Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
CISA Audits Government Code Repositories With Anthropic’s Mythos AI Tool
July 7, 2026
Microsoft Windows Secures AI Agent Workflows with Execution Containers
July 7, 2026
Home/Threats/Phishing Campaign Steals Gmail Logins via Fake Career Pages
Threats

Phishing Campaign Steals Gmail Logins via Fake Career Pages

Key Takeaways A sophisticated phishing campaign is actively targeting job seekers by impersonating recruiters from numerous well-known global brands. Attackers are leveraging legitimate HR and...

Sarah simpson
Sarah simpson
July 7, 2026 5 Min Read
3 0

Key Takeaways

  • A sophisticated phishing campaign is actively targeting job seekers by impersonating recruiters from numerous well-known global brands.
  • Attackers are leveraging legitimate HR and marketing platforms, alongside nested redirects, to bypass security filters and enhance the credibility of their malicious emails.
  • The final stage of the attack employs a “Browser in the Browser” technique, displaying a fake Gmail login pop-up on deceptive career pages to steal user credentials.
  • Over 30 major companies across various sectors, including airlines, food & beverage, fashion, tech, and entertainment, have been impersonated.

Highly Sophisticated Phishing Campaign Targets Job Seekers

A new and elaborate phishing campaign is preying on individuals actively searching for employment, utilizing highly convincing fake career portals and personalized email communications. This operation stands out not only for its extensive reach but also for the meticulous planning evident in each interaction.

Table Of Content

  • Key Takeaways
  • Highly Sophisticated Phishing Campaign Targets Job Seekers
  • Hackers Deploy Recruiter Phishing Emails and Fake Career Pages
  • Phishing Workflow and Identified Targets
  • Indicators of Compromise (IoCs):-
  • What You Should Do

The attack sequence commences with an email meticulously crafted to appear as if sent by a legitimate recruiter. These messages frequently offer marketing roles and are tailored to the recipient by name and professional field, suggesting prior reconnaissance by the attackers. This personalized approach significantly boosts the email’s perceived legitimacy, increasing the likelihood that busy professionals will engage with the malicious link.

Upon clicking the embedded link, victims are guided through a series of deceptive steps designed to mimic standard online processes. Security researcher BushidoUK, sharing findings through a GitHub post, said in a report that the campaign cleverly integrates a chain of legitimate services to mask its true malicious intent.

The initial phishing email is dispatched via PeopleForce, a legitimate human resources and applicant tracking system widely adopted by businesses. From there, the link is routed through Salesforce Marketing Cloud before being redirected to Wise Agent, a customer relationship management (CRM) tool commonly used in the real estate sector. Each subsequent redirection through these trusted services lends an air of legitimacy, helping the phishing link evade detection by email security filters.

By the time the victim arrives at the ultimate fraudulent webpage, they have traversed multiple seemingly trustworthy domains. This method of nested redirects allows the attackers to conceal their phishing site until the final moment, where the actual credential harvesting occurs.

Hackers Deploy Recruiter Phishing Emails and Fake Career Pages

The final destination in this intricate chain is a highly convincing fake career page, engineered to flawlessly replicate the hiring portals of prominent corporations. In one documented instance, the page mimicked the careers section of McKinsey & Company and was hosted on Netlify, a popular platform for web development.

What distinguishes this particular phishing page is its sophisticated use of a “Browser in the Browser” technique. Rather than redirecting the user to an authentic Gmail login page, the fraudulent site generates a simulated pop-up window that is visually identical to a genuine Gmail authentication prompt. Any user who inputs their email and password into this deceptive window is, in reality, directly surrendering their credentials to the attackers.

This technique is highly effective because the fake pop-up meticulously imitates legitimate browser elements, including the address bar, making it exceedingly difficult for even vigilant users to identify as fraudulent. Job seekers, often driven by excitement and urgency during their search, are particularly susceptible to such well-crafted deceptions, as their heightened emotional state can override usual caution.

Phishing Workflow and Identified Targets

The sheer scale of this operation becomes apparent when examining the extensive roster of brands that have been impersonated. Researchers have pinpointed numerous fraudulent career domains mimicking major airlines such as American Airlines, Delta, and United, alongside prominent travel platforms like Booking.com.

Food and beverage industry giants, including Coca-Cola, PepsiCo, and Red Bull, are also among the organizations whose identities have been co-opted. The campaign further extends into the fashion and retail sectors, with fake pages constructed to impersonate Adidas, Louis Vuitton, Sephora, and Levis.

Technology and consulting firms have not been spared, with lookalike domains referencing Adobe, OpenAI, and McKinsey. Rounding out the extensive list are hospitality and entertainment brands such as Marriott, Netflix, and FIFA. Each of these impersonated entities is associated with multiple fake career or hiring domains, all linked to the same underlying malicious infrastructure. The broad spectrum of industries targeted underscores the wide net cast by these attackers.

