Phishing Alert: LVMH, Disney, Uber, Mastercard used in fake Calendly recruitment scam


Attackers impersonating major brands such as LVMH, Unilever, Lego, and dozens more are using fake Calendly invites to steal Google Workspace and Facebook Business ad credentials, all as part of a recently discovered phishing campaign, researchers said on Tuesday.


The ongoing campaign was recently uncovered by Push Security and detailed in a research blog published on Tuesday.


Of the 75 brands used in the fake job offer phishing campaign, prominent names have included LVMH (Louis Vuitton Moët Hennessy), Lego, Mastercard, Uber, Unilever, Disney, Yamas Group, Mondo, and Artisan.

The threat intel team says the “sophisticated” scam, which some attackers have been running for nearly two years, specifically targets Google Workspace and Facebook Business users, with the ultimate goal of hijacking business ad accounts.

Image by Push Security: Google and Facebook credential-harvesting pages.

By getting inside the organization’s ad infrastructure, the hackers can launch ads pointing at malicious content, drain advertising budgets, and even resell the account access to other cybercriminals.

“The attackers are continuously iterating on their TTPs (tactics, techniques, and procedures), introducing new page styles with increased sophistication, and new detection evasion techniques to defeat security analysis tools,” the research blog states.

How it works

Max Gannon, Cyber Intelligence Team Manager at Cofense, points out that "With the use of AI, it is becoming increasingly easy for threat actors to generate advanced and convincing email campaigns and phishing pages.”

What’s more, threat actors are now selling these malicious AI phishing kits to other bad actors, who utilize them to “generate convincing phishing pages with increasingly well‑developed anti‑analysis techniques and evasion methods,” Gannon says.


The Calendly phish begins with victims receiving what appears to be a legitimate job-opportunity email from the HR department or recruiter of a well-known “brand” company, complete with a convincing “recruiter” name and realistic details.

Image by Push Security: fake LVMH (Louis Vuitton Moët Hennessy) recruiter page.

Once the victim replies, the scammer follows up with a link to schedule a call, sending what looks like a normal Calendly invite, Push Security says.

The malicious invite link actually leads to a fake Calendly page where the user must first complete a CAPTCHA (a gate that also keeps automated URL scanners from ever reaching the credential form) and is then prompted to click a “Continue with Google” button.

Once clicked, it opens a fake login page where the unsuspecting target enters their Google or Facebook username and password, essentially handing the attackers unauthorized access to their accounts.

Push Security describes the pages as “attacker-in-the-middle” (AiTM) phishing: the fake sign-in page sits between the victim and the real service and passes along what the victim types, so the attacker ends up with working credentials rather than just a copy of them. The researchers say the pages closely mimic Calendly’s look and feel, making them convincing enough to fool even cautious employees.

Image by Push Security: fake Calendly invites.

Gannon says, “We can expect to see more highly customized campaigns, and attacks occurring at a greater scale than has been previously seen.”

3 distinct variants, 75 brands

Although the scammers have sent fake invites imitating over 75 companies, Push Security said they identified three distinct attack patterns used to lure victims.


The first social engineering variant targets Google Workspace users with a tailored job-offer email lure, following the steps described above.

The second variant, which included “evidence of older phishing pages, some more than two years old,” focuses primarily on Facebook Business accounts. Around 31 unique URLs tied to this campaign were identified.

The third and most sophisticated variant combines “Google and Facebook targets with enhanced stealth.”


Push Security said the latest versions use a “Browser-in-the-Browser” (BITB) technique: the page draws what looks like a separate browser pop-up, complete with a fake address bar showing a legitimate-looking URL, entirely in HTML and CSS inside the phishing page. The real URL is the one in the actual browser’s address bar, not the one painted inside the fake window. One practical tell: a genuine pop-up can be dragged outside the main browser window, whereas a BITB “window” cannot leave the page that renders it.

The attackers have also built in anti-analysis measures, such as blocking visitors arriving over VPNs or refusing to work when browser developer tools are open, to thwart security researchers and automated detection tools, it said.

Push Security provides several tips for Calendly users to help avoid these scams, including to:

  • Be suspicious of job offers that come with a Calendly invite
  • Check the URL carefully – even after clicking through Calendly
  • Confirm the sender
  • Hover over links before clicking
  • Resist entering credentials from links inside such invites.
  • Always enable multi-factor authentication (MFA)

Additionally, users should stop and verify whenever they are asked to log in to Google or Facebook via a suspicious or unfamiliar domain. Because an AiTM page can relay one-time codes and push approvals as easily as passwords, the MFA that actually holds up against this kind of phishing is a phishing-resistant method such as a FIDO2 security key or a passkey, which only completes on the genuine site’s origin.
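One way to automate the “check the URL carefully” advice, as an added example rather than anything from Push Security or Calendly: the script below pulls every link out of an invite or e-mail body and flags links that merely borrow the Calendly, Google or Facebook name (the brand as a subdomain or path on another domain, a typosquatted registered domain, a punycode host, or a redirect parameter on a real host that bounces the victim elsewhere). TRUSTED_HOSTS, the similarity threshold and the sample invite HTML are constructed assumptions, not data from the campaign.

```python
"""Flag invite/sign-in links that only look like Calendly, Google or Facebook.

Added example for the "check the URL carefully" advice; it is not Push
Security's or Calendly's code. TRUSTED_HOSTS, LOOKALIKE_RATIO and the sample
invite HTML are constructed assumptions, not data from the campaign.
"""
import re
from difflib import SequenceMatcher
from urllib.parse import parse_qs, unquote, urlparse

# Assumption: the only domains a genuine invite, or the sign-in step after it,
# should ever land on. Tune for your own tenant.
TRUSTED_HOSTS = {
    "calendly": ("calendly.com",),
    "google": ("google.com",),
    "facebook": ("facebook.com",),
}
LOOKALIKE_RATIO = 0.8  # similarity at which a registered domain counts as a typosquat

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). A production check would consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def trusted_brand(host: str):
    """Return the brand whose real domain this host belongs to, else None."""
    host = host.lower()
    for brand, domains in TRUSTED_HOSTS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return brand
    return None


def check_url(url: str) -> list:
    """Return the reasons a link is suspicious (an empty list means it looks genuine)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    if p.scheme != "https":
        reasons.append("not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (possible homoglyph) host")
    if trusted_brand(host) is None:
        path = unquote(p.path).lower()
        reg = registered_domain(host)
        for brand, domains in TRUSTED_HOSTS.items():
            # Brand name used as a subdomain or path decoration on another domain,
            # e.g. calendly.com.evil.example/... or evil.example/accounts.google.com/...
            if brand in host:
                reasons.append(f"'{brand}' inside untrusted host {host}")
            elif brand in path:
                reasons.append(f"'{brand}' inside path on untrusted host {host}")
            # Typosquat of the real registered domain (calendiy.com, ca1endly.com)
            for d in domains:
                ratio = SequenceMatcher(None, reg, d).ratio()
                if reg != d and ratio >= LOOKALIKE_RATIO:
                    reasons.append(f"{reg} resembles {d} ({ratio:.2f})")
    # A trusted host can still bounce the victim elsewhere via a redirect parameter.
    for values in parse_qs(p.query).values():
        for v in values:
            if v.startswith(("http://", "https://")) and trusted_brand(urlparse(v).hostname or "") is None:
                reasons.append(f"redirect parameter points off-brand: {v}")
    return reasons


def scan_invite(html: str) -> dict:
    """Map every link in an invite or e-mail body to its list of suspicion reasons."""
    return {url: check_url(url) for url in HREF_RE.findall(html)}


# Constructed sample lure: one genuine Calendly link and several that only
# borrow the brand names, shaped like the follow-up e-mail described above.
SAMPLE_INVITE = """
<p>Hi, thanks for replying! Pick a slot:
<a href="https://calendly.com/acme-talent/30min">Book a call</a></p>
<p>Or use our scheduling mirror:
<a href="https://calendly.com.acme-scheduler.example/acme-talent">Book a call</a>
<a href="https://calendiy.com/acme-talent/30min">Book a call</a>
<a href="https://acme-scheduler.example/accounts.google.com/ServiceLogin">Continue with Google</a>
<a href="https://calendly.com/redirect?next=https://acme-scheduler.example/login">Continue</a>
</p>
"""

if __name__ == "__main__":
    for url, reasons in scan_invite(SAMPLE_INVITE).items():
        print("OK  " if not reasons else "WARN", url, *reasons)
```

Only the first link in the sample comes back clean; the other four each trip exactly one rule. The registered-domain helper is deliberately naive: anything beyond a .com/.example style suffix needs the Public Suffix List, and the similarity threshold will need tuning against your own mail flow before it gates anything automatically.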

Businesses should also limit ad-manager access to trusted users only and monitor for unusual login activity or changes in ad accounts.
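To illustrate what “monitor for unusual login activity or changes in ad accounts” can look like in practice, here is an added example (not Push Security’s or any vendor’s tooling) that runs three rules over a constructed audit-event stream: a sign-in from a country/ASN pair the user has never used before, an ad-account admin granted to an address outside the company domain, and any sensitive ad-account change made within an hour of such a sign-in. The event schema, the acme.example domain and all thresholds are assumptions.

```python
"""Three detection rules over identity and ad-account audit events.

Added example, not Push Security's or any vendor's tooling. The record
fields (ts, user, type, country, asn, target, daily_budget), the company
domain and the thresholds are assumptions; SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_HISTORY = 2                  # logins needed before a user's baseline is trusted
WINDOW = timedelta(hours=1)      # how long after a risky login a change stays suspicious
BUDGET_THRESHOLD = 1000          # daily budget that makes a new campaign "sensitive"
SENSITIVE = {"ad_admin_added", "payment_method_added", "campaign_created"}


def detect(events: list, corp_domain: str = "acme.example") -> list:
    """Return (index, user, rule, detail) alerts; index refers to the time-sorted list."""
    events = sorted(events, key=lambda e: e["ts"])
    seen = defaultdict(set)      # user -> {(country, asn)} from earlier logins
    logins = defaultdict(int)    # user -> number of logins seen so far
    risky_login = {}             # user -> timestamp of latest new-location login
    alerts = []
    for i, e in enumerate(events):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "login":
            origin = (e["country"], e["asn"])
            # Rule 1: origin never seen for this user, once a baseline exists.
            if logins[user] >= MIN_HISTORY and origin not in seen[user]:
                alerts.append((i, user, "new_location", f"{origin} vs {sorted(seen[user])}"))
                risky_login[user] = ts
            seen[user].add(origin)
            logins[user] += 1
            continue
        if e["type"] not in SENSITIVE:
            continue
        if e["type"] == "campaign_created" and e.get("daily_budget", 0) < BUDGET_THRESHOLD:
            continue  # small campaigns are routine; don't page on them
        # Rule 2: ad-manager access handed to an address outside the company.
        if e["type"] == "ad_admin_added" and not e["target"].lower().endswith("@" + corp_domain):
            alerts.append((i, user, "external_admin", e["target"]))
        # Rule 3: sensitive change shortly after a new-location sign-in.
        last = risky_login.get(user)
        if last is not None and ts - last <= WINDOW:
            alerts.append((i, user, "post_login_change", e["type"]))
    return alerts


# Constructed sample: three routine sign-ins, then an off-hours sign-in from a
# new country followed by an external admin grant and a big campaign, plus a
# second user behaving normally.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "user": "dana@acme.example", "type": "login", "country": "US", "asn": 7922},
    {"ts": "2025-03-02T09:05:00", "user": "dana@acme.example", "type": "login", "country": "US", "asn": 7922},
    {"ts": "2025-03-03T08:58:00", "user": "dana@acme.example", "type": "login", "country": "US", "asn": 7922},
    {"ts": "2025-03-10T02:14:00", "user": "dana@acme.example", "type": "login", "country": "NG", "asn": 36873},
    {"ts": "2025-03-10T02:20:00", "user": "dana@acme.example", "type": "ad_admin_added", "target": "promo.partner@gmail.example"},
    {"ts": "2025-03-10T02:31:00", "user": "dana@acme.example", "type": "campaign_created", "daily_budget": 5000},
    {"ts": "2025-03-10T10:00:00", "user": "sam@acme.example", "type": "login", "country": "US", "asn": 7922},
    {"ts": "2025-03-10T10:30:00", "user": "sam@acme.example", "type": "campaign_created", "daily_budget": 200},
]

if __name__ == "__main__":
    for index, user, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] event {index} {user}: {detail}")
```

On the sample stream this yields four alerts, all for dana: the new-location sign-in, the external admin grant (which fires both rule 2 and rule 3) and the large campaign created seventeen minutes after the sign-in; sam’s routine login and small campaign stay quiet. Rule 3 is the one worth keeping even if the others are noisy, because an attacker who has just harvested credentials through the flow described above tends to add their own admin or payment method quickly.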


Citing the “Scattered Lapsus$ Hunters” criminal gang – known for gaining access to its victims using "identity-based initial access" – Push Security says these types of “malvertising attacks” are an “effective way to launch 'watering hole' style attacks, casting a wide net to harvest credentials and account access.”

