Hackers Posing as Google Careers Recruiter to Steal Gmail Login Details


An emerging phishing campaign is targeting job seekers by masquerading as Google Careers recruiters, delivering seemingly legitimate emails that lead victims to malicious sites designed to harvest Gmail credentials.

Security researchers have uncovered a sophisticated multi-stage attack that leverages Salesforce infrastructure, Cloudflare protection and WebSocket command-and-control to manipulate victims into surrendering sensitive information.

The phishing emails originate from a spoofed Salesforce subdomain and use subject lines promising exclusive Google Career opportunities.

The body contains a “View the role” button whose link points at Salesforce-hosted infrastructure (13.110.204.9, Salesforce ASN) and redirects recipients to a fake Google Careers application portal at apply[.]grecruitingwise[.]com (104.21.47.163, Cloudflare ASN).

Although the site sits behind a Cloudflare captcha, it is a front to capture personal data and login credentials.

Upon clicking, users first encounter a generic landing page requesting personal details, including full name, phone number, and residential address.

The form submits data via HTTP POST to satoshicommands[.]com, a domain linked to the attacker’s backend infrastructure. Victims are then redirected to a secondary page posing as a Google sign-in form, where they must enter their Gmail address and password.

Behind the scenes, the fraudulent portal loads a main.js script (examined here in defanged form) that establishes a persistent WebSocket connection to hxxps://satoshicommands.com/ and polls the server every two seconds via AJAX calls to /gw.php.

The server issues commands—such as “EMAIL,” “AUTH,” or “SUCCESS”—to guide victims through successive stages: OTP submission, phone verification, or multi-factor authentication prompts.

Once credentials are submitted, users see a final “Processing your request” page before being silently redirected away, leaving them unaware of the compromise.
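The fixed two-second polling of /gw.php described above is a beaconing pattern that a defender can spot in web-proxy logs without knowing the domain in advance. The following script is an added example, not code from the article or from the researchers; it assumes a simplified proxy log line format of "timestamp client method url" and uses constructed sample lines. It groups requests by client, host and path and flags any series whose inter-request gaps are near-constant:

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the article). Format assumed:
# "<ISO-8601 timestamp> <client IP> <method> <URL>"
SAMPLE_PROXY_LOG = """\
2024-06-01T10:00:00 10.0.0.5 GET https://example-news.test/index.html
2024-06-01T10:00:01 10.0.0.7 POST https://satoshicommands.com/gw.php
2024-06-01T10:00:03 10.0.0.7 POST https://satoshicommands.com/gw.php
2024-06-01T10:00:05 10.0.0.7 POST https://satoshicommands.com/gw.php
2024-06-01T10:00:07 10.0.0.7 POST https://satoshicommands.com/gw.php
2024-06-01T10:00:09 10.0.0.7 POST https://satoshicommands.com/gw.php
2024-06-01T10:00:04 10.0.0.5 GET https://example-news.test/story/1
2024-06-01T10:00:40 10.0.0.5 GET https://example-news.test/story/2
2024-06-01T10:03:00 10.0.0.5 GET https://example-news.test/index.html
2024-06-01T10:00:00 10.0.0.9 GET https://cdn.example.test/app.js
2024-06-01T10:00:01 10.0.0.9 GET https://cdn.example.test/app.js
2024-06-01T10:00:30 10.0.0.9 GET https://cdn.example.test/app.js
2024-06-01T10:02:00 10.0.0.9 GET https://cdn.example.test/app.js
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, method, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split(maxsplit=3)
        parts = urlsplit(url)
        events.append((datetime.fromisoformat(ts), client, method, parts.hostname, parts.path))
    return events


def find_beacons(events, min_requests=4, max_jitter=0.5):
    """Flag (client, host, path) series with at least min_requests hits whose
    gap standard deviation is at most max_jitter times the mean gap.
    A human browsing produces irregular gaps; a polling script does not."""
    series = defaultdict(list)
    for ts, client, _method, host, path in events:
        series[(client, host, path)].append(ts)

    hits = []
    for (client, host, path), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({
                "client": client,
                "host": host,
                "path": path,
                "count": len(stamps),
                "interval": round(avg, 1),
            })
    return sorted(hits, key=lambda h: (h["client"], h["host"], h["path"]))


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(f"{hit['client']} -> {hit['host']}{hit['path']}: "
              f"{hit['count']} requests every ~{hit['interval']}s")
```

The irregular series from 10.0.0.9 passes the jitter test and is ignored, while the steady two-second series to /gw.php is reported; tune `min_requests` and `max_jitter` to the noise level of your own proxy data, and treat a hit as a lead for triage rather than proof of compromise on its own.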

OSINT investigations reveal similar campaign instances dating back months, with victims reporting identical emails on r/programmatic Reddit threads and URLScan.io analyses confirming the same infringing domains. Additional malicious hosts discovered include:

  • apply[.]grecruitdigital[.]com
  • apply[.]grecruitbridge[.]com
  • apply[.]gtalentmatcher[.]com
  • apply[.]gstafftalent[.]com
  • apply[.]grecruitpro[.]com
  • gcandidatespath[.]com
  • gteamhirehub[.]com
  • gteamlineup[.]com
  • grecruitinglink[.]com
  • getintouchwithcareers[.]com

Variants deployed under Vercel app subdomains—such as puma-remotejobcenter[.]vercel[.]app, hire[.]gtalenttrack[.]com, and moburst-check[.]vercel[.]app—indicate the attackers are dynamically generating phishing sites to evade takedowns.

Organizations and individuals should remain vigilant when responding to unsolicited recruiter emails. Verification steps include:

  1. Inspect sender domains carefully and confirm official recruiting URLs on company career pages.
  2. Hover over links without clicking to validate the destination hostname.
  3. Never enter credentials on sites behind captchas that you did not explicitly request.
  4. Enable two-factor authentication on Gmail and monitor for unexpected login attempts.

Network defenders can block known malicious domains at the DNS level and deploy email-gateway solutions to flag Salesforce subdomain spoofing.

Regular threat-intelligence sharing and indicator-blocking rules—covering the domains and IPs outlined—will help mitigate this evolving threat.
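To turn the domain indicators listed above into something a resolver or log-review job can use, the following added example (not code from the article) refangs the published names, matches hostnames against them label by label so that subdomains hit but look-alike substrings do not, and renders the set as DNS Response Policy Zone records. The sample URLs are constructed for illustration:

```python
from urllib.parse import urlsplit

# Domain indicators exactly as published in the article, in defanged form.
DEFANGED_DOMAINS = [
    "apply[.]grecruitingwise[.]com",
    "satoshicommands[.]com",
    "apply[.]grecruitdigital[.]com",
    "apply[.]grecruitbridge[.]com",
    "apply[.]gtalentmatcher[.]com",
    "apply[.]gstafftalent[.]com",
    "apply[.]grecruitpro[.]com",
    "gcandidatespath[.]com",
    "gteamhirehub[.]com",
    "gteamlineup[.]com",
    "grecruitinglink[.]com",
    "getintouchwithcareers[.]com",
    "puma-remotejobcenter[.]vercel[.]app",
    "hire[.]gtalenttrack[.]com",
    "moburst-check[.]vercel[.]app",
]


def refang(indicator):
    """Turn a defanged indicator ("[.]", "hxxp") back into a real hostname or URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def build_blocklist(defanged):
    return {refang(d) for d in defanged}


def hostname_blocked(hostname, blocklist):
    """True if hostname equals a blocked name or is a subdomain of one.
    Matching is per DNS label, so 'notgteamhirehub.com' does not match
    'gteamhirehub.com' the way a naive substring check would."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def rpz_records(blocklist):
    """Render the blocklist as RPZ records: 'CNAME .' sinkholes the name
    (NXDOMAIN) and the wildcard entry covers its subdomains."""
    lines = []
    for name in sorted(blocklist):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return lines


def scan_urls(urls, blocklist):
    """Return the URLs (for example, links extracted from mail or proxy logs)
    whose host hits the blocklist."""
    hits = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and hostname_blocked(host, blocklist):
            hits.append(url)
    return hits


# Constructed sample URLs, not taken from the article.
SAMPLE_URLS = [
    "https://careers.google.com/jobs/results/",
    "https://apply.grecruitingwise.com/start?ref=mail",
    "https://cdn.apply.grecruitingwise.com/main.js",
    "https://notgteamhirehub.com/",
    "https://gteamhirehub.com.evil-lookalike.test/",
    "https://satoshicommands.com/gw.php",
]

if __name__ == "__main__":
    blocklist = build_blocklist(DEFANGED_DOMAINS)
    print("\n".join(rpz_records(blocklist)))
    print("matches:", scan_urls(SAMPLE_URLS, blocklist))
```

Two caveats when operationalising this list. The two IP addresses in the article belong, by its own ASN attribution, to shared Salesforce and Cloudflare ranges, so blocking them would affect unrelated tenants; use the domains for blocking and keep the IPs as pivot points for enrichment. Likewise the vercel[.]app hosts should be blocked only at the listed subdomain, never at the shared vercel.app apex.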

As phishing tactics grow more convincing by exploiting trusted brands and robust infrastructure, cybersecurity teams must maintain layered defenses and user awareness training to stop credential-harvesting attacks at the first click.





About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.