Indicators of Compromise (IoCs):-

Type Indicator Description
Domain peopleforce[.]io Legitimate HRM/ATS platform abused to send phishing emails
Domain exct[.]net Salesforce Marketing Cloud/ExactTarget domain used in redirect chain
Domain wiseagent[.]com Real estate CRM tool used as an intermediate redirect
Domain mckinsey-careers[.]com Final Netlify-hosted phishing page mimicking McKinsey & Company
Domain aa-careers[.]com Fake career page impersonating American Airlines
Domain booking-careers[.]com Fake career page impersonating Booking.com
Domain jobs-delta[.]com Fake career page impersonating Delta Air Lines
Domain delta-careers[.]com Fake career page impersonating Delta Air Lines
Domain unitedairlines-careers[.]com Fake career page impersonating United Airlines
Domain cocacola-meetings[.]com Fake page impersonating Coca-Cola
Domain cocacola-hr[.]com Fake page impersonating Coca-Cola
Domain thecocacola-company[.]com Fake page impersonating Coca-Cola
Domain cocacola-careerhub[.]com Fake page impersonating Coca-Cola
Domain pepsico-jobs[.]com Fake career page impersonating PepsiCo
Domain redbull-hiring[.]com Fake career page impersonating Red Bull
Domain adidas-hiring[.]com Fake career page impersonating Adidas
Domain hiring-louisvuitton[.]com Fake career page impersonating Louis Vuitton
Domain sephora-careers[.]com Fake career page impersonating Sephora
Domain levis-careers[.]com Fake career page impersonating Levis
Domain jobs-adobe[.]com Fake career page impersonating Adobe
Domain aquent-careers[.]netlify[.]app Fake career page impersonating Aquent, hosted on Netlify
Domain manpowergroupjobs[.]com Fake career page impersonating ManpowerGroup
Domain careers-openai[.]com Fake career page impersonating OpenAI
Domain marriott-globalcareers[.]com Fake career page impersonating Marriott
Domain marriott-hiring[.]com Fake career page impersonating Marriott
Domain marriott-opportunities[.]com Fake career page impersonating Marriott
Domain omnicom-hiring[.]com Fake career page impersonating Omnicom Group
Domain omnicom-jobs[.]com Fake career page impersonating Omnicom Group
Domain fifahr-careers[.]com Fake career page impersonating FIFA
Domain fifaworldcup-jobs[.]com Fake career page impersonating FIFA
Domain fifa-careerportal[.]com Fake career page impersonating FIFA
Domain fifa-careerhub[.]com Fake career page impersonating FIFA
Domain fifa-talenthub[.]com Fake career page impersonating FIFA
Domain jobs-fifa[.]com Fake career page impersonating FIFA
Domain jobsatnetflix[.]com Fake career page impersonating Netflix
URL https://urlscan.io/result/019f2485-084f-739a-bf50-3a311fd848a4/ URLScan record of the observed phishing landing page

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

What You Should Do

  • Verify Job Openings Directly: Always cross-reference any job offers or recruiter emails by visiting the company’s official website directly (typing the URL yourself) and confirming the opening through their legitimate careers portal. Do not rely on links provided in unsolicited emails.
  • Scrutinize Email Senders and Links: Carefully inspect the sender’s email address for any subtle discrepancies. Hover over links (without clicking) to reveal the actual URL and check for unfamiliar domains, even if the display text looks legitimate.
  • Be Wary of Login Requests: Legitimate recruiters will almost never ask for your email account password to schedule an interview or process an application. Any request for credentials during a recruitment process should be an immediate red flag.
  • Enable Multi-Factor Authentication (MFA): Implement MFA on all your online accounts, especially your email and professional networking profiles. This adds a critical layer of security, making it significantly harder for attackers to access your accounts even if they obtain your password.
  • Report Suspicious Emails: If you receive a suspicious email, report it to your email provider (e.g., Gmail’s “Report phishing” feature) and then delete it. If it purports to be from a company, consider forwarding it to their official security contact if available.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerphishingSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical OpenAI Codex macOS App Bug Lets Attackers Inject Indirect Prompts

Next Post

Windows 11 24H2 Backup Policy Changes Confirmed by Microsoft

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Phishing Campaign Steals Gmail Logins via Fake Career Pages
July 7, 2026
Critical OpenAI Codex macOS App Bug Lets Attackers Inject Indirect Prompts
July 7, 2026
Microsoft Teams Vulnerability Lets Attackers Install RMM Tools and EtherRAT
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us