Phishing Campaign Steals Gmail Logins via Fake Career Pages
Key Takeaways A sophisticated phishing campaign is actively targeting job seekers by impersonating recruiters from numerous well-known global brands. Attackers are leveraging legitimate HR and...
Key Takeaways
- A sophisticated phishing campaign is actively targeting job seekers by impersonating recruiters from numerous well-known global brands.
- Attackers are leveraging legitimate HR and marketing platforms, alongside nested redirects, to bypass security filters and enhance the credibility of their malicious emails.
- The final stage of the attack employs a “Browser in the Browser” technique, displaying a fake Gmail login pop-up on deceptive career pages to steal user credentials.
- Over 30 major companies across various sectors, including airlines, food & beverage, fashion, tech, and entertainment, have been impersonated.
Highly Sophisticated Phishing Campaign Targets Job Seekers
A new and elaborate phishing campaign is preying on individuals actively searching for employment, utilizing highly convincing fake career portals and personalized email communications. This operation stands out not only for its extensive reach but also for the meticulous planning evident in each interaction.
Table Of Content
The attack sequence commences with an email meticulously crafted to appear as if sent by a legitimate recruiter. These messages frequently offer marketing roles and are tailored to the recipient by name and professional field, suggesting prior reconnaissance by the attackers. This personalized approach significantly boosts the email’s perceived legitimacy, increasing the likelihood that busy professionals will engage with the malicious link.
Upon clicking the embedded link, victims are guided through a series of deceptive steps designed to mimic standard online processes. Security researcher BushidoUK, sharing findings through a GitHub post, said in a report that the campaign cleverly integrates a chain of legitimate services to mask its true malicious intent.
The initial phishing email is dispatched via PeopleForce, a legitimate human resources and applicant tracking system widely adopted by businesses. From there, the link is routed through Salesforce Marketing Cloud before being redirected to Wise Agent, a customer relationship management (CRM) tool commonly used in the real estate sector. Each subsequent redirection through these trusted services lends an air of legitimacy, helping the phishing link evade detection by email security filters.
By the time the victim arrives at the ultimate fraudulent webpage, they have traversed multiple seemingly trustworthy domains. This method of nested redirects allows the attackers to conceal their phishing site until the final moment, where the actual credential harvesting occurs.
Hackers Deploy Recruiter Phishing Emails and Fake Career Pages
The final destination in this intricate chain is a highly convincing fake career page, engineered to flawlessly replicate the hiring portals of prominent corporations. In one documented instance, the page mimicked the careers section of McKinsey & Company and was hosted on Netlify, a popular platform for web development.
What distinguishes this particular phishing page is its sophisticated use of a “Browser in the Browser” technique. Rather than redirecting the user to an authentic Gmail login page, the fraudulent site generates a simulated pop-up window that is visually identical to a genuine Gmail authentication prompt. Any user who inputs their email and password into this deceptive window is, in reality, directly surrendering their credentials to the attackers.
This technique is highly effective because the fake pop-up meticulously imitates legitimate browser elements, including the address bar, making it exceedingly difficult for even vigilant users to identify as fraudulent. Job seekers, often driven by excitement and urgency during their search, are particularly susceptible to such well-crafted deceptions, as their heightened emotional state can override usual caution.
Phishing Workflow and Identified Targets
The sheer scale of this operation becomes apparent when examining the extensive roster of brands that have been impersonated. Researchers have pinpointed numerous fraudulent career domains mimicking major airlines such as American Airlines, Delta, and United, alongside prominent travel platforms like Booking.com.
Food and beverage industry giants, including Coca-Cola, PepsiCo, and Red Bull, are also among the organizations whose identities have been co-opted. The campaign further extends into the fashion and retail sectors, with fake pages constructed to impersonate Adidas, Louis Vuitton, Sephora, and Levis.
