A phishing campaign is impersonating more than 30 well-known brands, including Adobe, Netflix, Coca-Cola, and OpenAI, in fake job interviews to steal Google account credentials from marketing professionals.
The operation is abusing the legitimate cloud-based PeopleForce human resources platform and a domain associated with the Salesforce Marketing Cloud service before redirecting the recipient to a malicious landing page.
To further instill trust and increase the chances of success, the threat actor is using the names and pictures of real recruiters at impersonated companies.
Will Thomas, senior advisor at cybersecurity intelligence and threat hunting company Team Cymru, analyzed the campaign and discovered that the phishing email pretends to be from “a recruiter looking to hire people for marketing roles.”
The researcher uncovered that the threat actor is using at least 34 domains impersonating high-value companies in the following sectors:
Airlines and travel: American Airlines, Booking.com, Delta Air Lines, United Airlines
Food and beverage: Coca-Cola, PepsiCo, Red Bull
Apparel and luxury goods: Adidas, Louis Vuitton, Sephora, Levis
Hospitality and marketing: Marriott, Omnicom Group
Entertainment and sports: FIFA, Netflix
Thomas found that the campaign relies on nested redirects, a technique that routes visitors through multiple legitimate services before reaching the malicious landing page.
The researcher noted that while the phishing emails appear to originate from PeopleForce, the underlying links resolve to the exct[.]net domain, which is operated by Salesforce following its acquisition of the ExactTarget marketing automation platform, now rebranded as Salesforce Marketing Cloud.
ExactTarget redirects to the Wise Agent (wiseagent[.]com) cloud-based real estate Customer Relationship Management (CRM) software for agents, teams, and brokers, which forwards to the phishing landing page.
BleepingComputer has found that the operation has been running for at least five months and initially used Outlook email addresses with the name of the impersonated company.
One phishing email, posing as a message from Adidas recruiter Paulina Manzo, asked the recipient to schedule a conversation about a potential role at the company.
Phishing email trying to steal Gmail password source: Sergiu George
When clicking on the link to the calendar, the recipient was redirected to the threat actor’s landing page adidas-hiring[.]com
To continue the process for scheduling a meeting with the recruiter, the potential victim is asked to sign into their Google account.
Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now
<small>Source: Bleeping Computer</small>