├── iok_test.go
├── logsource.yml
├── indicators
├── remitly-47bfa74f.yml
├── bazhanwang-website-copier.yml
├── generic-email-ec34bc68.yml
├── okta-6a6c442.yml
├── shopify-NCv2F.yml
├── shopify-YgjX6.yml
├── royal-mail-dccfe2d7.yml
├── royal-mail-cd74ee99.yml
├── shopify-45ca55e3.yml
├── shopify-c546c6a9.yml
├── hex-encoded-body.yml
├── singlefile.yml
├── etherscan-253344b.yml
├── rot13-encoded-body.yml
├── getform-io.yml
├── formpost-app.yml
├── formspree-io.yml
├── formsubmit-co.yml
├── nocodeform-io.yml
├── actionforms-io.yml
├── twitter-91a19aa.yml
├── form2chat-io.yml
├── facebook-6c79b.yml
├── themetags-template-service.yml
├── webscrapbook-cloner.yml
├── mobirise-website-builder.yml
├── steam-8c89c4f.yml
├── toastrjs-crypto-drainer-0d0f9db.yml
├── metamask-604ec65.yml
├── microsoft-b3fcc7b.yml
├── recaptcha.yml
├── cazanova-cookie.yml
├── ipapi-co.yml
├── facebook-54b8f7e.yml
├── generic-crypto-0694191.yml
├── generic-scam-3ei9ur8a.yml
├── mark-of-the-web.yml
├── anpost-7b94e511.yml
├── coinsbit-a4a01a8.yml
├── paypal-6c455a6.yml
├── dibae-e6f3d238.yml
├── discord-nitro-7a09ee6.yml
├── testcookie-nginx-module.yml
├── credicard-7246c9c.yml
├── royal-mail-GbyBld.yml
├── facebook-pl-5b1aed4d.yml
├── spankki-d612de8e.yml
├── shopify-89NDeg.yml
├── bookmark-grabber-f6a19cec.yml
├── ionos-45d7f514.yml
├── nordpass-79fa7dc3.yml
├── shopify-f7Ejw.yml
├── steam-JcQRrby.yml
├── vystar-creditunion-084ea74.yml
├── 123-reg-63c26.yml
├── banco-falabella-5fed617.yml
├── data-content-attribute-obfuscation.yml
├── facebook-9z3vzzzj2s.yml
├── etc-e623c655.yml
├── webflow-website-creator.yml
├── avis-0fbd3ca.yml
├── base64-encoded-body.yml
├── coinbase-69638f20.yml
├── submit-form-com.yml
├── coinbase-zG3nVT0g.yml
├── santander-d639dea.yml
├── base64-url-encoded-body.yml
├── class-attribute-obfuscation.yml
├── generic-crypto-f634ac3.yml
├── m3dular-ea8f67e.yml
├── trkrsrvrdb-crypto-drainer-14658cf1.yml
├── steam-4540135.yml
├── steam-4f8189ec.yml
├── banco-de-la-nacion-0blz45du.yml
├── fake-chrome-error.yml
├── smbc-10ddf87.yml
├── commbank-d69bdec1.yml
├── santander-951d27d.yml
├── dhl-27b89b9e.yml
├── microsoft-outlook-9e75296.yml
├── account-deletion-countdown.yml
├── smbc-9776441.yml
├── steam-ee34fa99.yml
├── fauxmoralis-6a3cac21.yml
├── luno-exchange-beb8d53.yml
├── transferwise-d777126.yml
├── facebook-83d65db.yml
├── facebook-account-recovery-0e420f8.yml
├── mystic-stealer-88b6ef2f.yml
├── steam-de077e20.yml
├── bbva-dd072db.yml
├── httrack.yml
├── meta-506188c.yml
├── bancolombia-68a8d3f.yml
├── ficohsa-39e336ff.yml
├── spox-chase-8b20b051.yml
├── crew3-crypto-drainer-0827f6e1.yml
├── facebook-2b493308.yml
├── interfisa-banco-rw6n5v.yml
├── microsoft-be5a6fa.yml
├── nuevo-banco-del-chaco-ri0z68ca.yml
├── bookmark-grabber-bf623f6.yml
├── amadey-botnet-afb0c86a.yml
├── fake-crypto-mining-arbitrageProducts.yml
├── santander-85b6cae.yml
├── banco-de-galicia-bd53a32.yml
├── opensea-389-9bec97c22fa2e411.yml
├── steam-tu2yq4ic.yml
├── finesse-crypto-drainer-9c933ae7.yml
├── hsbc-ea738a3.yml
├── pagopa-197bb96bc.yml
├── visa-dff000d.yml
├── facebook-e9da0f06.yml
├── gomorrah-stealer-9bead31e.yml
├── patelco-48ba653f.yml
├── netflix-n3s7h9g2.yml
├── facebook-54b8f7e-landing.yml
├── credicorp-bank-du47yo.yml
├── discord-ee3f9f72.yml
├── banco-davivienda-067fef0.yml
├── rakuten-1f160470.yml
├── smbc-acab82b5.yml
├── webmail-27971b3a.yml
