Integrity Alert #3: The Indeed Malware Bypass

Alert Summary

Incident ID: IA-003

Vector: Typosquatting / Platform Trust Exploitation / Malware Sideloading

Risk Level: CRITICAL (Device Compromise & Data Exfiltration)

Status: ARCHIVED

This audit identifies a high-sophistication malware delivery campaign utilizing the trusted Indeed platform and Holiday Inn Express branding. The attackers leveraged a disposable domain registered less than 24 hours prior to contact, attempting to force the victim to install unauthorized software on a personal device to bypass corporate security filters.


Target / Method / Ultimate Goal

  • Target: Job seekers on trusted aggregators (Indeed) searching for stable corporate IT/Support roles.
  • Method: Security Control Circumvention. Using “Typosquatting” (impersonation via misspelled domains) and demanding the installation of a proprietary app to communicate outside of monitored platform channels.
  • Ultimate Goal: Deployment of a malware payload to a personal device to harvest credentials, bypass Multi-Factor Authentication (MFA), and gain lateral access to the victim’s network.

VETTICA Analysis: 5 Critical Integrity Failures

1. Infrastructure Failure: Disposable Domain Forensics

  • Forensic Finding: The fraudulent domain (holidayexpres.org) was registered on October 27th—the exact morning the attack was launched.
  • VETTICA Verdict: CRITICAL FAILURE. A domain with an integrity lifespan of less than 24 hours is a primary indicator of a “Burner” infrastructure used exclusively for fraud.

2. IT Policy Failure: Unauthorized Sideloading

  • Forensic Finding: The message mandated the installation of a third-party app from an external link for “updates.”
  • VETTICA Verdict: IMMEDIATE FAILURE. Demanding that a candidate sideload software is a classic tactic to bypass secure email gateways (SEGs) and endpoint protection. No legitimate firm requires proprietary software for a preliminary interview.

3. HR Coherence Failure: Identity Disconnect

  • Forensic Finding: The Indeed account (labeled “Mary Lewis”) did not match the email signature (“Oluwafemi Eluyera”).
  • VETTICA Verdict: FAILURE. This lack of personnel consistency proves the operation is an automated, high-volume script lacking basic corporate accountability.

4. Digital Identity Failure: Typosquatting & TLD Abuse

  • Forensic Finding: Use of holidayexpres (missing the “s”) and a .org TLD instead of the official .com.
  • VETTICA Verdict: FAILURE. Typosquatting is a low-effort technical exploit designed to trick the human eye while bypassing domain reputation filters.

5. Platform Trust Failure: Indeed’s Vetting Gap

  • Forensic Finding: The fraudulent listing bypassed Indeed’s initial security gates, allowing the attackers to harvest contact info before the platform could react.
  • VETTICA Verdict: CRITICAL FAILURE. This represents a breach of the platform’s governance model, proving that “Platform Verified” does not equal “Secure.”

VETTICA Action Plan: Protect Your Professional Perimeter

  • Verify Domain Longevity: If the “Company” domain was registered last week, the job doesn’t exist.
  • Reject Out-of-Band Apps: Never install software to “apply” for a job. Legitimate recruitment happens via web browsers, established portals, or video conferencing tools (Zoom/Teams).
  • Audit the TLD: Large hotel chains do not recruit via .org or .net domains.
