Wow, now I'm getting malware URLs via reverb.com - way to hand over the IoCs to a long-time threat intel person.

Nothing on VT yet: https://www.virustotal.com/gui/url/3086617690b3b089bff0dd7b96f0e389a57ad32630fd93b6a29d6cdc8256edfe/detection
Zero detections:
https://www.urlvoid.com/scan/matyshkazemlya.com/
Scan failed, 403 Forbidden: https://sitecheck.sucuri.net/results/www.matyshkazemlya.com

https://urlquery.net/report/7840c1b4-791d-47d1-b531-4ac3b7fd0f92 shows a redirect, and the domain is sinkholed via DNS4EU
Submitted to Pulsedive: https://pulsedive.com/indicator/?ioc=d3d3Lm1hdHlzaGthemVtbHlhLmNvbQ==

Showing a redirect to Google on checkphish (LOL)
https://app.checkphish.ai/public/insights/1772914041531/3086617690b3b089bff0dd7b96f0e389a57ad32630fd93b6a29d6cdc8256edfe

IoC:
www.matyshkazemlya [DOT] com

Message on Reverb.com:
Hey, I've been trying to buy your listing but keep getting a payment error. The site gave me a link with some info for the seller to check — www.matyshkazemlya [DOT] com Could you take a look? Mia Brown

#IR #incidentRespose #CTI #IOC #infosec #cyberz #cybersecurity #infosec #reverb
#suspectdomain #virustotal #pulsedive #URLvoid #threatIntel #ThreatInteligence
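An added example (my code, not the poster's) for the indicator handling above: refanging the bracketed IoC for tooling, defanging it again for sharing, and rebuilding the Pulsedive lookup link, whose ioc= parameter is just the base64 of the plain indicator.

```python
import base64
import re

# Defanging conventions seen in threat-intel sharing: "[.]", "[DOT]", "(dot)", "hxxp", "[AT]", "[:]".
_DOT = re.compile(r"\s*(?:\[\.\]|\[dot\]|\(dot\)|\{dot\})\s*", re.IGNORECASE)
_AT = re.compile(r"\s*(?:\[at\]|\(at\)|\{at\})\s*", re.IGNORECASE)
_HXXP = re.compile(r"\bhxxp(s?)://", re.IGNORECASE)
_COLON = re.compile(r"\[:\]")


def refang(text: str) -> str:
    """Turn a defanged indicator back into its plain form (for lookups and tooling, not browsing)."""
    text = _DOT.sub(".", text)
    text = _AT.sub("@", text)
    text = _HXXP.sub(r"http\1://", text)
    return _COLON.sub(":", text)


def defang(text: str) -> str:
    """Make an indicator safe to paste into a post: scheme broken, dots and @ bracketed."""
    text = re.sub(r"^http(s?)://", r"hxxp\1://", text, flags=re.IGNORECASE)
    text = text.replace("@", "[AT]")
    return text.replace(".", "[.]")


def pulsedive_ioc_param(indicator: str) -> str:
    """Pulsedive's /indicator/?ioc= query carries the plain indicator base64-encoded."""
    return base64.b64encode(refang(indicator).encode()).decode()


def pulsedive_url(indicator: str) -> str:
    """Build the shareable Pulsedive link for a (possibly defanged) indicator."""
    return "https://pulsedive.com/indicator/?ioc=" + pulsedive_ioc_param(indicator)


def decode_pulsedive_param(param: str) -> str:
    """Reverse direction: recover the indicator from a Pulsedive link someone shared."""
    return base64.b64decode(param).decode()
```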

To follow up on the earlier thread, the impersonation of AECOM HR, part 2: it continues, with the malicious actors responding to my reply.

I had responded to the threat actor, providing availability for a conversation. The threat actor responded with the questions below at 0331 AM PT 2026-02-04. This should have been a big tell for me, as the spoofed HR persona is located in Portland, OR and not likely to be working in the middle of the night.
Then, when I had not responded, they replied to the same email thread with the same content at 1737 PM PT 2026-02-04. This is what triggered my further analysis and recognition of the miscreant at work.
I posted the IOCs and details on my Github:
https://github.com/obrientg/Analysis/blob/main/2026%2002%2004%20Impersonation%20of%20AECOM%20HR%20part%202

#jobsearch #fraud #impersonation #informationsecurity #abuse #risk #riskmanagement #gethired #hiring #threatintel #IOC #IOCs #gethired #hiring #threatlandscape #getFediHired #threatInteligence #cybersecurity #phishing


Impersonation of AECOM HR - The malicious actors continue to target individuals in search of their next job.

Yesterday I spent the afternoon writing up a response to (what I thought was) a reach-out by AECOM for potential roles with the company. Having crafted thoughtful responses to the questions, I went to reply -

And realized this was fake. This is a scammer.

The tell-tale signs I missed at first:
· The name not matching the email address
· Weird subject line
· The email coming from GMail rather than their aecom.com domain
· The work signature block including a LinkedIn profile URL
· Email interaction tracking URL

This sample was specifically targeted as they pulled background from LinkedIn regarding my background and experience, hence my blocking the other telltale signs.

These threat actors are using mailsuite [DOT] com, a Gmail plugin, to track their targeted individuals (aka the u.list-opt-center [DOT] com URL). This appears to be a legit service being used for malicious activities. I have reached out to Mailsuite but have not received a response.

They are impersonating pamlevesque [AT] aecom.com; I have reached out to Pam Levesque on LinkedIn to warn them and connect with their abuse team, but have not received a response. I also reached out to multiple other individuals in InfoSec/Risk/Abuse roles at AECOM, with no response.

#jobsearch #fraud #impersonation #informationsecurity #abuse #risk #riskmanagement #gethired #hiring #threatlandscape #getFediHired #threatIntel #threatInteligence #cybersecurity #phishing

The full documentation of the initial interaction is on my Github:
https://github.com/obrientg/Analysis/blob/main/Impersonation%20of%20AECOM%20HR%202026Feb-3

and my #Linkedin posting:
https://www.linkedin.com/posts/activity-7425234187286351872-z1Wx
#stinkedin
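An added triage example (my code, not the poster's) that applies the tells listed in this post to one message: display name vs. sender mailbox, free webmail instead of the claimed aecom.com domain, the u.list-opt-center.com tracking link, and a LinkedIn profile in the signature. The sample message, addresses and URL paths are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (not from the post): free-webmail domains and the claimed org domain are configured locally.
FREEMAIL = {"gmail.com", "googlemail.com"}
# Tracking host named in the post (MailSuite's interaction-tracking links).
TRACKING_HOSTS = {"u.list-opt-center.com"}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

# Constructed sample modelled on the post's description; sender address and URL paths are placeholders.
SAMPLE_PHISH = """\
From: Pam Levesque <aecom.hr.recruiting@gmail.com>
To: candidate@example.net
Subject: Re: AECOM opportunity -- quick questions
Content-Type: text/plain

Thanks for your interest, please answer the questions below.

Pam Levesque, Talent Acquisition, AECOM
https://www.linkedin.com/in/placeholder-profile
https://u.list-opt-center.com/placeholder-tracking-id
"""


def check_recruiter_mail(raw: str, claimed_org_domain: str) -> list[str]:
    """Triage heuristic: apply the post's tells to one RFC 822 message and return those that fire."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    local_part, _, sender_domain = addr.lower().rpartition("@")
    body = "" if msg.is_multipart() else msg.get_payload()
    tells = []
    # Tell: display name does not match the mailbox it was actually sent from.
    tokens = [t for t in re.split(r"[^a-z]+", display_name.lower()) if len(t) > 1]
    if tokens and not any(t in local_part for t in tokens):
        tells.append("display name does not match sender mailbox")
    # Tell: claims the organisation but sends from free webmail, not the org's own domain.
    if sender_domain in FREEMAIL and sender_domain != claimed_org_domain.lower():
        tells.append(f"sent from {sender_domain} instead of {claimed_org_domain}")
    hosts = {h.lower() for h in HOST_RE.findall(body)}
    # Tell: link to a mail interaction-tracking service.
    if hosts & TRACKING_HOSTS:
        tells.append("contains email interaction tracking URL")
    # Tell: a personal LinkedIn profile URL in a supposed corporate signature block.
    if re.search(r"linkedin\.com/in/", body, re.IGNORECASE):
        tells.append("signature links a LinkedIn profile")
    return tells
```

A hit on any single tell is a prompt to look closer, not a verdict; a legitimate recruiter mail from the org's own domain with no tracking links returns an empty list.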


Took a few moments to parse this #phishing #attack targeting one of my accounts, and reported the source #IP and the #URL to the usual places.

No surprise, Protocol Labs aka protocol.ai is hosting the phishing site. All of my abuse reports have gone unanswered and ignored, even with my observations of suspect and malicious activity being hosted there for over a year now.

https://github.com/obrientg/Analysis/blob/main/2025%2001%2015%20Subject%3A%20Your%20x%20password%20will%20expire

#incidentresponse #threatintel #threatinteligence #infosec #cybersecurity