├── scotiabank-76fc8cb.yml
├── m&t-bank-6b1866b8.yml
├── microsoft-EwNaWJpB.yml
├── uol-mail-6xm0cu.yml
├── fake-crypto-mining-inviteRequired.yml
├── banco-de-la-republica-g5d6u78z.yml
├── international-card-services.yml
├── hardteam-crypto-drainer-f42d93a4.yml
├── bank-of-america-a53b161.yml
├── github-helopbs-03d6d129.yml
├── adobe-5c70696.yml
├── banco-del-pacifico-1kzes5jt.yml
├── bbva-k3dums5h.yml
├── fake-crypto-giveaway-cbn4xt8m.yml
├── metamask-06f6d4f9.yml
├── telekom-deutschland-34f36ea7.yml
├── usps-9514901.yml
├── ark-investment-crypto-3465f6c.yml
├── microsoft-tech-support-0589be7.yml
├── microsoft-tech-support-jp-d94c3cf.yml
├── banco-de-galicia-vyk7k7oo.yml
├── facebook-pl-f675021b.yml
├── banco-cuscatlan-sdtltm.yml
├── mygovau-d0a5f9fd.yml
├── 1password-191635.yml
├── banco-promerica-ef73ish1.yml
├── settingsjs-crypto-drainer-d810a56.yml
├── coinbase-5d238ea1.yml
├── instagram-appeal-510emm.yml
├── rhadamanthys-stealer-26461dbb.yml
├── saison-b85570be.yml
├── facebook-07c20f69.yml
├── lokibot-stealer-b5463607.yml
├── coinbase-cf711368.yml
├── microsoft-544eva7.yml
├── office-365-l03ttm.yml
├── discord-664a17b.yml
├── exodus-wallet.yml
├── facebook-vt-887906f.yml
├── fake-crypto-mining-noChrome.yml
├── tuya-redirect-4ewqnc.yml
├── dpd-1550312.yml
├── facebook-appeal-91f3caf.yml
├── instagram-copyright-yzvbov.yml
├── facebook-parachute.yml
├── rusc-crypto-drainer-f4180c6.yml
├── fake-crypto-mining-MiningPool.yml
├── outlook-hco41m.yml
├── microsoft-outlook-142e470f.yml
├── banco-santa-fe-9d6d57a2.yml
├── facebook-pl-7d71c1c.yml
├── tokenup-crypto-scam.yml
├── banco-atlantida-dxde4jyt.yml
├── discord-fake-error-43143a94.yml
├── instagram-ag0soj.yml
├── navyfederal-7fh9xqpk.yml
├── suncoastcu-4c74e401.yml
├── kimsuky-nginx-fake-error-9b43f670.yml
├── valorant-landing-page-7plil474.yml
├── ups-69b689e.yml
├── bbva-aeng1e8e.yml
├── facebook-9dda3b8f.yml
├── discord-9e6c4a9.yml
├── kucoin-8fo0kgp3.yml
├── asli-crypto-drainer-ea8f67e.yml
├── fake-404-page.yml
├── scotiabank-TYnAqzTX.yml
├── pagopa-019638cd.yml
├── bank-of-america-kgzrkd.yml
├── generic-latin-america-bank-c419e0d.yml
├── facebook-d47226ee.yml
├── bancor-5bb0b5u3.yml
├── instagram-tpexkd.yml
├── banco-del-pacifico-bl54hwhz.yml
├── dhl-f8e6d46.yml
├── smu-crypto-drainer-d9da4dc1.yml
├── daviplata-jwl1yd.yml
├── drainer-Iil1il-crypto-scam.yml
├── banco-de-galicia-npy0f6km.yml
├── discord-4ek3us.yml
├── fake-crypto-mining-ReceiveVoucher3.yml
├── roblox-survey-scam-9170a30d.yml
├── imbetter-stealer-1f52021a.yml
├── roblox-8l0pamh6.yml
├── amazon-jp-28bd59a.yml
├── amazon-token-cryptocurrency-scam-shfxgk.yml
├── crypto-monkey-drainer-65ftuybhy.yml
├── fake-crypto-trading-warmReminder.yml
├── amerant-bank-4tfevg.yml
├── fake-crypto-mining-ReceiveVoucher4.yml
├── fake-crypto-mining-ReceiveVoucher.yml
├── fake-crypto-trading-yuebaoIndex.yml
├── generic-crypto-scam-dd1f3101.yml
├── microsoft-fyfcvk8e.yaml
├── banco-de-galicia-2mo4sf.yml
├── valorant-7plil474.yml
├── bookmark-grabber-d7eb986c.yml
├── chenlun-88426540.yml
├── facebook-7c475854.yml
├── mufg-483cbea7.yml
├── discord-oauth2-scam-u8eviyps.yml
├── unibank-njdemh.yml
├── westpac-c5c1bfe0.yml
├── microsoft-rxkr4n3b.yml
├── avvillas-a5lnamb9.yml
├── apple-icloud-467ab986.yml
├── microsoft-zuu2wvfc.yml
├── anz-bank-cd6ec9e7.yml
├── banco-pichincha-niug0z.yml
├── bancolombia-jr5mnv.yml
└── bancolombia-nfimdx.yml
