Researchers have issued a warning about a new Google Careers phishing scam used by hackers to dupe tech workers looking for a career change.
Victims receive an 'are you open to talk?' message impersonating an outreach email from Google Careers. If they click the link, they’re taken to a landing page designed to look like a Google Careers meeting scheduler and, from there, to the phishing page.
Detailing the scam in a blog post, Sublime Security threat detection engineer Brandon Murphy said the phishing campaign has evolved rapidly in recent weeks, employing more sophisticated techniques to dupe unsuspecting victims.
"What makes this attack particularly interesting is that it is in active development,” he said. “We have observed threat actors refining and adjusting their tactics and techniques over time, evolving to evade detection."
The initial message may be sent in a number of languages, including English, Spanish, and Swedish, and purports to come from a talent recruiter or recruiting department.
It includes a Book a Call button that leads to a URL that also has a hiring-themed subdomain and Google Careers-themed root domain, although they didn't always match the sender’s domain. There are a number of different links in use, Murphy noted.
How the Google Careers scam works
In almost all cases, after clicking on the Book a Call button, the target is taken to either a real or impersonated Cloudflare Turnstile page.
After completing a Captcha, they are directed to a spoofed Google Careers meeting scheduling page, where their name, email address, and phone number are all recorded by threat actors.
After clicking save & continue, victims are taken to the password phishing phase of the attack, which features a fake login page, as seen in most Google credential phishing attacks.
While most modern credential phishing attacks typically use Adversary in the Middle (AITM) infrastructure to automate the validation and theft of credentials, this attack appears to be using a C2 server, Murphy noted.
What to look out for
With all the variations, there are certain common features of attacks. The phishing messages impersonated Google Careers, but are delivered on non-Google Careers infrastructure, and links to domains that mimic Google branding but are not a legitimate domain.
These domains are typically newly registered, with the sender and/or links within the message using domains that were registered within the past 30 days.
Similarly, there's a misalignment between claimed sender identity – Google Careers – and the actual sender domain, which varies.
As so often with phishing messages, there's a sense of urgency, with job offers coming with vague details, but requiring a call to be scheduled immediately. Messages also use flattering language but are short on the specifics.
"Adversaries will impersonate trusted sites and services to improve their chances of success," said Murphy.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- How leaders can uncover hidden tech talent
- The highest-paying tech jobs
- Phishing tactics: The top attack trends
-
Google CEO Sundar Pichai says vibe coding has made software development ‘exciting again’News Google CEO Sundar Pichai claims software development has become “exciting again” since the rise of vibe coding, but some devs are still on the fence about using AI to code.
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Google wants to take hackers to courtNews You don't have a package waiting for you, it's a scam – and Google is fighting back
-
77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thingNews A new report uncovers worrying complacency amongst IT and security leaders
-
Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since JulyNews Whisper 2FA is now the third most common Phishing as a Service tool worldwide
-
Microsoft and Cloudflare just took down a major phishing operationNews RaccoonO365’s phishing as a service platform has risen to prominence via Telegram
-
Hackers are abusing ConnectWise ScreenConnect, againNews A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
-
Malicious URLs overtake email attachments as the biggest malware threatNews With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
-
New hires are your weakest link when it comes to phishing attacks – here's how you can build a strong security culture that doesn't judge victims
News Research from Keepnet shows new hires are far more likely to fall for phishing attacks – here's how you can improve security awareness during onboarding processes.
