Sophisticated Phishing Campaign Exploits Job Seekers with Fake Career Pages and Browser-in-Browser Technique
A widespread phishing campaign impersonates major brands, using fake recruiter emails and career pages hosted on legitimate services to steal Gmail credentials via a deceptive Browser-in-Browser attack.

A new, highly sophisticated phishing campaign is targeting job seekers by impersonating recruiters from numerous well-known brands. The attackers employ a multi-stage approach that leverages a chain of legitimate services to mask their final malicious destination: a fake career page designed to steal Gmail login credentials. This campaign is notable for its detailed social engineering tactics and its use of advanced techniques to bypass security measures.
The attack begins with a personalized phishing email, appearing to come from a legitimate recruiter offering a job opportunity. These emails address the recipient by name and reference their professional field, creating a sense of authenticity that encourages clicks. The initial email is sent through PeopleForce, a legitimate human resources and applicant tracking platform. From there, the malicious link is routed through Salesforce Marketing Cloud and Wise Agent, a real estate CRM tool, before reaching its final destination. This chain of trusted domains helps the phishing link evade spam filters and reassures the victim of its legitimacy.
The ultimate goal is to lure victims to a convincing fake career page, often hosted on Netlify, a popular web development platform. In one documented instance, the page mimicked the McKinsey and Company careers section. Crucially, the attackers employ a 'Browser-in-Browser' (BiB) technique. Instead of redirecting users to an actual login page, the fake career site presents a pop-up window that precisely replicates a browser window, complete with address bar and other UI elements. This makes it appear as though the user is interacting with a legitimate external login service.
When a job seeker enters their Gmail username and password into this deceptive pop-up, the credentials are sent directly to the attackers. The BiB technique is particularly effective because it can fool even security-conscious users by mimicking the visual cues of a genuine browser window. The campaign targets job seekers who may be more susceptible due to the excitement and urgency often associated with a job search.
The sheer scale of the impersonations is staggering, with researchers identifying fake career pages mimicking over 30 major brands across diverse industries. These include airlines like American Airlines, Delta, and United; travel platforms such as Booking.com; food and beverage giants including Coca-Cola, PepsiCo, and Red Bull; fashion and retail brands like Adidas, Louis Vuitton, Sephora, and Levis; and technology firms such as Adobe and OpenAI. The broad range of targeted companies suggests a wide-reaching operation aiming to maximize its victim pool.
This campaign highlights the evolving tactics of cybercriminals who are adept at blending legitimate services and sophisticated techniques to achieve their objectives. The use of multiple legitimate redirectors and the Browser-in-Browser attack demonstrate a high level of technical proficiency and planning. The impersonation of major brands further enhances the credibility of the phishing attempts.
To protect themselves, job seekers should exercise extreme caution with unsolicited recruiter emails, especially those that ask for login credentials during the application or interview process. Verifying job openings directly through a company's official website, rather than clicking links in emails, is a critical defense. Legitimate recruiters typically do not require a candidate's password to schedule an interview. Any request that combines a job offer with a login prompt should be treated as a significant red flag.
Staying vigilant for subtle inconsistencies, such as unusual domain names or unexpected login pop-ups, remains one of the most effective defenses against such advanced phishing schemes. The attackers' reliance on a chain of legitimate services underscores the difficulty in blocking these attacks at the network level, placing a greater emphasis on user education and awareness.