
Phishing Campaign Impersonates Google Careers to Steal Gmail Credentials
Introduction
A sophisticated phishing campaign is actively targeting job seekers by impersonating Google Careers recruiters. The attackers aim to harvest Gmail credentials using spoofed Salesforce subdomains and Cloudflare-protected infrastructure, posing a significant threat to both personal and enterprise security.
Background
The phishing emails use enticing subject lines such as “Exclusive Google Careers Opportunity” to lure victims into clicking a “View the role” button. This redirects users to a fraudulent job application portal hosted on domains like apply[.]grecruitingwise[.]com, which are protected by Cloudflare to evade detection.
The fake portal mimics a legitimate Google Careers page and prompts users to enter personal information, including full name, phone number, and address. This data is transmitted via HTTP POST to the attacker-controlled domain satoshicommands[.]com. Victims are then redirected to a counterfeit Google login page where they are tricked into entering their Gmail credentials.
Malicious JavaScript on the fake login page establishes a persistent WebSocket connection to the attacker’s server and polls it every two seconds for commands. This lets the attacker steer the victim through additional verification steps in real time, including OTP or MFA prompts, effectively bypassing basic two-step authentication. Once credentials are captured, the victim is redirected to a generic “Processing your request” page and is left unaware of the compromise.
The campaign has been active for several months, as evidenced by community reports and URLScan.io analyses. Attackers have also hosted phishing variants on Vercel app subdomains, allowing them to dynamically spin up new infrastructure and avoid takedowns. Additional phishing domains identified include apply[.]grecruitdigital[.]com, gteamhirehub[.]com, and gcandidatespath[.]com.
Mitigation Measures
To defend against this evolving phishing threat, organizations and individuals should implement the following measures:
Enforce Domain Verification: Train users to verify sender domains and avoid clicking on suspicious links.
Deploy Email Gateway Filtering: Use advanced email filters to detect and block spoofed Salesforce subdomains and suspicious URLs.
Block Malicious Infrastructure at the DNS Level: Maintain and update DNS blocklists to prevent access to known phishing domains, including those hosted on Cloudflare and Vercel.
Build Phishing Awareness: Conduct regular training to help users recognize recruitment-themed phishing scams, including fake CAPTCHAs and credential-harvesting portals.
Mandate Multi-Factor Authentication (MFA): Enforce MFA across all corporate Gmail and Google Workspace accounts, and encourage its use for personal accounts.
Integrate Threat Intelligence Feeds: Share and update IOCs (domains, IPs, infrastructure) across security teams to enable rapid detection and response.
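The following Python scanner is an added detection example, not code from this report or from any party it names: it refangs the domains listed above and flags matching hosts in proxy log lines, tagging each hit by stage (initial portal visit, the HTTP POST that carries the victim's form data, and the WebSocket upgrade used for the command channel). The log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators as reported above (defanged with "[.]"), then refanged so they match real hostnames.
REPORTED_IOCS = ["apply[.]grecruitingwise[.]com", "satoshicommands[.]com",
                 "apply[.]grecruitdigital[.]com", "gteamhirehub[.]com", "gcandidatespath[.]com"]
IOC_DOMAINS = [d.replace("[.]", ".").lower() for d in REPORTED_IOCS]

def matches_ioc(host):
    # Return the IOC that host equals or is a subdomain of (covers apply.*, ws.*), else None.
    host = host.lower().rstrip(".")
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

# Assumed (constructed) proxy log format: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def scan_proxy_log(lines):
    # One alert per log line whose destination host matches an IOC, tagged by stage:
    # POST = form data or credentials leaving the browser; HTTP 101 = WebSocket
    # upgrade for the attacker's command channel; anything else = portal visit.
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, url, status = m.groups()
        hit = matches_ioc(urlsplit(url).hostname or "")
        if hit is None:
            continue
        stage = ("data submission" if method == "POST"
                 else "websocket command channel" if status == "101" else "portal visit")
        alerts.append({"ts": ts, "src": src, "ioc": hit, "stage": stage})
    return alerts

# Constructed sample lines (not real traffic) that walk through the reported flow.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://apply.grecruitingwise.com/role/1 200",
    "2024-05-01T10:00:09Z 10.0.0.5 POST https://satoshicommands.com/submit 200",
    "2024-05-01T10:00:10Z 10.0.0.5 GET wss://ws.satoshicommands.com/socket 101",
    "2024-05-01T10:01:00Z 10.0.0.7 GET https://careers.google.com/jobs 200",
]

if __name__ == "__main__":
    print(*scan_proxy_log(SAMPLE_LOG), sep="\n")
```

The subdomain match is what catches new hosts spun up under an already-known domain, which is why the blocklist entry should be the registrable domain rather than a single hostname.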