{"id":7333,"date":"2025-10-01T10:03:39","date_gmt":"2025-10-01T10:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/01\/hackers-posing-as-google-careers-recruiter-to-steal-gmail-login-details\/"},"modified":"2025-10-01T10:03:39","modified_gmt":"2025-10-01T10:03:39","slug":"hackers-posing-as-google-careers-recruiter-to-steal-gmail-login-details","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/01\/hackers-posing-as-google-careers-recruiter-to-steal-gmail-login-details\/","title":{"rendered":"Hackers Posing as Google Careers Recruiter to Steal Gmail Login Details"},"content":{"rendered":"<div>\n<p>A sophisticated phishing campaign has emerged targeting job seekers through fake Google career recruitment opportunities, leveraging social engineering tactics to harvest Gmail credentials and personal information.<\/p>\n<p>The malicious operation exploits the trust associated with Google\u2019s brand reputation, crafting convincing recruitment emails that direct victims to fraudulent login portals designed to capture authentication details.<\/p>\n<p>The attack vector primarily relies on email-based <a href=\"https:\/\/cybersecuritynews.com\/social-engineering-tactics\/\" target=\"_blank\" rel=\"noreferrer noopener\">social engineering<\/a>, where cybercriminals impersonate Google HR representatives offering lucrative career opportunities.<\/p>\n<p>These deceptive messages contain carefully crafted job descriptions and application processes that appear legitimate, complete with official-looking branding and professional communication styles that mirror genuine Google recruitment correspondence.<\/p>\n<p>Cyber researcher g0njxa <a href=\"https:\/\/x.com\/g0njxa\/status\/1973076165846839511\" target=\"_blank\" rel=\"noreferrer noopener 
nofollow\">identified<\/a> this campaign while investigating broader patterns of credential theft operations targeting major technology companies.<\/p>\n<figure class=\"wp-block-embed aligncenter is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">The abuse of EV certs is not only a Windows issue; although it is less usual, it is also present in macOS malware<\/p>\n<p>I identified new signed DMG, completely FUD on VT, from the same source as the quoted one that I identified before, with a new Developer ID &#8220;THOMAS BOULAY DUVAL&#8221;\u2026 <a href=\"https:\/\/t.co\/mRkXDoxBCN\">https:\/\/t.co\/mRkXDoxBCN<\/a> <a href=\"https:\/\/t.co\/51kDGwe4W8\">pic.twitter.com\/51kDGwe4W8<\/a><\/p>\n<p>\u2014 Who said what? (@g0njxa) <a href=\"https:\/\/twitter.com\/g0njxa\/status\/1973076165846839511?ref_src=twsrc%5Etfw\">September 30, 2025<\/a>\n<\/p><\/blockquote>\n<\/div>\n<\/div>\n<\/figure>\n<p>The researcher\u2019s analysis revealed that the threat actors employ multiple attack variations, adapting their techniques to evade detection while maintaining high success rates against unsuspecting victims.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-certificate-abuse-and-evasion-techniques\"><strong>Certificate Abuse and Evasion Techniques<\/strong><\/h2>\n<p>The malware <a href=\"https:\/\/cybersecuritynews.com\/new-russian-disinformation-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\">campaign<\/a> demonstrates sophisticated evasion capabilities through the abuse of Extended Validation certificates across multiple platforms.<\/p>\n<p>Threat actors have obtained legitimate Apple Developer ID certificates under names such as \u201cTHOMAS BOULAY DUVAL\u201d and \u201cAlina Balaban,\u201d 
enabling their malicious applications to bypass initial security screening mechanisms.<\/p>\n<p>The signed DMG files are completely undetected on VirusTotal, with no security vendor flagging them.<\/p>\n<p>Analysis of the malicious launchers reveals deliberate attempts to legitimize applications by incorporating signer names into identifier strings, following patterns like \u201cthomas.parfums\u201d corresponding to \u201cThomas Boulay Duval.\u201d<\/p>\n<p>The Mach-O binaries contain embedded references that connect to remote AppleScript payloads, utilizing the Odyssey Stealer framework for <a href=\"https:\/\/cybersecuritynews.com\/hackers-harvesting-office-365-credentials\/\" target=\"_blank\" rel=\"noreferrer noopener\">credential harvesting<\/a> operations.<\/p>\n<p>The campaign\u2019s infrastructure includes compromised domains such as franceparfumes[.]org hosting malicious scripts, with command and control servers operating from IP address 185.93.89.62.<\/p>\n<p>These certificates represent significant financial investments for cybercriminals, as Apple\u2019s developer certification process involves substantial time and monetary costs, so their eventual revocation has a real impact on ongoing malware operations.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-posing-as-google-careers-recruiter\/\">Hackers Posing as Google Careers Recruiter to Steal Gmail Login Details<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Posing as Google Careers Recruiter to Steal Gmail Login Details A sophisticated phishing campaign has emerged targeting job seekers through fake Google career recruitment opportunities, leveraging social engineering tactics to harvest Gmail credentials and personal information. 
The malicious operation exploits the trust associated with Google\u2019s brand reputation, crafting convincing recruitment emails that direct victims [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-7333","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7333"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7333"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7333\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=7333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}