Sunday, January 18, 2026

Job Seekers Targeted by Red Bull-Inspired Phishing Scams to Steal Login Details

Cybersecurity researchers have uncovered a sophisticated phishing campaign that impersonates Red Bull recruitment efforts to steal Facebook login credentials from job seekers.

The campaign, identified by Evalian’s Security Operations Center (SOC), demonstrates how modern threat actors are evolving their tactics to bypass traditional email security measures and exploit professional networking behaviors.

Sophisticated Email Deception Bypasses Security Filters

The phishing emails begin with the enticing message “You might be a great fit for something at Red Bull…” and appear to originate from legitimate infrastructure.

However, analysis reveals the actual sender address was messaging-service@post.xero[.]com, while the reply-to address was red.bull.crew@srbs.user0212-stripe[.]com, a domain with no affiliation to Red Bull.

Red Bull phishing email

Despite this deception, the emails successfully passed SPF, DKIM, and DMARC authentication checks, making them appear legitimate to most email filtering systems.

The campaign leverages Mailgun’s email service and the trusted domain post.xero.com to avoid spam detection, with messages originating from IP address 198.244.57.62 in Mailgun’s US infrastructure.
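The header pattern described above (a brand named in the display name and subject, a From domain belonging to an unrelated mail service, a Reply-To on a third domain, and SPF/DKIM/DMARC all passing) can be triaged mechanically. The following is an added example, not Evalian's tooling; the sample message is constructed to mirror the headers reported in this article.

```python
"""Header-level triage for brand-impersonation phishing that passes email
authentication. Added example; the message below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample mirroring the headers reported in the article.
SAMPLE_EMAIL = """\
From: Red Bull Recruitment <messaging-service@post.xero.com>
Reply-To: red.bull.crew@srbs.user0212-stripe.com
To: candidate@example.org
Subject: You might be a great fit for something at Red Bull
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass

You might be a great fit for something at Red Bull...
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if there is none."""
    _name, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def triage(raw: str, brand: str) -> list:
    """Return findings for one raw message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    # Brand appears in the display name or subject but not in the sending domain.
    key = brand.lower().replace(" ", "")
    mentions = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower().replace(" ", "")
    if key in mentions and key not in from_dom.replace("-", ""):
        findings.append(f"brand '{brand}' referenced but From domain is {from_dom}")
    # Replies are silently redirected to a domain other than the sender's.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Passing SPF/DKIM/DMARC only proves control of the From domain, not the brand.
    verdicts = auth_results(msg)
    if findings and all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append("SPF/DKIM/DMARC pass: authentication is not evidence of legitimacy here")
    return findings
```

Run over a mailbox export, a non-empty result from triage() is a candidate for human review rather than an automatic verdict.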

When recipients click the embedded link, they are directed to a “Red Bull Social Media Manager” site hosted on apply-to-get-hired[.]com, which presents a multi-step user journey designed to harvest credentials.

The process begins with a reCAPTCHA screen, likely intended to slow automated security scanners, followed by a convincing fake job description mimicking Glassdoor’s interface.

Technical Infrastructure Reveals Broader Campaign

The final step presents victims with a fraudulent Facebook login page that closely resembles the authentic interface.

When credentials are entered, they are transmitted via a POST request to the endpoint /login_job on the remote server at IP address 38.114.120[.]167, which is hosted by a provider known for high-abuse VPS hosting.

Technical analysis revealed the campaign utilizes a distributed infrastructure across multiple domains, including variations like redbull-social-media-manager.jobs-apply-fast[.]com and redbull.career-applynow[.]com.

The threat actors also created subdomains targeting other brands, including bot2shimeta.charliechaplin7eont[.]space and mrbeastmeta.charliechaplin7eont[.]space, indicating a broader campaign beyond Red Bull impersonation.

The phishing sites are secured with valid Let’s Encrypt TLS certificates, creating an appearance of legitimacy while hiding malicious activity behind encrypted connections.

Using JARM fingerprinting techniques, researchers identified 21 related hosts sharing similar infrastructure characteristics, suggesting this is part of a larger phishing-as-a-service operation.

This campaign highlights the evolution of phishing tactics, where attackers combine brand impersonation with legitimate email infrastructure and professional-looking interfaces to bypass security measures.

Organizations are advised to implement behavioral analysis and human-led threat hunting to identify these sophisticated campaigns that automated tools often miss.

Indicators of compromise (IOCs)

Type    Value
Domain  charliechaplin7eont[.]space
Domain  *.apply-to-get-hired[.]com
