FIN6 attackers target recruiters with fraudulent resumes
Briefly

The FIN6 hacking group has been using impersonation tactics to target recruiters, submitting deceptive job applications that contain phishing links. These links lead to sites that pose as personal resumes but are designed to deliver malware. Researchers from DomainTools reported that these domains use anonymous registration methods and sophisticated traffic filtering to ensure that only specific users can access the content, improving their chances of evading security measures. The actors rely on deceptive email addresses and disposable payment methods to maintain their operations while effectively phishing recruiters.
The domains are registered anonymously and come equipped with environmental fingerprinting and behavioral checks to ensure that only the target can open the landing pages.
Combined with the use of resume-themed domain names and impersonation techniques, this registration strategy allows FIN6 to keep its infrastructure alive just long enough to carry out active phishing campaigns while avoiding rapid takedown.
Read at IT Pro