Zip Recruiter Phishing Campaign 2019/10/23

1. Zip Recruiter Phishing Campaign:
2.  
3. Return address:
4. no-reply@ziprecruter.com
5.  
6. Subjects:
7. ZipRecruiter Critical Security Alert #([0-9]{5})
8. ZipRecruiter Check Your Account Activity #([0-9]{5})
9.  
10. Header origin:
11. Received: from wrqvcxfq.outbound-mail.sendgrid.net (unverified
12. [149.72.202.244])
13.  
14.  
15. Redirector Pages:
16.  
17. http://cord.nvfms.org/
18. http://mart.fammart.com/
19. http://plan.sherrisplants.com/
20. http://sub.musizhao.com/
21. http://str.ladystrange.com/
22. http://tto.bkandgun.com/
23.  
24.  
25. LanderPages:
26.  
27. https://ziprecrulter.site/login?token=yysndtvrrs9f4amwt7k5m
28.  
29.  
30. Notes: Interesting that the kit seems to have been used before about 20 days ago and the token=yysndtvrrs9f4amwt7k5m then also.
31. Going to the https://ziprecrulter.site without the token gets you redirected to the real ZipRecruiter site for your geolocation.
32. It also redirects you to the real ZipRecruiter site by geolocation once it collects your credentials.
33.  
34. I also have noted a lot of the sent messages have broken URLs that are formed with http:/ and not http://. Example: http:/mart.fammart.com/