What organizations must do: Sublime observed a sophisticated backend infrastructure supporting the phishing operation. Rather than relying only on a static fake login page, the attackers used newly registered domains (like gappywave[.]com, gcareerspeople[.]com) and what appeared to be command-and-control (C2) servers such as satoshicommands[.]com to process stolen credentials.

Additionally, the HTML and JavaScript of the fake pages included interactions with a “gw.php” file that handles backend communication, indicating a more dynamic phishing kit rather than a simple static clone page.

Sublime published a list of indicators of compromise (IOCs), including WebSocket servers and a long list of landing-page domains. The cybersecurity company did not add any recommendations, but basic hygiene against the campaign could include enforcing strong multi-factor authentication (MFA), deploying identity-first defense strategies, monitoring for unusual login patterns and geographies, and training employees to treat unsolicited recruiter invitations with skepticism. While the threat actor(s) behind this campaign remain unidentified, similar attacks have been reported recently, with one operation (Contagious Interviews) even attributed to a North Korean APT.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4077041/google-careers-scam-lands-job-seekers-in-credential-traps.html

