GBHackers

Fake Interview Phishing Campaign Impersonates Top Brands to Steal Gmail Credentials


A sophisticated interview-themed phishing campaign that impersonates major global brands to harvest Gmail credentials.

Attackers pose as recruiters offering marketing roles at well-known companies, leveraging personalized targeting and a layered redirection chain that uses legitimate platforms to mask malicious intent.

The result is a convincing lure that directs recipients to a Gmail credential prompt embedded in a fake meeting-booking flow.

The email invites the target to book an interview via a link; when clicked, the link initiates a series of redirects across trusted services before delivering the phishing landing page.

This nested-redirect technique complicates detection by both human recipients and automated filters because the initial hops occur on bona fide domains.

Investigators mapped the redirection chain and found the attack uses PeopleForce, a legitimate cloud-based HRM and applicant-tracking platform, as the origin for the emails.

The PeopleForce-sent link routes through Salesforce Marketing Cloud/ExactTarget (exct[.]net), then to Wise Agent (wiseagent[.]com), and finally resolves on a Netlify-hosted phishing site masquerading as a corporate careers portal (for example, mckinsey-careers[.]com).

The final landing page employs a Browser-in-the-Browser (BitB) style pop-up that mimics the Gmail login prompt, a visual trick that traps users into entering credentials directly into the phisher’s interface rather than a genuine Google authentication flow.

Fake Interview Phishing Campaign

The campaign’s target list is broad and strategically chosen. Impersonated brands span airlines, hospitality, consumer goods, apparel, staffing and consulting, and entertainment.

GitHub Gist Researchers said that, the campaign begins with an email crafted to look like a recruiter outreach. Messages address recipients by name and reference their actual marketing experience, indicating prior reconnaissance likely from public profiles or data-leak aggregations.

Landing page (Source : GitHub Gist).

Observed spoofed domains include airline-themed sites such as aa-careers[.]com, jobs for Booking[.]com and multiple domains for Delta and United; beverage and F&B spoofing like cocacola-meetings[.]com and pepsico-jobs[.]com; apparel and luxury brands including adidas-hiring[.]com.

Hiring-louisvuitton[.]com; staffing, consulting, and tech imitations such as jobs-adobe[.]com, manpowergroupjobs[.]com, mckinsey-careers[.]com and careers-openai[.]com; plus hospitality and marketing for Marriott and Omnicom, and entertainment targets like jobsatnetflix[.]com and numerous FIFA-themed domains.

This scope suggests the attackers aim to capture credentials from professionals whose Gmail accounts unlock additional value access to corporate communications, calendar invites (useful for social engineering), cloud storage, and password-reset capability for other services.

The campaign’s use of realistic brand language and an interview context increases the likelihood that busy professionals will comply without deep verification.

Mitigation requires both technical controls and user vigilance. Organizations should enforce multi-factor authentication (MFA) for all corporate accounts, and where possible require FIDO2 or other phishing-resistant second factors.

Email security stacks should be tuned to inspect for unusual redirection patterns and to flag messages sent via third-party HR platforms when they contain external links.

Security teams can implement DMARC, DKIM and SPF checks and monitor for brand-impersonating domains registered with similar naming conventions.

End users must be trained to verify recruiter identities through official corporate career pages or LinkedIn recruiter profiles, check URLs carefully (including the full domain), and avoid providing credentials through meeting-booking forms; genuine schedulers rarely request passwords.

Security researchers and CERTs tracking this campaign recommend blocking the identified malicious domains, reviewing PeopleForce and ExactTarget usage for unauthorized activity, and sharing Indicators of Compromise (IoCs) with partner networks.

Organizations that detect potential credential exposure should assume compromise and conduct account forensic review, rotate passwords, and enforce MFA enrollment.

The campaign underscores the enduring effectiveness of well-executed social engineering combined with technical evasions reminding defenders that trust signals can be weaponized when attackers invest in realism.

IOCs

Domain
aa-careers.com
booking-careers.com
jobs-delta.com
delta-careers.com
unitedairlines-careers.com
cocacola-meetings.com
cocacola-hr.com
thecocacola-company.com
cocacola-careerhub.com
pepsico-jobs.com
redbull-hiring.com
adidas-hiring.com
hiring-louisvuitton.com
sephora-careers.com
jobs-adobe.com
aquent-careers.netlify.app
manpowergroupjobs.com
mckinsey-careers.com
marriott-globalcareers.com
marriott-hiring.com
marriott-opportunities.com
omnicom-hiring.com
omnicom-jobs.com
fifaworldcup-jobs.com
fifa-careerportal.com
fifa-careerhub.com
fifa-talenthub.com
jobs-fifa.com
fifahr-careers.com
jobsatnetflix.com
levis-careers.com
careers-openai.com

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.



Source link