├── .github
└── workflows
│ ├── go.yml
│ └── rules.yml
├── go.mod
├── tools
└── urlscan-iok
│ └── urlscan-iok.go
└── urlscanio_test.go
/iok_test.go:
--------------------------------------------------------------------------------
1 | package iok
2 |
3 | import "testing"
4 |
5 | // A dummy test just to ensure that the iok.go init functions don't panic
6 | func Test(t *testing.T) {}
7 |
--------------------------------------------------------------------------------
/logsource.yml:
--------------------------------------------------------------------------------
1 | title: Sigma config for use with the phish.report/IOK library
2 | backends:
3 | - github.com/bradleyjkemp/sigma-go
4 |
5 | fieldmappings:
6 | title: $.title[*]
7 | js: $.js[*]
8 | css: $.css[*]
9 | cookies: $.cookies[*]
10 | headers: $.headers[*]
11 | requests: $.requests[*]
12 |
--------------------------------------------------------------------------------
/indicators/remitly-47bfa74f.yml:
--------------------------------------------------------------------------------
1 | title: Remitly Phishing Kit 47bfa74f
2 | references:
3 | - https://urlscan.io/result/47bfa74f-3efb-4dd1-b9ec-a9a862cf6a5b
4 |
5 | detection:
6 | httrack:
7 | html|contains: ""
8 |
9 | condition: httrack
10 |
11 | tags:
12 | - kit
13 | - target.remitly
14 |
--------------------------------------------------------------------------------
/indicators/bazhanwang-website-copier.yml:
--------------------------------------------------------------------------------
1 | title: BazhanWang Website Copier
2 | description: |
3 | Detects the BazhanWang website copier.
4 |
5 | references:
6 | - https://urlscan.io/result/09890a1d-f314-4409-9ce8-75d4980361f5/
7 |
8 | detection:
9 |
10 | copierSignature:
11 | html|contains: ''
12 |
13 | condition: copierSignature
14 |
15 | tags:
16 | - cloning
17 |
--------------------------------------------------------------------------------
/indicators/generic-email-ec34bc68.yml:
--------------------------------------------------------------------------------
1 | title: Generic Email ec34bc68
2 | description: |
3 | A generic email phishing kit loading CSS from an appspot project using a hard-coded access token.
4 | references:
5 | - https://urlscan.io/result/67743b55-f830-49e6-b71e-2fc71e4b8914/
6 | detection:
7 | bootstrapToken:
8 | requests|contains: 'bootstrap.min.css?alt=media&token=ec34bc68-b721-48e5-a02a-8deed9a44325'
9 |
10 | condition: bootstrapToken
11 |
--------------------------------------------------------------------------------
/indicators/okta-6a6c442.yml:
--------------------------------------------------------------------------------
1 | title: Camouflaged Okta kit (old)
2 | description: |
3 | An older version of the Okta phishing kit [described here](https://phish.report/IOK/indicators/okta-5844ad4)
4 | related:
5 | - id: okta-5844ad4
6 | detection:
7 | jsChunks:
8 | requests|contains|all:
9 | - _nuxt/6a6c442.js
10 | - _nuxt/d795c50.js
11 |
12 | condition: jsChunks
13 |
14 | tags:
15 | - kit
16 | - target.okta
17 |
--------------------------------------------------------------------------------
/indicators/shopify-NCv2F.yml:
--------------------------------------------------------------------------------
1 | title: Shopify phishing kit NCv2F
2 | description: |
3 | Shopify phishing kit containing a high-entropy CSP nonce which should be a high quality indicator.
