Recycled phishing scam revives fake login pages to lure job seekers

• IN PHOTO: Source code of the phishing page sent to victims, showing Chinese text in the login form and password fields.

By Art Samaniego

Cybercriminals have revived an old online scam that once fooled thousands, using the same playbook to steal account credentials from unsuspecting users.

The scheme, which first circulated years ago, begins with unsolicited messages offering easy online income such as liking and rating a film for up to P1,600 per day.

Once a user responds, they are referred to a “recruiter” on the messaging app Telegram. Scammers prefer Telegram because it isolates victims from Facebook, where users are more likely to verify scams through friends and public warnings. After initial contact, the victim is instructed to register through a link—leading to a fake login page.

The phishing page mimics a normal sign-in interface and collects personal credentials through forms that request phone numbers, emails, and passwords. The site also contains embedded scripts to handle Google login credentials, decoding JWT tokens on the client side and sending them to a suspicious server—behavior not seen in legitimate authentication systems.

Reviewing the source code of the fake website reveals the presence of Chinese-language text and placeholders, suggesting that the site was created by Chinese-speaking cybercriminals and possibly tailored to target Chinese-speaking individuals in addition to Filipino users.

All JavaScript files and styling assets are served locally, allowing the scammer to operate the page entirely under their control and bypass standard browser protections. Visual elements like disabled Facebook and Google login buttons are included to make the page appear trustworthy, even though they don’t function.

The entire flow—from the initial message, the Telegram referral, and the phishing link—forms a coordinated scam designed to steal login credentials and personal data. Once harvested, the information can be used for identity theft, unauthorized financial transactions, or further scams.

Scam Watch Pilipinas is appealing to the public to stay alert:

• Avoid clicking on links from strangers offering easy income.
• Do not log in to unfamiliar websites, especially those shared through Telegram or random DMs.
• Verify job offers through official company pages or job portals.
• Check for telltale signs of phishing, such as unusual URLs, broken buttons, and unexpected language scripts in the page source.

Several of these pages have been flagged and reported for takedown, but similar variants remain active. Users are urged to be vigilant and report suspicious activity to cybersecurity hotline 1326 or to the PNP Anti Cybercrime Group.