Attack spotlight

Google Careers impersonation credential phishing scam with endless variation

October 14, 2025


Credentials phishing with fake Google Careers messages showing a wide range of variations

Authors
Brandon Murphy
Detection

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Google Workspace, Microsoft 365

ATTACK TYPE: Credential Phishing

Recently, we’ve been detecting variations of a scam that uses a Google Careers impersonation to phish credentials. The scam is simple. An adversary sends an “are you open to talk?” message impersonating an outreach email from Google Careers. If the target clicks the link, they’re taken to a landing page designed to look like a Google Careers meeting scheduler. From there, they’re taken to the phishing page.

What makes this attack particularly interesting is that it is in active development. We have observed threat actors refining and adjusting their tactics and techniques over time, evolving to evade detection. In this post, we’ll take a look at the attack and its variants.

The message

This attack begins with a message impersonating a Google Careers outreach about a job opening:

Language variation

Most noticeably, the attack was sent across multiple languages. The majority were English, but there were also Spanish, Swedish, and many other variants:

Swedish variant
Spanish variant

Sender variation

The message comes from an impersonated talent recruiter or recruiting department. Here are some examples:

  • GG Careers <hire@googleadjobhub[.]com>
  • GG Careers <workforce@ggcareerslookup[.]com>
  • G/ Employment <gemployment@jobnimbusmail[.]com>
  • Gonçalo Santos - Talent Partner <goncalo.santos@feedzai[.]com>

Within that set of senders, we also saw multiple cases of service abuse or compromise for message delivery. Abused services included Salesforce, Recruitee, Adecco, Muck Rack, and more.

Payload link variation

The Book a Call button leads to a URL with a hiring-themed subdomain and a Google Careers-themed root domain, although the link domain did not always match the sender’s domain. Here are examples of some of the malicious links:

  • apply.gcareersapplyway[.]com
  • hire.gteamshiftline[.]com
  • hire.gteamjobpath[.]com
  • hire.gteamcareers[.]com
  • recruit.gcareerspeople[.]com
  • recruit.gcareerscrewfind[.]com
  • recruit.gcareerscandidatelink[.]com
  • schedule.ggcareerslaunch[.]com

We observed that the domains were all recently registered, and mostly through NiceNIC. Some were also registered through Porkbun.

HTML word padding evasions

We observed an interesting evasion tactic in later attacks. In these cases, the attackers broke up the words “Google Careers” with HTML formatting to evade text scanners.

In one case, they put every letter of “Google” into its own <label> element, effectively breaking up the word into six labels, not one word:

In another, the attacker did similar formatting using <p> elements:

Two analyses prevent this evasion from being effective against Sublime:

  • Sublime strips out the HTML wrappers during text analysis. The above examples render as GoogleCareers and G o o g l e Career, respectively.
  • Sublime takes a screenshot of messages and applies Optical Character Recognition (OCR), seeing what the end user sees (and ignoring hidden characters).
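The first of those two analyses can be sketched as follows. This is an added example, not Sublime's code: the tag list, function names and sample HTML are assumptions constructed from the two variants described above. It strips the wrappers, then matches the brand with all whitespace squeezed out so that per-letter `<label>` and `<p>` padding no longer hides it.

```python
import re
from html.parser import HTMLParser

# Zero-width and soft-hyphen characters that can split a word invisibly.
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"))
BLOCK_TAGS = {"p", "div", "br", "td", "tr", "li", "h1", "h2", "h3"}

class TextExtractor(HTMLParser):
    """Collects visible text; block-level tags become a space, inline tags vanish."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skip = 0  # depth inside <style>/<script>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip += 1
        elif tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1
        elif tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def stripped_text(html):
    """Text with HTML wrappers removed and whitespace collapsed."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    text = "".join(parser.parts).translate(INVISIBLE)
    return re.sub(r"\s+", " ", text).strip()

def mentions_brand(html, brand="Google Careers"):
    """True if the brand appears once all whitespace is squeezed out."""
    squeezed = re.sub(r"\s+", "", stripped_text(html)).casefold()
    return re.sub(r"\s+", "", brand).casefold() in squeezed

# Constructed samples modelled on the two variants described above.
LABEL_VARIANT = "".join(f"<label>{c}</label>" for c in "Google") + "<label>Careers</label>"
P_VARIANT = "".join(f"<p>{c}</p>" for c in "Google") + "<p>Careers</p>"
```

Squeezed matching can also join letters across unrelated words, so treat a hit as one signal to combine with others rather than a verdict.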

The payload workflow

In almost all cases, after clicking on the Book a Call button, the target is taken to either a real or impersonated Cloudflare Turnstile page:

Impersonated Cloudflare Turnstile

After confirming human status, they are then taken to a spoofed Google Careers meeting scheduling page. Here, their name, email, and phone number are all phished.

Fake Google Careers meeting scheduler

After clicking Save & continue, they are taken to the password phishing phase of the attack. It is a standard fake login page as seen in most Google credential phishing attacks:

Fake Google login page

Indicators of C2 infrastructure

Modern credential phishing attacks typically use Adversary in the Middle (AITM) infrastructure to automate the validation and theft of credentials. In the case of this attack, though, it appears to be using a C2 server.

We saw a few variants of C2 implementations. Below is one we saw that used satoshicommands[.]com and shows indications of iteration. We’ve included comments to explain the code inline as necessary.

The C2 connection starts when the user visits the “Schedule a Meeting” page. The HTML includes the snippet below, which sets up the variables used by the C2 server:

The following JS code was the response body for https://apply.gcareerhub[.]com/assets/js/main.js?v=24. Here are the relevant components of the .js file:

This back and forth between the browser and gw.php is indicative of backend processing by the threat actor while stepping the target through the phishing kit.

Personal address filtering

Another interesting artifact we noticed in some attacks was the filtering out of non-business emails. Below is a code snippet used to filter and the response from the form:

Business email validation

IOCs

Here is a non-exhaustive list of Indicators of Compromise (IOCs) from a selection of attacks.

Websocket servers

satoshicommands[.]com
ggcommands[.]com

Landing page domains


Detection signals

Sublime's AI-powered detection engine prevented these attacks. As there were variations over time, here are some of the top signals shared across attacks:

  • Brand impersonation: These messages impersonated Google Careers, but were delivered on non-Google Careers infrastructure.
  • Domain deception: Links to a domain that mimics Google branding but is not a Google domain (e.g., gteamcareers[.]com).
  • Newly registered domain: The sender and/or links within the message use domains that were registered within the past 30 days.
  • Suspicious sender domain: Misalignment between claimed sender identity (Google Careers) and actual sender domain (varied).
  • Response urgency: Job offers came with vague details, but required immediate action (scheduling a call).
  • Deceptive recruitment outreach: Follows typical job scam patterns with flattering language and limited specifics.
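Three of these signals (suspicious sender domain, domain deception, newly registered domain) can be approximated with simple heuristics. The following is an added example, not Sublime's detection logic: the token list is derived from the domains quoted in this post, the allowlist is a stand-in assumption, and the registration date is a constructed input that would normally come from WHOIS/RDAP data.

```python
import re
from datetime import date

# Hiring-themed tokens seen in the sender and link domains quoted in this post.
HIRING = ("career", "recruit", "hire", "hiring", "job", "staff", "talent",
          "team", "apply", "applicant", "candidate", "schedule", "employ", "work")
# Assumption: a one-entry allowlist standing in for the real set of Google domains.
GOOGLE_DOMAINS = {"google.com"}
# "g", "gg" or "google" immediately followed by a hiring token, e.g. gteamcareers.
LOOKALIKE = re.compile(r"^(?:google|gg?)(?:%s)" % "|".join(HIRING))
CLAIMS_GOOGLE = re.compile(r"\b(google|gg?)\b.*\b(careers?|employment)\b", re.I)


def registrable(host):
    """Naive registrable domain (last two labels); also refangs '[.]'.
    Use a Public Suffix List library for real traffic."""
    labels = host.lower().replace("[.]", ".").strip(".").split(".")
    return ".".join(labels[-2:])


def signals(display_name, sender_addr, link_host, registered_on, today):
    """Return which of the three signals fire for one message."""
    fired = []
    sender_dom = registrable(sender_addr.rsplit("@", 1)[-1])
    link_dom = registrable(link_host)
    if CLAIMS_GOOGLE.search(display_name) and sender_dom not in GOOGLE_DOMAINS:
        fired.append("suspicious_sender_domain")
    if link_dom not in GOOGLE_DOMAINS and LOOKALIKE.match(link_dom):
        fired.append("domain_deception")
    if (today - registered_on).days <= 30:  # 30-day window from the list above
        fired.append("newly_registered_domain")
    return fired
```

The prefix-plus-token pattern is deliberately loose and will match some legitimate domains, which is why it is scored alongside sender alignment and domain age rather than used alone.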

ASA, Sublime’s Autonomous Security Analyst, flagged these emails as malicious. Here is ASA’s analysis summary for one of the messages:

See through impersonations

Adversaries will impersonate trusted sites and services to improve their chances of success. That’s why the most effective email security platforms are adaptive, using AI and machine learning to shine a spotlight on seemingly minor discrepancies.

If you enjoyed this Attack Spotlight, be sure to check our blog every week for new blogs, subscribe to our RSS feed, or sign up for our monthly newsletter. Our newsletter covers the latest blogs, detections, product updates, and more.


About the authors

Brandon Murphy

Brandon is a Threat Detection Engineer at Sublime. He is a seasoned cybersecurity professional with over a decade of experience protecting internet users. Prior to Sublime, Brandon put his detection engineering expertise to use as a Sr. Staff Threat Analyst at Proofpoint.
