A recent phishing operation is preying on job seekers by masquerading as recruiters from well-known companies. This deceptive campaign employs fraudulent career websites and tailored emails to steal Gmail login details. The scale and sophistication of this attack distinguish it from typical phishing schemes.
Deceptive Recruitment Emails
The fraudulent activity initiates with an email that appears to be from a legitimate recruiter, promoting a job in the marketing sector. The email is personalized, addressing the recipient by name and referencing their professional background, indicating prior research by the attackers. This personalized approach enhances the email’s credibility, increasing the likelihood that recipients will engage with the content.
Upon clicking the embedded link, victims are led through a series of deceptive steps designed to appear legitimate. Cybersecurity researcher BushidoUK, who reported these findings on GitHub, noted that the campaign utilizes a sequence of genuine services to obscure its malicious intent.
Complex Phishing Workflow
The phishing emails are dispatched through PeopleForce, a real human resources and applicant tracking system. The link then traverses Salesforce Marketing Cloud before reaching Wise Agent, a real estate tool. Each transition adds a layer of legitimacy, enabling the phishing links to bypass security filters.
By the time users arrive at the final page, they have navigated multiple legitimate-looking domains. This tactic helps conceal the phishing site until users reach the last stage, where the real threat emerges. The ultimate destination is a believable fake career page, crafted to mimic the hiring portals of major corporations.
Impersonating Well-Known Brands
One notable example is a page imitating McKinsey and Company’s career section, hosted on Netlify, a common website-building platform. The phishing site employs a “Browser in the Browser” trick, displaying a fake Gmail login popup that resembles the genuine article. This fake window, complete with realistic browser elements like the address bar, can deceive even vigilant users into entering their credentials, which are then captured by the attackers.
The campaign’s breadth is evident from the array of brands being impersonated. Researchers have identified fake domains mimicking airlines like American Airlines, Delta, and United, as well as travel sites such as Booking.com. Major food and beverage companies, including Coca-Cola and PepsiCo, are also targets, along with fashion, technology, and hospitality brands.
Protecting Against Phishing Attacks
Job seekers should exercise caution with unsolicited recruiter emails, particularly those requesting login credentials during the hiring process. It is advisable to verify job openings directly through a company’s official website before clicking on email links. Remember, legitimate recruiters typically do not require access to personal email accounts for scheduling interviews.
This campaign highlights the attackers’ ability to blend authentic business tools with fraudulent destinations, making their schemes harder to detect. Staying vigilant for inconsistencies, such as unexpected domains or unusual login prompts, remains one of the most effective defenses against phishing attacks.