Technology and consulting firms have not been spared, with lookalike domains referencing Adobe, OpenAI, and McKinsey. Rounding out the extensive list are hospitality and entertainment brands such as Marriott, Netflix, and FIFA. Each of these impersonated entities is associated with multiple fake career or hiring domains, all linked to the same underlying malicious infrastructure. The broad spectrum of industries targeted underscores the wide net cast by these attackers.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Domain | peopleforce[.]io | Legitimate HRM/ATS platform abused to send phishing emails |
| Domain | exct[.]net | Salesforce Marketing Cloud/ExactTarget domain used in redirect chain |
| Domain | wiseagent[.]com | Real estate CRM tool used as an intermediate redirect |
| Domain | mckinsey-careers[.]com | Final Netlify-hosted phishing page mimicking McKinsey & Company |
| Domain | aa-careers[.]com | Fake career page impersonating American Airlines |
| Domain | booking-careers[.]com | Fake career page impersonating Booking.com |
| Domain | jobs-delta[.]com | Fake career page impersonating Delta Air Lines |
| Domain | delta-careers[.]com | Fake career page impersonating Delta Air Lines |
| Domain | unitedairlines-careers[.]com | Fake career page impersonating United Airlines |
| Domain | cocacola-meetings[.]com | Fake page impersonating Coca-Cola |
| Domain | cocacola-hr[.]com | Fake page impersonating Coca-Cola |
| Domain | thecocacola-company[.]com | Fake page impersonating Coca-Cola |
| Domain | cocacola-careerhub[.]com | Fake page impersonating Coca-Cola |
| Domain | pepsico-jobs[.]com | Fake career page impersonating PepsiCo |
| Domain | redbull-hiring[.]com | Fake career page impersonating Red Bull |
| Domain | adidas-hiring[.]com | Fake career page impersonating Adidas |
| Domain | hiring-louisvuitton[.]com | Fake career page impersonating Louis Vuitton |
| Domain | sephora-careers[.]com | Fake career page impersonating Sephora |
| Domain | levis-careers[.]com | Fake career page impersonating Levis |
| Domain | jobs-adobe[.]com | Fake career page impersonating Adobe |
| Domain | aquent-careers[.]netlify[.]app | Fake career page impersonating Aquent, hosted on Netlify |
| Domain | manpowergroupjobs[.]com | Fake career page impersonating ManpowerGroup |
| Domain | careers-openai[.]com | Fake career page impersonating OpenAI |
| Domain | marriott-globalcareers[.]com | Fake career page impersonating Marriott |
| Domain | marriott-hiring[.]com | Fake career page impersonating Marriott |
| Domain | marriott-opportunities[.]com | Fake career page impersonating Marriott |
| Domain | omnicom-hiring[.]com | Fake career page impersonating Omnicom Group |
| Domain | omnicom-jobs[.]com | Fake career page impersonating Omnicom Group |
| Domain | fifahr-careers[.]com | Fake career page impersonating FIFA |
| Domain | fifaworldcup-jobs[.]com | Fake career page impersonating FIFA |
| Domain | fifa-careerportal[.]com | Fake career page impersonating FIFA |
| Domain | fifa-careerhub[.]com | Fake career page impersonating FIFA |
| Domain | fifa-talenthub[.]com | Fake career page impersonating FIFA |
| Domain | jobs-fifa[.]com | Fake career page impersonating FIFA |
| Domain | jobsatnetflix[.]com | Fake career page impersonating Netflix |
| URL | https://urlscan.io/result/019f2485-084f-739a-bf50-3a311fd848a4/ | URLScan record of the observed phishing landing page |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
What You Should Do
- Verify Job Openings Directly: Always cross-reference any job offers or recruiter emails by visiting the company’s official website directly (typing the URL yourself) and confirming the opening through their legitimate careers portal. Do not rely on links provided in unsolicited emails.
- Scrutinize Email Senders and Links: Carefully inspect the sender’s email address for any subtle discrepancies. Hover over links (without clicking) to reveal the actual URL and check for unfamiliar domains, even if the display text looks legitimate.
- Be Wary of Login Requests: Legitimate recruiters will almost never ask for your email account password to schedule an interview or process an application. Any request for credentials during a recruitment process should be an immediate red flag.
- Enable Multi-Factor Authentication (MFA): Implement MFA on all your online accounts, especially your email and professional networking profiles. This adds a critical layer of security, making it significantly harder for attackers to access your accounts even if they obtain your password.
- Report Suspicious Emails: If you receive a suspicious email, report it to your email provider (e.g., Gmail’s “Report phishing” feature) and then delete it. If it purports to be from a company, consider forwarding it to their official security contact if available.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.