Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Phishing poses as big-brand job interview to steal Google accounts

    July 6, 2026

    Vietnam arrests suspects behind HiAnime anime piracy service

    July 6, 2026

    Max severity Adobe ColdFusion flaw now exploited in attacks

    July 6, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»Phishing poses as big-brand job interview to steal Google accounts
    News

    Phishing poses as big-brand job interview to steal Google accounts

    adminBy adminJuly 6, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Phishing poses as big-brand job interview to steal Google accounts

    A phishing campaign is impersonating more than 30 well-known brands, including Adobe, Netflix, Coca-Cola, and OpenAI, in fake job interviews to steal Google account credentials from marketing professionals.

    The operation is abusing the legitimate cloud-based PeopleForce human resources platform and a domain associated with the Salesforce Marketing Cloud service before redirecting the recipient to a malicious landing page.

    To further instill trust and increase the chances of success, the threat actor is using the names and pictures of real recruiters at impersonated companies.

    image

    Will Thomas, senior advisor at cybersecurity intelligence and threat hunting company Team Cymru, analyzed the campaign and discovered that the phishing email pretends to be from “a recruiter looking to hire people for marketing roles.”

    The researcher uncovered that the threat actor is using at least 34 domains impersonating high-value companies in the following sectors:

    • Airlines and travel: American Airlines, Booking.com, Delta Air Lines, United Airlines
    • Food and beverage: Coca-Cola, PepsiCo, Red Bull
    • Apparel and luxury goods: Adidas, Louis Vuitton, Sephora, Levis
    • Staffing, consulting, and tech: Adobe, Aquent, ManpowerGroup, McKinsey & Company, OpenAI
    • Hospitality and marketing: Marriott, Omnicom Group
    • Entertainment and sports: FIFA, Netflix

    Thomas found that the campaign relies on nested redirects, a technique that routes visitors through multiple legitimate services before reaching the malicious landing page.

    The researcher noted that while the phishing emails appear to originate from PeopleForce, the underlying links resolve to the exct[.]net domain, which is operated by Salesforce following its acquisition of the ExactTarget marketing automation platform, now rebranded as Salesforce Marketing Cloud.

    ExactTarget redirects to the Wise Agent (wiseagent[.]com) cloud-based real estate Customer Relationship Management (CRM) software for agents, teams, and brokers, which forwards to the phishing landing page.

    BleepingComputer has found that the operation has been running for at least five months and initially used Outlook email addresses with the name of the impersonated company.

    One phishing email, posing as a message from Adidas recruiter Paulina Manzo, asked the recipient to schedule a conversation about a potential role at the company.

    Phishing email trying to steal Gmail password
    Phishing email trying to steal Gmail password
    source: Sergiu George

    When clicking on the link to the calendar, the recipient was redirected to the threat actor’s landing page adidas-hiring[.]com

    To continue the process for scheduling a meeting with the recruiter, the potential victim is asked to sign into their Google account.

    Fake meeting scheduling page impersonating Adidas
    Fake meeting scheduling page impersonating Adidas
    source: BleepingComputer

    Clicking on the “Continue with Google” button triggers a fake Google sign-in popup rendered inside the phishing page to impersonate Google authentication.

    Although the pop-up may appear as a legitimate browser window, it is just HTML and CSS code rendered inside the phishing page, a technique known as browser-in-the-browser (BitB).

    By using modern web development tools, the attacker can imitate all the elements of a legitimate authentication pop-up page.

    Fake Google authentication form
    Fake Google authentication form
    source: BleepingComputer

    While it is unclear how the threat actor gained access to the legitimate platforms, abusing them does not imply a compromise of the services.

    One possible avenue is creating a genuine account specifically for the campaign, or using compromised logins, which allows configuring the redirect chain and the landing page.

    A list of the domains discovered in this phishing campaign is available in Will Thomas’ analysis on GitHub.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleVietnam arrests suspects behind HiAnime anime piracy service
    admin
    • Website

    Related Posts

    News

    Vietnam arrests suspects behind HiAnime anime piracy service

    July 6, 2026
    News

    Max severity Adobe ColdFusion flaw now exploited in attacks

    July 6, 2026
    News

    Software Is Now Written at the Speed of Thought. Security Isn’t.

    July 6, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202633 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202633 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Our Picks

    Phishing poses as big-brand job interview to steal Google accounts

    July 6, 2026

    Vietnam arrests suspects behind HiAnime anime piracy service

    July 6, 2026

    Max severity Adobe ColdFusion flaw now exploited in attacks

    July 6, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.