Attackers are using freelance job sites such as fiverr and Freelancer to distribute malware disguised as job offers. These job offers contain attachments that pretends to be the job brief, but are actually installers for keyloggers such as Agent Tesla or Remote Access Trojan (RATs).
For example, in the screenshot below you can see an attacker creating a fake job offer with the "my details.doc" attachment and sending it to a freelancer.
According to MalwareHunterTeam, this type of attack is being used on both Fiverr and Freelancer, where he has seen victims open the malicious document attached to the job offers and become infected.
Saw an NG actor using @fiverr to spread.— MalwareHunterTeam (@malwrhunterteam) September 21, 2018
And in this case, the poor girl opened the doc...
People, if you are opening files from random people, at least have an AV installed. And of course, don't enable macros... pic.twitter.com/nfC3ahmMUj
As job briefs are commonly sent as attachments, to the targets they look like legitimate job offers as seen below.
Not only are victims opening the attachments and getting infected, but some of them are asking for support when they have problems opening the document.
For example, a user responded to the attacker stating that they were unable to open it on their mobile device and the attacker responds that they need to open it on their PC.
Another victim was having trouble opening the document and the attacker is trying to support them in getting it opened.
This goes to show you that attackers are not only using innovative ways to distribute malware, but also going the extra mile to support their victims who have trouble getting infected on their own. As always, it is important to have a updated antivirus solution installed on your computer and to always scan attachments before opening them.