The phishing marketing campaign impersonated greater than 30 well-known manufacturers, together with Adobe, Netflix, Coca-Cola, and OpenAI, to steal Google Account credentials from advertising professionals in faux job interviews.
This operation exploits domains related to the official cloud-based PeopleForce HR platform and Salesforce Advertising and marketing Cloud companies earlier than redirecting recipients to a malicious touchdown web page.
To additional instill belief and improve the chance of success, risk actors use the title and picture of a real recruiter from the corporate they’re impersonating.
Will Thomas, a senior advisor at cybersecurity intelligence and risk looking agency Workforce Cymru, analyzed the marketing campaign and located that the phishing emails presupposed to be from “recruiters trying to rent individuals for advertising roles.”
Researchers revealed that attackers have been utilizing not less than 34 domains impersonating high-value corporations within the following sectors:
- Airways and Journey: American Airways, Reserving.com, Delta Air Strains, United Airways
- Food and drinks: Coca-Cola, PepsiCo, Purple Bull
- Attire and luxurious items: Adidas, Louis Vuitton, Sephora, Levi’s
- Staffing, Consulting, Know-how: Adobe, Aquent, ManpowerGroup, McKinsey & Firm, OpenAI
- Hospitality and Advertising and marketing: Marriott, Omnicom Group
- Leisure and Sports activities: FIFA, Netflix
Thomas found that this marketing campaign relied on nested redirects. This can be a approach that routes guests by means of a number of official companies earlier than reaching a malicious touchdown web page.
Researchers say the phishing e-mail seems to originate from PeopleForce, however the underlying hyperlink is exct(.)web This area is operated by Salesforce after Salesforce acquired the ExactTarget advertising automation platform and is now rebranded as Salesforce Advertising and marketing Cloud.
ExactTarget is Sensible Agent (Sensible Agent(.)com) Cloud-based actual property buyer relationship administration (CRM) software program for brokers, groups, and brokers. You can be redirected to a phishing touchdown web page.
In keeping with BleepingComputer’s investigation, the operation has been working for not less than 5 months and initially used Outlook e-mail addresses with spoofed firm names.
One phishing e-mail presupposed to be from Paulina Manzo, an Adidas recruiter, asking recipients to schedule a dialog a few potential function with the corporate.

Supply: Serge George
After clicking on the hyperlink to the calendar, the recipient was redirected to the risk actor’s touchdown web page. adidas recruitment(.)com
Potential victims are requested to check in to their Google account to proceed the method of scheduling an interview with a recruiter.

Supply: BleepingComputer
If you click on the (Proceed with Google) button, a faux Google sign-in popup seems inside a phishing web page to spoof your Google authentication.
Though the pop-up seems like a official browser window, it’s HTML and CSS code rendered inside the phishing web page, a method generally known as browser-in-a-browser (BitB).
Trendy net growth instruments permit an attacker to imitate each ingredient of a official authentication popup web page.

Supply: BleepingComputer
It’s unclear how the attacker gained entry to the official platform, however exploiting the platform doesn’t imply the service is compromised.
One doable avenue is to create a real account devoted to the marketing campaign or use a compromised login that enables for the configuration of redirect chains and touchdown pages.
A listing of domains found on this phishing marketing campaign is on the market in Will Thomas’ evaluation on GitHub.
Safety groups doc 54% of profitable assaults and challenge a warning on solely 14%. The remaining strikes invisibly by means of the setting.
Picus’ whitepaper reveals how one can check your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
