Skip to content

Instantly share code, notes, and snippets.

Fake Interviews Offered at Top Brands to harvest Gmail creds

  • Phishing email sent posing as a recruiter looking to hire people for marketing roles
  • The email addresses the individual by their name and the individual works in the relevant field, therefore the attackers likely did some relevant research and collection
  • The target is then directed to click a link to book a meeting and is asked to provide their Gmail credentials

Phishing Workflow Summary

The attacker is using nested redirects across different legitimate platforms:

  1. ⁠The email was sent via PeopleForce (peopleforce[.]io)⁠ a genuine, cloud-based Human Resource Management (HRM) and Applicant Tracking System (ATS) platform.
@BushidoUK
BushidoUK / regex
Last active October 17, 2025 20:53
Regular_expression('User defined','.*bank.*',true,false,false,false,false,false,'List matches')
Regular_expression('User defined','.*, US.*',true,false,false,false,false,false,'List matches')
Find_/_Replace({'option':'Regex','string':'</a>'},'',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'^.*>'},'',true,false,true,false)
@BushidoUK
BushidoUK / GoogleCareersGmailPhish.md
Last active October 24, 2025 03:15
Gmail phishing posing as Google Careers

Gmail phishing posing as Google Careers recruiter

IOCs

Email Sender:
reply-ff2913777d64-449_HTML-1463564-534018293-0[@]s12[.]y[.]mc[.]salesforce[.]com

Link Embedded in 'View the role' button in the Email body:
cl[.]s12[.]exct[.]net (13.110.204.9 - Salesforce ASN)
@BushidoUK
BushidoUK / uae_qa_phishing.md
Created August 13, 2025 00:33
Dubai Police & Qatar Police Phishing Domains

Dubai Police Domains

dubai-police-ae-gonv[.]com
dubai-police-ae[.]com
dubai-police-gov[.]com
dubai-police-govn[.]com
dubai-police-uae[.]com
dubai-policeae-gov[.]com
dubai-policegovae[.]com
dubai-policegovr[.]com
@BushidoUK
BushidoUK / meta_phishing.md
Created April 4, 2025 11:39
Meta recruitment themed credential phishing

Summary

  • Phishing campaign target Facebook accounts, as well as Threads and WhatsApp
  • Emails sent using a recruitment platform called recruitee.com
  • Landing pages are hosted with Cloudflare and target Facebook login credentials
  • The websites are built with Socket.io

Example phishing email and sender

  • application[@]realitylabshiring.recruitee.com
Rules
WHAT'S REALLY GOING ON?
- We completed a security audit of your network, conducted a thorough investigation, downloaded all confidential, private, proprietary, legal, financial, compromising information of you, your customers and employees, including databases and all documents of value to you and your customers to show insecurity of your infrastructure.
- Encrypted your data with a very strong AES+RSA algorithm, making it impossible to view or use by anyone but us.
- Deleted all backups.
- We have compiled a security report and are waiting for your payment for our services to recover and protect your sensitive information from exposure.
- How can I get my organization back to normal operations and avoid long-term losses due to sensitive data leakage and loss of access to encrypted files forever?
ossec-win32 used by Storm-0501
https://www.ossec.net/about/
OSQuery used by Storm-0501
https://www.osquery.io/
GitGuardian used by Scattered Spider*
https://www.gitguardian.com/
MAGNET RAM Capture used by Scattered Spider*
@BushidoUK
BushidoUK / UK_PPCN_SMS_Phishing.md
Last active September 26, 2024 01:13
UK Parking Penalty Charge Notice SMS Phishing

Summary

  • New SMS phishing campaign targeting the UK posing as parking penalty charges
  • It has borrowed assets from UK.GOV sites to look legit
  • It uses qrco[.]de shortening links
  • It redirects to stockx[.]com if you are not the intended target
  • The sites are protected by Cloudflare and registered through NameSilo
  • It gets the target to enter their number plate then presents the "fine" and then asks for payment data (for fraud)

OSINT

  • Quite a few UK councils have warned about it: