Hackers Use Recruiter Phishing Emails and Fake Career Pages to Harvest Gmail Logins

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A new phishing campaign is targeting job seekers by posing as recruiters from recognizable brands.

The scheme uses fake career pages and worded emails to trick people into handing over Gmail login credentials. What makes this campaign notable is not just its scale but the planning behind each message.

The attack begins with an email that looks like it comes from a genuine recruiter offering a marketing role. The message addresses the target by name and references their actual field of work, suggesting background research was done first.

This personal touch makes the email feel legitimate and increases the odds a busy professional clicks through.

Once the link is clicked, the victim is guided through several deceptive steps designed to look normal.

Security researcher BushidoUK, sharing findings through a GitHub post, said in a report shared with Cyber Security News (CSN) that the campaign relies on a chain of legitimate services to disguise its true intent.

The email is sent through PeopleForce, a real human resources and applicant tracking platform used by many companies.

From there, the link passes through Salesforce Marketing Cloud before bouncing to Wise Agent, a tool used in real estate. Each hop adds legitimacy that helps the phishing link slip past filters.

By the time the victim lands on the final page, they have already passed through several trusted looking domains. This nested redirect approach lets attackers keep their phishing site hidden until the last step, when the actual damage happens.

Hackers Use Recruiter Phishing Emails and Fake Career Pages

The final destination in this chain is a convincing fake career page built to resemble the hiring portal of a major company.

In one confirmed case, the page mimicked McKinsey and Company’s careers section and was hosted on Netlify, a popular platform for building websites.

What sets this phishing page apart is its use of a Browser in the Browser trick. Instead of redirecting the victim to an actual Gmail login page, the site displays a fake pop up window designed to look exactly like one.

Example Phishing Landing Page (Source – GitHub)

Anyone entering their email and password into this window is really typing credentials straight into the attacker’s hands.

This technique works because the fake pop up mimics browser elements like the address bar, making it hard to spot even for careful users. Job seekers eager to land an interview are especially vulnerable, since excitement often overrides caution during a search.

Phishing Workflow And Identified Targets

The scale of this operation becomes clear looking at the list of brands being impersonated. Researchers identified fraudulent career domains mimicking airlines including American Airlines, Delta, and United, alongside travel platforms like Booking.com.

Food and beverage giants such as Coca-Cola, PepsiCo, and Red Bull also appear among the impersonated brands.

Example Phishing Email (Source – GitHub)

The campaign extends into fashion and retail too, with fake pages built around Adidas, Louis Vuitton, Sephora, and Levis.

Technology and consulting firms have not been spared either, with lookalike domains referencing Adobe, OpenAI, and McKinsey.

Hospitality and entertainment brands round out the list, including Marriott, Netflix, and FIFA, each with multiple fake career or hiring domains tied to the same infrastructure. The variety of industries targeted suggests a wide net.

Job seekers should treat unsolicited recruiter emails with caution, especially when asked for account credentials during a scheduling step. Verifying job openings through a company’s official website before clicking any email link remains a simple way to avoid falling victim.

It is also worth remembering that legitimate recruiters rarely need a candidate’s Gmail password to schedule an interview. Any request mixing a job offer with a login prompt should be treated as a warning sign rather than routine.

As this campaign shows, attackers continue to blend real business tools with fake destinations to make schemes harder to spot. Staying alert to small inconsistencies, like unexpected domains or unusual login prompts, remains one of the best defenses users have today.

Indicators of Compromise (IoCs):-

Type Indicator Description
Domain peopleforce[.]io Legitimate HRM/ATS platform abused to send phishing emails
Domain exct[.]net Salesforce Marketing Cloud/ExactTarget domain used in redirect chain
Domain wiseagent[.]com Real estate CRM tool used as an intermediate redirect
Domain mckinsey-careers[.]com Final Netlify-hosted phishing page mimicking McKinsey & Company
Domain aa-careers[.]com Fake career page impersonating American Airlines
Domain booking-careers[.]com Fake career page impersonating Booking.com
Domain jobs-delta[.]com Fake career page impersonating Delta Air Lines
Domain delta-careers[.]com Fake career page impersonating Delta Air Lines
Domain unitedairlines-careers[.]com Fake career page impersonating United Airlines
Domain cocacola-meetings[.]com Fake page impersonating Coca-Cola
Domain cocacola-hr[.]com Fake page impersonating Coca-Cola
Domain thecocacola-company[.]com Fake page impersonating Coca-Cola
Domain cocacola-careerhub[.]com Fake page impersonating Coca-Cola
Domain pepsico-jobs[.]com Fake career page impersonating PepsiCo
Domain redbull-hiring[.]com Fake career page impersonating Red Bull
Domain adidas-hiring[.]com Fake career page impersonating Adidas
Domain hiring-louisvuitton[.]com Fake career page impersonating Louis Vuitton
Domain sephora-careers[.]com Fake career page impersonating Sephora
Domain levis-careers[.]com Fake career page impersonating Levis
Domain jobs-adobe[.]com Fake career page impersonating Adobe
Domain aquent-careers[.]netlify[.]app Fake career page impersonating Aquent, hosted on Netlify
Domain manpowergroupjobs[.]com Fake career page impersonating ManpowerGroup
Domain careers-openai[.]com Fake career page impersonating OpenAI
Domain marriott-globalcareers[.]com Fake career page impersonating Marriott
Domain marriott-hiring[.]com Fake career page impersonating Marriott
Domain marriott-opportunities[.]com Fake career page impersonating Marriott
Domain omnicom-hiring[.]com Fake career page impersonating Omnicom Group
Domain omnicom-jobs[.]com Fake career page impersonating Omnicom Group
Domain fifahr-careers[.]com Fake career page impersonating FIFA
Domain fifaworldcup-jobs[.]com Fake career page impersonating FIFA
Domain fifa-careerportal[.]com Fake career page impersonating FIFA
Domain fifa-careerhub[.]com Fake career page impersonating FIFA
Domain fifa-talenthub[.]com Fake career page impersonating FIFA
Domain jobs-fifa[.]com Fake career page impersonating FIFA
Domain jobsatnetflix[.]com Fake career page impersonating Netflix
URL https://urlscan.io/result/019f2485-084f-739a-bf50-3a311fd848a4/ URLScan record of the observed phishing landing page

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.