That dream job offer from Coca-Cola or Ferrari? It’s a trap for your passwords

Keypoints

• Attackers impersonated major employers (Coca-Cola and Ferrari) using convincing scheduling and careers pages to lure job seekers.
• The Coca-Cola campaign used a fake in-page Chrome pop-up displaying a Google sign-in URL graphic to collect Google Workspace credentials.
• The Coca-Cola kit relays credentials to an attacker-controlled backend and polls that server every few seconds to dynamically serve MFA prompts, enabling real-time MFA bypass and account takeover.
• The kit explicitly blocks @gmail.com addresses, targeting corporate Google Workspace accounts for greater access and impact.
• The Ferrari campaign used a fake careers portal with an “Continue with Facebook” option to harvest Facebook credentials via an OAuth-style phishing flow.
• Job-market pressures and rising unemployment have increased the pool of vulnerable victims, and losses from employment scams have surged in recent years.
• Key defensive advice: be suspicious of unsolicited interview links, verify URLs and pop-up behavior, never enter passwords on scheduling pages, and immediately change credentials and revoke sessions if compromised.