Cybersecurity firm Sublime Security said on Oct. 16, 2025, that it has observed a widespread credential-phishing campaign that uses fake job offers to capture Facebook login credentials. The company published a blog post describing the activity.
Targets are typically lured with bogus postings for Social Media Manager roles, and the attackers impersonate well-known brands such as KFC, Ferrari and Red Bull to increase credibility, according to the report. The emails often appear to be sent from trusted services, including Google Workspace and Microsoft 365. The report’s author, Bryan Campbell, said the consistent email structure suggests use of a template or a large language model to scale the operation.
The scam redirects recipients through an image-based security check to a site designed to resemble a Glassdoor job listing, which prompts applicants to sign in with email or Facebook. After an initial failed email login, victims are shown a counterfeit Facebook login page; when credentials are entered, the site displays a loading bar that never completes while the attackers capture the information.
Researchers highlighted two clear warning signs. The first is deceptive URLs, such as the example ‘[email protected]’, that visually mimic legitimate brand links and then redirect elsewhere. The second is a mismatch between the displayed company name or logo and the sender or reply-to addresses, which do not match the brand’s official domain. Campbell said such scams work because they “offer opportunities too enticing to pass up.”
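The two warning signs above can be checked mechanically. The following is an added example, not code from Sublime Security or its report; the brand-to-domain map, the `.example` domains and the sample message are constructed placeholders, and the link check generalizes to any URL whose real host differs from the brand, including ones with brand-looking text before an `@`.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: placeholder map of brand name -> official domains (not the brands' real domains).
OFFICIAL_DOMAINS = {"kfc": {"kfc.example"}, "ferrari": {"ferrari.example"},
                    "red bull": {"redbull.example"}}

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the allowed domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_mismatches(raw_email):
    """List findings where the brand claimed in From/Subject disagrees with real domains."""
    msg = message_from_string(raw_email)
    display, _ = parseaddr(msg.get("From", ""))
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    brand = next((b for b in OFFICIAL_DOMAINS if b in claimed), None)
    if brand is None:
        return []
    allowed, findings = OFFICIAL_DOMAINS[brand], []
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        domain = addr.rpartition("@")[2]
        if addr and not in_domains(domain, allowed):
            findings.append(f"{header} domain {domain} is not an official {brand} domain")
    # Text parts only; transfer-encoded (base64/quoted-printable) bodies are not decoded here.
    body = "".join(p.get_payload() for p in msg.walk()
                   if not p.is_multipart() and isinstance(p.get_payload(), str))
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        # urlsplit().hostname is the real host: anything before an '@' is userinfo.
        host = urlsplit(url).hostname
        if not in_domains(host, allowed):
            findings.append(f"link host {host} is not an official {brand} domain")
    return findings

# Constructed sample message (not taken from the campaign).
SAMPLE = """From: "KFC Careers" <recruiter@mail-sender.example>
Reply-To: hr@other-host.example
Subject: Social Media Manager opening
Content-Type: text/plain

Apply here: https://kfc.example@apply-portal.example/job
"""

if __name__ == "__main__":
    for finding in brand_mismatches(SAMPLE):
        print(finding)
```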
Sublime said the Facebook-focused campaign follows a near-identical attack on Oct. 14 that impersonated Google Careers, illustrating how quickly attackers change tactics. The report did not provide estimates of the number of victims; the researchers urged caution when responding to unsolicited job offers or requests to log in to apply.

