Been offered a job at Google? Think again. This new phishing scam is duping tech workers looking for a career change
Researchers say the scam is evolving fast, as attackers take measures to avoid detection


Researchers have issued a warning about a new Google Careers phishing scam used by hackers to dupe tech workers looking for a career change.
Victims receive an 'are you open to talk?' message impersonating an outreach email from Google Careers. If they click the link, they’re taken to a landing page designed to look like a Google Careers meeting scheduler and, from there, to the phishing page.
Detailing the scam in a blog post, Sublime Security threat detection engineer Brandon Murphy said the phishing campaign has evolved rapidly in recent weeks, employing more sophisticated techniques to dupe unsuspecting victims.
"What makes this attack particularly interesting is that it is in active development," he said. "We have observed threat actors refining and adjusting their tactics and techniques over time, evolving to evade detection."
The initial message may be sent in a number of languages, including English, Spanish, and Swedish, and purports to come from a talent recruiter or recruiting department.
It includes a Book a Call button that leads to a URL with a hiring-themed subdomain and a Google Careers-themed root domain, although these don't always match the sender's domain. There are a number of different links in use, Murphy noted.
How the Google Careers scam works
In almost all cases, after clicking on the Book a Call button, the target is taken to either a real or impersonated Cloudflare Turnstile page.
After completing a Captcha, they are directed to a spoofed Google Careers meeting scheduling page, where their name, email address, and phone number are all recorded by threat actors.
After clicking save & continue, victims are taken to the password phishing phase of the attack, which features a fake login page, as seen in most Google credential phishing attacks.
While most modern credential phishing attacks typically use Adversary in the Middle (AITM) infrastructure to automate the validation and theft of credentials, this attack appears to be using a C2 server, Murphy noted.
What to look out for
Across all the variations, the attacks share certain common features. The phishing messages impersonate Google Careers but are delivered on non-Google Careers infrastructure, and they link to domains that mimic Google branding but are not legitimate domains.
These domains are typically newly registered, with the sender and/or links within the message using domains that were registered within the past 30 days.
Similarly, there's a misalignment between claimed sender identity – Google Careers – and the actual sender domain, which varies.
As so often with phishing messages, there's a sense of urgency, with job offers coming with vague details, but requiring a call to be scheduled immediately. Messages also use flattering language but are short on the specifics.
"Adversaries will impersonate trusted sites and services to improve their chances of success," said Murphy.
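The indicators listed above (sender identity mismatch, Google-branded lookalike links, and domains registered within the past 30 days) can be combined into a simple triage check. The following is an added example, not code from Sublime Security or the article; the sample messages, the domain ages, and the choice of `google.com` as the only accepted Google domain are constructed assumptions.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = {"google.com"}   # assumption: domains accepted as genuinely Google
NEW_DOMAIN_DAYS = 30             # registration window cited in the article

def registered_domain(host):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_legit(host):
    return registered_domain(host) in LEGIT_DOMAINS

def check_message(from_header, links, domain_age_days):
    """Return the article's indicators that this message matches."""
    hits = set()
    display, addr = parseaddr(from_header)
    sender_host = addr.rpartition("@")[2]
    link_hosts = [urlparse(u).hostname or "" for u in links]
    # Claimed identity is Google Careers, but the sending domain is not Google's.
    if "google" in display.lower() and not is_legit(sender_host):
        hits.add("sender_mismatch")
    # A link host borrows Google branding without being a Google domain.
    if any("google" in h and not is_legit(h) for h in link_hosts):
        hits.add("lookalike_link")
    # Sender or link domain was registered within the past 30 days.
    for host in [sender_host, *link_hosts]:
        age = domain_age_days.get(registered_domain(host))
        if age is not None and age <= NEW_DOMAIN_DAYS:
            hits.add("new_domain")
    return hits

# Constructed sample data (reserved .example domains, invented ages in days).
AGES = {"recruit-team.example": 12, "google-careers-apply.example": 5, "google.com": 9000}
PHISH = ('"Google Careers" <talent@recruit-team.example>',
         ["https://hire.google-careers-apply.example/book"])
BENIGN = ('"Google Careers" <noreply@google.com>',
          ["https://www.google.com/about/careers/"])

if __name__ == "__main__":
    print(sorted(check_message(*PHISH, AGES)))
    print(sorted(check_message(*BENIGN, AGES)))
```

In practice the domain ages would come from a WHOIS or RDAP lookup at scan time rather than a static table.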
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.