Been offered a job at Google? Think again. This new phishing scam is duping tech workers looking for a career change

Researchers say the scam is evolving fast, as attackers take measures to avoid detection

Emma Woollacott's avatar
By
published
in News
Job application concept image showing woman in a coffee shop updating her CV on a laptop computer.
(Image credit: Getty Images)

Researchers have issued a warning about a new Google Careers phishing scam used by hackers to dupe tech workers looking for a career change.

Victims receive an 'are you open to talk?' message impersonating an outreach email from Google Careers. If they click the link, they’re taken to a landing page designed to look like a Google Careers meeting scheduler and, from there, to the phishing page.

Detailing the scam in a blog post, Sublime Security threat detection engineer Brandon Murphy said the phishing campaign has evolved rapidly in recent weeks, employing more sophisticated techniques to dupe unsuspecting victims.

"What makes this attack particularly interesting is that it is in active development,” he said. “We have observed threat actors refining and adjusting their tactics and techniques over time, evolving to evade detection."

The initial message may be sent in a number of languages, including English, Spanish, and Swedish, and purports to come from a talent recruiter or recruiting department.

It includes a Book a Call button that leads to a URL that also has a hiring-themed subdomain and Google Careers-themed root domain, although they didn't always match the sender’s domain. There are a number of different links in use, Murphy noted.

How the Google Careers scam works

In almost all cases, after clicking on the Book a Call button, the target is taken to either a real or impersonated Cloudflare Turnstile page.

After completing a Captcha, they are directed to a spoofed Google Careers meeting scheduling page, where their name, email address, and phone number are all recorded by threat actors.

After clicking save & continue, victims are taken to the password phishing phase of the attack, which features a fake login page, as seen in most Google credential phishing attacks.

While most modern credential phishing attacks typically use Adversary in the Middle (AITM) infrastructure to automate the validation and theft of credentials, this attack appears to be using a C2 server, Murphy noted.

What to look out for

With all the variations, there are certain common features of attacks. The phishing messages impersonated Google Careers, but are delivered on non-Google Careers infrastructure, and links to domains that mimic Google branding but are not a legitimate domain.

These domains are typically newly registered, with the sender and/or links within the message using domains that were registered within the past 30 days.

Similarly, there's a misalignment between claimed sender identity – Google Careers – and the actual sender domain, which varies.

As so often with phishing messages, there's a sense of urgency, with job offers coming with vague details, but requiring a call to be scheduled immediately. Messages also use flattering language but are short on the specifics.

"Adversaries will impersonate trusted sites and services to improve their chances of success," said Murphy.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Emma Woollacott
Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

Latest
You might also like
View More ▸