Threat Actors Pose as HR Departments to Steal Your Gmail Login Credentials


A sophisticated phishing campaign has emerged targeting job seekers through legitimate Zoom document-sharing features, demonstrating how cybercriminals exploit trusted platforms to harvest Gmail credentials.

The attack leverages social engineering tactics by impersonating HR departments and using authentic Zoom notifications to bypass user suspicion and traditional security measures.

The campaign begins with victims receiving legitimate-looking emails from “HR Departments via Zoom Docs” with subjects like “HR Departments invited you to view ‘VIEW DOCUMENTS’”.

These messages pass standard email authentication protocols including SPF, DKIM, and DMARC verification, making them appear completely legitimate to both users and security systems.

The attackers strategically target individuals actively job hunting, capitalizing on their eagerness to respond to potential employment opportunities.

Upon clicking the Zoom document link, victims are redirected through a carefully orchestrated chain of malicious websites.


The initial redirect leads to overflow.qyrix.com.de, where attackers have implemented a fake “bot protection” gate designed to serve dual purposes: blocking automated security analysis tools and creating an illusion of legitimacy for unsuspecting users.

Himanshu Anand, a Cyber Security Researcher, identified this campaign while analyzing suspicious emails in his inbox during a job search.

His detailed investigation revealed the sophisticated nature of the attack infrastructure and the real-time credential exfiltration mechanisms employed by the threat actors.

After users complete the fraudulent CAPTCHA verification, they are redirected to a convincing Gmail phishing page hosted on the same malicious domain.

The fake login interface closely mimics Google’s authentic sign-in portal, complete with proper branding, layout, and interactive elements that would fool even security-conscious users under normal circumstances.

Real-Time Credential Exfiltration via WebSocket

The most concerning aspect of this campaign involves the attackers’ implementation of real-time credential harvesting through WebSocket connections.

The Gmail credential harvest page (Source – Himanshuanand.com)

Once victims enter their Gmail username and password on the phishing page, the stolen credentials are immediately transmitted to the attackers’ command and control server through an active WebSocket connection at overflow.qyrix.com.de/websocket/socket.io/.

This live exfiltration method provides several advantages to the cybercriminals. First, it enables immediate validation of stolen credentials against Google’s authentication systems, allowing attackers to quickly identify which accounts they can successfully compromise.

Second, the WebSocket protocol facilitates faster data transmission compared to traditional HTTP POST requests, reducing the window of opportunity for security systems to detect and block the malicious activity.

The technical implementation reveals sophisticated programming knowledge, with the phishing infrastructure configured to handle multiple concurrent sessions and maintain persistent connections with victim browsers.

Network analysis shows the WebSocket traffic contains authentication tokens and session cookies, suggesting the attackers are preparing for immediate account takeover attempts following credential theft.
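The redirect-then-WebSocket chain described above (a legitimate Zoom document link, a hop to overflow.qyrix.com.de, then an upgrade to /websocket/socket.io/ on that same host) can be hunted for in web proxy logs. The following is an added detection example, not code from the article or from the researcher cited; the log format, the Zoom hostnames and document paths, and the timings are constructed for the example, and only the phishing host and WebSocket path come from the article.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines (not a real capture). Space-separated fields:
# timestamp client method host path status referer upgrade-header
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 GET us02web.zoom.us /doc/abc 302 mail.google.com -
2024-01-01T10:00:01 10.0.0.5 GET overflow.qyrix.com.de /gate 200 us02web.zoom.us -
2024-01-01T10:00:09 10.0.0.5 GET overflow.qyrix.com.de /login 200 overflow.qyrix.com.de -
2024-01-01T10:00:10 10.0.0.5 GET overflow.qyrix.com.de /websocket/socket.io/ 101 overflow.qyrix.com.de websocket
2024-01-01T10:05:00 10.0.0.7 GET us02web.zoom.us /doc/xyz 302 mail.google.com -
2024-01-01T10:05:01 10.0.0.7 GET zoom.us /doc/xyz 200 us02web.zoom.us -
2024-01-01T10:05:02 10.0.0.7 GET zoom.us /ws/socket.io/ 101 zoom.us websocket
"""

# Assumed policy lists: document-sharing platforms whose links are trusted, and
# hosts where a WebSocket upgrade is expected (suffix match, e.g. *.zoom.us).
TRUSTED_REDIRECTORS = {"zoom.us"}
ALLOWED_HOSTS = {"zoom.us", "google.com"}


def _under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, referer, upgrade = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "client": client, "host": host,
                     "path": path, "status": int(status), "referer": referer, "upgrade": upgrade})
    return rows


def find_suspicious_chains(log_text, window=timedelta(seconds=60)):
    """Flag clients that land on an unknown host via a trusted document-sharing
    redirect and then open a WebSocket to that same host within the window."""
    by_client = {}
    for r in parse_log(log_text):
        by_client.setdefault(r["client"], []).append(r)
    findings = []
    for client, rows in by_client.items():
        for i, landing in enumerate(rows):
            if not _under(landing["referer"], TRUSTED_REDIRECTORS) or _under(landing["host"], ALLOWED_HOSTS):
                continue  # either not a trusted-platform hop, or the destination is expected
            for later in rows[i + 1:]:
                if later["ts"] - landing["ts"] > window:
                    break
                if later["host"] == landing["host"] and later["upgrade"] == "websocket" and later["status"] == 101:
                    findings.append({"client": client, "host": landing["host"], "ws_path": later["path"],
                                     "seconds": int((later["ts"] - landing["ts"]).total_seconds())})
                    break
    return findings
```

The second client in the sample stays on zoom.us, so only the hop to the article's phishing host is reported.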
