Group-IB, the Singapore-based cybersecurity company, yesterday published a new report detailing an ongoing new fraud campaign targeting Arabic speakers looking for jobs in the Middle East and North Africa region.
Digital risk protection experts at Group-IP’s Threat Intelligence and Research Center in Dubai, UAE, detected and analyzed more than 2,400 fake job pages impersonating companies from 13 countries within the MENA region created on social networks from January 2022 to January 2023.
On these pages, scammers impersonate more than 40 major companies in the region and post job vacancies in Arabic that offer fantastic salaries; It is a social engineering ploy aimed at getting victims to interact with the post with the aim of stealing the user’s account credentials on the social network.
In order to achieve this goal, scammers embed links to fraudulent sites through posts on the fake social media pages.
These scam sites are usually linked to phishing pages where the victim is asked to enter their credentials and password. Group-IP analysts also revealed that fraudsters often impersonate companies from Egypt, Saudi Arabia and Algeria throughout the duration of this scam campaign.
In order to investigate this fraud campaign, Group-IP analysts used the company’s digital risk protection platform, which uses artificial intelligence technology, high-resolution image analysis, and text recognition features to identify fraudulent sites.
Group-IP has a zero-tolerance policy on cybercrime. The company has blocked any of these scam pages that impersonated their customers. The privacy policy of many social networks limits access to information about the creators of individual profiles that were used in this fraudulent campaign, and the scammers’ decision to create scam and phishing pages using platforms that offer cheap or free link building services made it impossible to determine which scam pages were being used. Over 2,400 pages all created by one or more groups.
Moreover, this scam targets individuals exclusively, many of whom will not be aware that their accounts have been hacked, limiting Group-IP’s view of the scale of this campaign. Despite this, Group-IP’s digital risk protection researchers will continue to monitor this scam, and work to ensure that any page impersonating the affected companies is removed.

Eliminate fraudulent campaigns
This scam campaign was notable due to the amount of fake pages created and the large number of countries targeted. In all, the digital risk protection experts at Group-IP detected more than 2,400 pages impersonating more than 40 prominent brands in the Middle East and North Africa region.
This campaign also targeted Arabic speakers only, because all ads were published in Arabic. And companies in Egypt were the most impersonated companies by fraudsters, as Egypt accounted for 48 percent of the fake pages created on Facebook. And 23 percent of organizations and companies are in the Kingdom of Saudi Arabia, followed by Algeria with 16 percent, then Tunisia with 7 percent, then Morocco with 4 percent.
In terms of the time frame, this scam campaign was first noticed in January 2022, and peaked in August, when 609 new scam pages were created. New scam pages continue to be created daily, and in January 2023, 108 Facebook pages were discovered posting fake vacancies for companies located in the Middle East and Africa region, which is higher than the number of pages created in November and December 2022.
Group-IP researchers analyzed the fake job vacancies, and found that many of them claim to offer too good salaries for low- and medium-skilled jobs to be true and are a way to attract victims. A page impersonating a well-known oil company in Algeria also claimed to offer monthly salaries of 4,500 euros ($4,800) to drivers and painters. On other pages, more realistic salaries are advertised, with a profile posing as a Saudi dairy company stating that workers can expect to earn upwards of 3,500 Saudi riyals (about $930).
The actors in this particular campaign focused their sights on multiple sectors, however, the logistics industry was the most targeted sector, as Group-IP found that 64 percent of the fraudulent pages impersonating companies operating in this sector.
As previously noted by Group-IP, scammers targeting users in the Middle East and Africa region are especially fond of impersonating logistics organizations because of the potential high return on investment. While 20 percent of the scam pages impersonated food and beverage companies, 12 percent of them impersonated oil companies.
It also impersonated a specific company on more than 1,000 fake pages. Other major targets of this campaign were a dairy company in Saudi Arabia and an Algerian logistics company, whose trademarks were used on more than 200 and 300 pages, respectively.
Some of the pages identified in this scam also claimed to be offering jobs to individuals for the 2022 FIFA World Cup in Qatar. Late last year, Group-IP’s digital risk protection expert researchers, who have been involved in international law enforcement efforts to secure the digital space around the tournament, published their findings on the findings of their research regarding counterfeit goods, counterfeit tickets, and counterfeit job scams. Targeted at the 2022 Qatar World Cup, which included the discovery of more than 16,000 fraudulent websites.

Convincing users to subscribe to the fake campaign
The success of any fraud campaign depends on the ability of the threat actors to convincingly impersonate a company. In this scam scheme, the vast majority of the fake Facebook Pages displayed the official name of the affected brand. Most of these accounts had the word “jobs” (vacancy) in their title.
Posts on such pages are distinguished by eye-catching text, usually stating that the company in question is hiring urgently for a range of positions. Fraudsters often attempt to generate a false sense of urgency to urge victims to take action without assessing whether the opportunity they are interacting with is real or not. In this case, taking action means clicking on the scam page link in the Facebook post.
These scam pages are often very simple and only contain a “Register Now” button. Most importantly, they contain the branding of the company in question, along with a description of the jobs they claim to be advertisements. After the victim clicks the “Register Now” button, they are often redirected to a phishing page impersonating a social network such as Facebook.
If the user enters their email or phone number and password, the scammers have everything they need to access the victim’s account on the social media platform. In rare cases, scam web pages are used to redirect users to other scam pages.
In this context, Sherif Helal, Head of Risk Protection Analytics in the Middle East and North Africa region at Group-IP, said: “This fraud campaign is important because it targets individual Internet users in the Middle East and North Africa via a platform Facebook, which is a very popular social network in the region.Group-IP digital risk protection researchers have also identified fraud cases that used the same tactics and tools to attract victims previously, and we will continue to build on this experience, using Group-IP technology to detect and remove “Fraudulent websites to ensure the digital security of companies and Internet users. Through this research, we hope to raise awareness in the Middle East and Africa region of tricks that fraudsters use, such as targeting job seekers, to steal their data and potentially cause them financial loss.”
Data theft exposes victims to great risks if they use the same username and password for accounts on other platforms. Especially those related to personal financial affairs, such as: cryptocurrency portfolios and investment portfolios. In addition, Group-IP experts found cases where scammers used hacked accounts to share scam and phishing links with other users, and threat actors can also request money from the victim to recover the account. Which caused the targeted companies and brands risks related to the company’s reputation.
Group IB urges Internet users to be careful and always check the URL when following links that purport to lead to the company’s website, especially if these links are accessed on social media or sent via chat.
In addition, users must enable two-factor authentication for their online accounts to provide an additional layer of security that can prevent such frauds, and they must also ensure that they do not use the same password for multiple accounts. She advises companies to make use of DRP solutions to monitor for signs of brand abuse online and detect and block any threat that could lead to fraud immediately.