Schedule a Call With Tricia: Inside a Real-Time Google Account Takeover Disguised as a Job Interview
Fake Calendly pages impersonating Nike, Robert Half, and Adecco feed credentials to a real-time AiTM 2FA bypass with Telegram exfil and an exposed Swagger API
The phishing page looks like Calendly. Pick a time to speak with Tricia Guyer about a career opportunity at Coca-Cola, Nike, Robert Half, or Adecco. Enter your name, email, and area of interest. Click "Schedule Call."
Then it asks you to sign in with Google. The page looks exactly like Google's login — complete with a fake browser URL bar rendering accounts.google.com/signin/v3/ inside the page itself. You enter your password. Google sends a 2FA code to your phone. The phishing page shows the matching 2FA prompt. You enter the code. "Meeting confirmed!"
Your Google account is now fully compromised. The operator was logged in simultaneously, relaying your credentials and 2FA codes in real time through a Telegram bot. The entire attack — from fake interview to account takeover — takes under sixty seconds.
The Brands
Five domains impersonate major employers and staffing agencies:
| Domain | Impersonation |
|---|---|
| careers-jobupdate[.]com | Generic careers portal |
| jobs-nike[.]com | Nike careers |
| roberthalf-gethired[.]com | Robert Half staffing |
| roberthalf-globaltalent[.]com | Robert Half international |
| adecco-callschedule[.]com | Adecco scheduling |
All five share Google Analytics tracking ID G-123NZLZV56 — the operator monitors victim flow across all phishing domains from a single analytics dashboard.
The Kill Chain
Stage 1 — The Lure: Victim receives a message about a job opportunity. The link leads to a Calendly-style scheduling page. Professional design. "Tricia Guyer" has a headshot. The page collects name, email, and job interest.
Stage 2 — The Fake Google Sign-In: After scheduling, the victim is asked to "verify identity" via Google. The phishing page renders a pixel-perfect Google login form — but the critical detail is a fake browser URL bar drawn inside the page showing accounts.google.com/signin/v3/. The victim sees what looks like a legitimate Google URL in what looks like their browser's address bar. It's an image.
Stage 3 — Real-Time AiTM: When the victim enters their password, the following happens:
- The backend sends the credentials to the operator via a Telegram bot
- The operator (or automation) enters them into the real Google login
- Google triggers 2FA; the backend detects which type (email code, SMS, TOTP authenticator, or push-notification tap)
- The phishing page dynamically displays the matching 2FA prompt
- The victim enters their code, which is relayed the same way
- The operator completes the real Google login
Stage 4 — Confirmation: The victim sees "Meeting Confirmed!" with a calendar entry. They believe they've scheduled a job interview. Their Google account — email, Drive, Photos, payment methods, connected accounts — is fully compromised.
The Exposed API
The operator left their backend's Swagger/OpenAPI documentation publicly accessible at /docs and /openapi.json. The API schema reveals 11 endpoints, including:
- "Send booking data to Telegram" — confirming the exfiltration channel
- /api/get-channel-id — Telegram channel configuration
- Endpoints for managing phishing sessions, 2FA relay, and victim data
This is the operator's own documentation of their attack infrastructure, served to the public internet. Any security researcher can read exactly how the backend processes stolen credentials.
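For an analyst triaging an exposed schema like this one, the useful first pass is to enumerate the operations and flag those whose path or summary points at exfiltration or 2FA relay. The following is an added example written for this article, not code from the post or from GHOST; the sample document is constructed, and apart from /api/get-channel-id and the "Send booking data to Telegram" summary quoted above, its paths are invented for illustration.

```python
import json
import re

# Constructed sample OpenAPI document. Only /api/get-channel-id and the
# "Send booking data to Telegram" summary come from the article; the other
# paths are hypothetical stand-ins for the remaining endpoints.
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.2",
    "paths": {
        "/api/get-channel-id": {"get": {"summary": "Get Channel Id"}},
        "/api/send-booking": {"post": {"summary": "Send booking data to Telegram"}},
        "/api/session/{sid}/otp": {"post": {"summary": "Submit OTP for session"}},
        "/health": {"get": {"summary": "Health"}},
    },
})

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

# Terms that, in the public schema of a lookalike hiring/scheduling site,
# suggest credential exfiltration or 2FA relay rather than a normal web app.
SUSPICIOUS = re.compile(r"telegram|otp|2fa|password|credential|session|relay|channel", re.I)


def triage_openapi(doc_text):
    """Return (endpoint_count, flagged), where flagged is a list of
    (METHOD, path, summary) tuples whose path or summary matches SUSPICIOUS."""
    doc = json.loads(doc_text)
    count = 0
    flagged = []
    for path, ops in doc.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary" and other non-operation keys
            count += 1
            summary = op.get("summary", "") if isinstance(op, dict) else ""
            if SUSPICIOUS.search(path) or SUSPICIOUS.search(summary):
                flagged.append((method.upper(), path, summary))
    return count, flagged


if __name__ == "__main__":
    total, hits = triage_openapi(SAMPLE_OPENAPI)
    print(f"{total} endpoints, {len(hits)} flagged for review")
    for method, path, summary in hits:
        print(f"  {method} {path}  -- {summary}")
```

Run against a saved copy of a kit's openapi.json, the flagged list is what goes into the report; the unflagged remainder (health checks, static assets) is usually safe to skip.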
Not DPRK
Despite the job interview theme resembling DPRK/Lazarus "Contagious Interview" campaigns, this is a different operation. DPRK fake interview campaigns typically:
- Request the victim install software (trojanized video call apps)
- Deliver malware (InvisibleFerret, BeaverTail)
- Target cryptocurrency and tech industry workers specifically
This campaign does none of that. It's pure credential harvesting with AiTM 2FA bypass — no malware delivered, no software installation, no industry-specific targeting. The job interview theme is social engineering for Google account access, not a malware delivery mechanism.
The Fake URL Bar
The most deceptive element is the rendered browser URL bar. The phishing page draws an image of a browser address bar showing accounts.google.com/signin/v3/ above the login form. On mobile devices or in embedded browsers (email apps, social media in-app browsers), the real URL bar may be hidden or minimized, making the fake one the only visible indicator of the supposed destination.
This technique — browser-in-browser (BitB) — has been documented since 2022 but remains effective because users are trained to "check the URL bar" as their primary anti-phishing behavior. When the URL bar itself is fake, that training works against them.
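The defensive check that survives a fake URL bar is comparing what the page displays with where it was actually served from: a page that shows accounts.google.com anywhere in its markup, carries a password field, and was loaded from some other host is a BitB candidate. The heuristic below is an added example for this article, not the post's own YARA or Suricata logic; the sample HTML, the served hostname and the identity-provider list are constructed, and the GA4 measurement ID is extracted only as a pivot once the page is already suspicious.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Identity-provider hosts a credential clone would want to imitate (assumed list).
IDENTITY_HOSTS = ("accounts.google.com", "login.microsoftonline.com", "login.live.com")
GA4_ID = re.compile(r"\bG-[A-Z0-9]{6,}\b")


class _PageFacts(HTMLParser):
    """Collects what the heuristic needs: text, image alt/src, password inputs."""
    def __init__(self):
        super().__init__()
        self.text_chunks, self.img_hints, self.has_password = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        if tag == "img":  # the fake URL bar in this kit is an image
            self.img_hints.append(" ".join(filter(None, (a.get("alt"), a.get("src")))))

    def handle_data(self, data):
        self.text_chunks.append(data)


def bitb_indicators(served_url, html):
    """Return reasons the page looks like a browser-in-browser credential clone,
    or [] if none. served_url is the URL the browser actually loaded."""
    served_host = urlparse(served_url).hostname or ""
    facts = _PageFacts()
    facts.feed(html)
    visible = " ".join(facts.text_chunks + facts.img_hints)
    reasons = []
    for host in IDENTITY_HOSTS:
        # Displaying an IdP hostname the page was not served from is the core tell
        if host in visible and not served_host.endswith(host):
            reasons.append(f"displays {host} but served from {served_host}")
    if reasons and facts.has_password:
        reasons.append("password field present on the same page")
    if reasons and (m := GA4_ID.search(html)):
        reasons.append("GA4 measurement ID for pivoting: " + m.group())
    return reasons


# Constructed sample mimicking the kit described above (host is a placeholder).
SAMPLE_HTML = """<html><body>
<script>gtag('config','G-123NZLZV56');</script>
<img src="/static/urlbar.png" alt="accounts.google.com/signin/v3/">
<form><input type="email" name="u"><input type="password" name="p"></form>
</body></html>"""

if __name__ == "__main__":
    for r in bitb_indicators("https://example-careers.test/verify", SAMPLE_HTML):
        print("-", r)
```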
Indicators of Compromise
Network Indicators
- Domains:
  - careers-jobupdate[.]com
  - jobs-nike[.]com
  - roberthalf-gethired[.]com
  - roberthalf-globaltalent[.]com
  - adecco-callschedule[.]com
- Google Analytics: G-123NZLZV56
- CloudFront IPs: 99.84.160[.]117, 18.155.202[.]54, 13.227.246[.]25, 18.161.216[.]70
Persona
- "Tricia Guyer" — fake recruiter identity with headshot
Detection
Three YARA rules and fourteen Suricata signatures covering the BitB Google Sign-In clone, Calendly-style scheduling page, and AiTM relay patterns are available on our GitHub:
A fake interview. A fake URL bar. A real-time account takeover. Swagger docs left open for anyone to read. Investigation conducted autonomously by GHOST -- Breakglass Intelligence.
h/t @volrant136 for the tip.