site 

• January 3, 2024 to October 27, 2024 

• espickedwell[.]biz 

• January 2, 2024 to January 18, 2024

•  

• espickedwell[.]online 

• December 12, 2023 to November 15, 2024 

• espickedwell[.]pro 

• November 22, 2023 to November 13, 2024 

• espickedwell[.]site 

• January 23 2024 to January 24 2024 

• fipickedwell[.]online 

• December 28 2023 to October 19 2024 

• fipickedwell[.]pro 

• Nov 25 2023 to February 21 2024 

• fipickedwell[.]site 

• January 3 2024 to November 16 2024 

• frpickedwell[.]online 

• January 10 2024 to August 27 2024 

• frpickedwell[.]pro 

• November 28 2023 to November 13 2024 

• frpickedwell[.]top 

• November 29 2023 to February 29 2024 

• iepickedwell[.]online 

• February 8 2024 to June 5 2024 

• iepickedwell[.]pro 

• January 14 to August 22 

• inpickedwell[.]pro 

• December 6 2023 to November 17 2024 

• itpickedwell[.]online 

• December 29 2023 to November 15 2024 

• itpickedwell[.]pro 

• Nov 23 2023 to June 26 2024 

• jppickedwell[.]online 

• December 2 2023 to June 5 2024 

• jppickedwell[.]pro 

• December 2 2023 to November 17 2024 

• nlpickedwell[.]online 

• December 2 2023 to October 15 2024 

• nlpickedwell[.]pro 

• November 21 2023 to April 3 2024 

• nzpickedwell[.]pro 

• January 6 to May 24 

• plpickedwell[.]online 

• December 11 2023 to April 13 2024 

• plpickedwell[.]pro 

• November 24 2023 to November 17 2024 

• ptpickedwell[.]online 

• November 12 2023 to September 5 2024 

• ptpickedwell[.]pro 

• November 25 2023 to November 16 2024 

• sapickedwell[.]online 

• January 5 to November 5 

• sapickedwell[.]pro 

• November 21 2023 to May 16 2024 

• thpickedwell[.]pro 

• November 25 2023 to November 16 2024 

• ukpickedwell[.]online 

• December 28 2023 to November 13 2024 

• ukpickedwell[.]pro 

• November 23 2023 to October 22 2024 

• uspickedwell[.]pro 

• November 23 2023 to August 13 2024 

As in the previous section, the graph below shows the relative number of victims targeted. 

Fig. 19. Graph showing relative website traffic numbers. 

Threat Actor #3: Government of Singapore 

In our final example, Netcraft identified a threat actor attempting to access victims’ Telegram accounts to steal their identity card numbers. Unlike the task-based advance fee fraud scams, this activity focuses on capturing its victims’ identities. 

Attack Walkthrough 

The following walkthrough corresponds with the images below in Fig. 20 – 24: 

• Victim joins a fake Government of Singapore Telegram account 

• A message is posted in the group from/on behalf of the Department of Statistics in Singapore (Note typos: Singapure) 

• It’s likely that this scam is cyclical in nature, i.e., at its conclusion, the threat actor compromises the victim’s account so it can be used in future scams (Fig. 16) 

• Clicking on the link in the message sends the user through to a phishing website (singaporejobvacancy[.]bygo[.]win/fxoxsvs) with more fake job listings and the salaries for each (Fig. 17) 

• To submit their CV or view the job specifications, users must sign up by providing their identity card number and Telegram number (Fig. 18) 

• The victim enters these details 

• The website requests a verification code which has been sent to the victim’s Telegram number (Fig. 19 – 20) 

• The user enters the code into the site, thereby verifying the threat actor’s access to their Telegram account 

• Threat actor achieves full control of the victim’s account 

This compromised account is likely then used to impersonate the victim, either posting lure messages in other groups or sending them directly to the victim’s contacts. Extortion tactics may also be used. 

Fig. 20

Fig. 20

Fig. 21

Fig. 22

Fig. 23

Fig. 24

Conclusion 

Recruitment scams are on the rise, and we can expect them to increase in sophistication as new technologies such as generative AI (GenAI) are put to use. Our research shows the diversity of the tactics employed and the different ways they impact victims. 

It’s essential that job seekers become hyper-vigilant when they receive correspondence from purported recruiters and even when they search for jobs online. The scams documented in this article share similar telltale characteristics that could allow detection from thoughtful job seekers, including: 

• The user journey is unnecessarily complex 

• The user receives no facetime with the “recruiters” and most correspondence takes place via social messaging platforms, rather than typical channels such as email or on LinkedIn 

• Typos and low-quality content are prevalent 

• The jobs themselves appear too good to be true, offering implausible pay and flexible working terms  

Targets of these scams can flag junk directly through messaging platforms like WhatsApp, as well as reporting phone numbers, emails, social media accounts, and websites to Netcraft. This enables us to analyze these scams and distribute intelligence via threat feeds to tech providers, ensuring scams are disrupted at scale and prevent future attacks. 

In an already challenging job market where trust is at a low, it is increasingly important for organizations in the recruitment space (including government entities) to educate individuals and to fight threats directly. For more information on how Netcraft can help you prevent your customers falling for more of these scams, get in touch to book a demo.