{"id":5501,"date":"2025-10-22T12:19:03","date_gmt":"2025-10-22T12:19:03","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5501"},"modified":"2025-10-22T12:19:03","modified_gmt":"2025-10-22T12:19:03","slug":"google-careers-scam-lands-job-seekers-in-credential-traps","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5501","title":{"rendered":"Google \u2018Careers\u2019 scam lands job seekers in credential traps"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Scammers have begun impersonating outreach from Google\u2019s \u201cCareers\u201d division to trick targets into giving away their credentials.<\/p>\n<p>According to a Sublime Security finding, the attackers are sending messages that appear to come from Google\u2019s recruiting team \u2014 asking \u201cAre you open to talk?\u201d \u2014 and take victims through a fake booking process that lands them on a spoofed login page.<\/p>\n<p>The scam is exploiting job seekers\u2019 attention and is using clever evasions to slip past email defenses, relying on human error more than technical breach, Sublime researchers noted in a blog post. The attack\u2019s endgame is to harvest Google account credentials and gain full access to the victim\u2019s emails, files, and cloud data.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Clever disguises and dynamic evasion<\/h2>\n<p>Sublime\u2019s analysis revealed the attack begins with a message impersonating Google Careers, sent in multiple languages (English, Spanish, Swedish, among others), and from varied sender addresses that mimic recruiting services. 
The trick continues with a \u201cBook a Call\u201d link that opens a landing page styled like Google\u2019s scheduler, which in turn leads to a standard fake Google login.<\/p>\n<p>The attackers used newly registered domains (apply.gcareersapplyway[.]com) and employed HTML tricks like breaking up the text \u201cGoogle Careers\u201d across multiple elements to evade scanners.<\/p>\n<p>\u201cWe observed an interesting evasion tactic in (these) attacks,\u201d Sublime researchers <a href=\"https:\/\/sublime.security\/blog\/google-careers-impersonation-credential-phishing-scam-with-endless-variation\" target=\"_blank\" rel=\"noopener\">said<\/a>. \u201cThe attackers broke up the words \u2018Google Careers\u2019 with HTML formatting to evade text scanners. In one case, they put every letter of \u2018Google\u2019 into its own &lt;label&gt; element, effectively breaking up the word into six labels, not one word.\u201d<\/p>\n<p>Within the detected set of senders, Sublime observed multiple cases of \u201cservice abuse or compromise\u201d for message delivery. Abused services included Salesforce, Recruitee, Adecco, Muckrack, etc. Attackers also incorporated a spoofed human verification step: after the \u201cBook a Call\u201d link, the victim is presented with a real or <a href=\"https:\/\/www.csoonline.com\/article\/4003056\/new-phishing-campaign-hijacks-clipboard-via-fake-captcha-for-malware-delivery.html\">impersonated Cloudflare Turnstile<\/a> page before being redirected to the fake scheduler and ultimately to the credential-capture form.<\/p>\n<h2 class=\"wp-block-heading\">What organizations must do<\/h2>\n<p>Sublime observed a sophisticated backend infrastructure supporting the phishing operation. 
Rather than just relying on a static fake login page, the attackers used newly registered domains (like gappywave[.]com, gcareerspeople[.]com) and what appeared to be command-and-control (C2) servers such as satoshicommands[.]com to process stolen credentials.<\/p>\n<p>Additionally, the HTML and JavaScript of the fake pages included interactions with a \u201cgw.php\u201d file that handles backend communication, indicating a more dynamic phishing kit rather than a simple static clone page.<\/p>\n<p>Sublime published a list of indicators of compromise (IOCs), including WebSocket servers and a long list of landing-page domains. The cybersecurity company did not add any recommendations, but basic hygiene against the campaign could include enforcing strong multi-factor authentication (MFA), deploying identity-first defense strategies, monitoring for unusual login patterns and geographies, and training employees to treat unsolicited recruiter invitations with skepticism. While the threat actor(s) behind this campaign remain unidentified, similar attacks have been reported <a href=\"https:\/\/www.csoonline.com\/article\/4066662\/that-ciso-job-offer-could-be-a-pig-butchering-scam.html\">recently<\/a>, with one operation (<a href=\"https:\/\/www.csoonline.com\/article\/4009603\/north-koreas-bluenoroff-uses-ai-deepfakes-to-push-mac-malware-in-fake-zoom-calls.html\">Contagious Interviews<\/a>) even attributed to a North Korean APT.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Scammers have begun impersonating outreach from Google\u2019s \u201cCareers\u201d division to trick targets into giving away their credentials. 
According to a Sublime Security finding, the attackers are sending messages that appear to come from Google\u2019s recruiting team \u2014 asking \u201cAre you open to talk?\u201d \u2014 and take victims through a fake booking process that lands them [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5502,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5501","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5501"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5501"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5501\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5502"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}