4 | references:
5 | - https://urlscan.io/result/63289b3a-190b-494d-8f58-fca3394dc2c9
6 |
7 | detection:
8 | nonce:
9 | html|contains: 'nonce="NCv2FFfdPZWddG+A/Zi5yTs/nZJyLqZDkwaDP81TGJ4="'
10 |
11 | condition: nonce
12 |
13 | tags:
14 | - kit
15 | - target.shopify
16 |
--------------------------------------------------------------------------------
/indicators/shopify-YgjX6.yml:
--------------------------------------------------------------------------------
1 | title: Shopify phishing kit YgjX6
2 | description: |
3 | Shopify phishing kit containing a high-entropy CSP nonce which should be a high quality indicator.
4 | references:
5 | - https://urlscan.io/result/a6cfccfc-0f7e-4609-9f29-4d14276813f1
6 |
7 | detection:
8 | nonce:
9 | html|contains: 'nonce="YgjX6ESY7Epmq2JvWnoY7nPjsTKrDju2KP3CtnBB+ds="'
10 |
11 | condition: nonce
12 |
13 | tags:
14 | - kit
15 | - target.shopify
16 |
--------------------------------------------------------------------------------
/indicators/royal-mail-dccfe2d7.yml:
--------------------------------------------------------------------------------
1 | title: Royal Mail Phishing Kit dccfe2d7
2 | description: |
3 | Detects a Royal Mail phishing kit claiming that "a parcel cost £ 0.9 Payment failed"
4 |
5 | references:
6 | - https://urlscan.io/result/2e24e3be-de40-4eb4-bae3-7365c0076902
7 |
8 | detection:
9 | selection:
10 | requests|contains: app.dccfe2d7.css
11 | condition: selection
12 |
13 | tags:
14 | - kit
15 | - target.royal-mail
16 | - target_country.uk
17 |
--------------------------------------------------------------------------------
/indicators/royal-mail-cd74ee99.yml:
--------------------------------------------------------------------------------
1 | title: Royal Mail Phishing Kit cd74ee99
2 | description: |
3 | Detects a Royal Mail phishing kit claiming that there are "issues with your shipping address"
4 |
5 | references:
6 | - https://urlscan.io/result/739b68d2-fd6b-460c-b9b3-7256b3c3cd07
7 |
8 | detection:
9 | selection:
10 | requests|contains: app.cd74ee99.css
11 | condition: selection
12 |
13 | tags:
14 | - kit
15 | - target.royal-mail
16 | - target_country.uk
17 |
--------------------------------------------------------------------------------
/indicators/shopify-45ca55e3.yml:
--------------------------------------------------------------------------------
1 | title: Shopify phishing kit 45ca55e3
2 | description: |
3 | Shopify phishing kit containing a high-entropy device identifier which should be a high quality indicator.
4 | references:
5 | - https://urlscan.io/result/ad736505-fb24-4ecd-9b94-3dc301608371
6 |
7 | detection:
8 | deviceID:
9 | html|contains: 'data-trekkie-device-id="45ca55e3-e43e-4b13-b123-6d86ca72d41a"'
10 |
11 | condition: deviceID
12 |
13 | tags:
14 | - kit
15 | - target.shopify
16 |
--------------------------------------------------------------------------------
/indicators/shopify-c546c6a9.yml:
--------------------------------------------------------------------------------
1 | title: Shopify phishing kit c546c6a9
2 | description: |
3 | Shopify phishing kit containing a high-entropy device identifier which should be a high quality indicator.
4 | references:
5 | - https://urlscan.io/result/401d6161-cb5d-4e15-a9ac-20cf0a3ba857
6 |
7 | detection:
8 | deviceID:
9 | html|contains: 'data-trekkie-device-id="c546c6a9-c197-40d4-817c-9fc681c519e9"'
10 |
11 | condition: deviceID
12 |
13 | tags:
14 | - kit
15 | - target.shopify
16 |
--------------------------------------------------------------------------------
/indicators/hex-encoded-body.yml:
--------------------------------------------------------------------------------
1 | title: Hex-encoded document body
2 | description: |
3 | To evade static analysis, the document body can returned hex encoded in the response
4 | where JavaScript can decode it and append it to the DOM.
5 |
6 | This helps defeat simple scanners which don't evaluate JavaScript.
7 |
8 | detection:
9 | documentWriteUnescape:
10 | html|contains: "document.write(unescape("
11 |
12 | condition: documentWriteUnescape
13 |
14 | tags:
15 | - anti-analysis
16 |
--------------------------------------------------------------------------------
/indicators/singlefile.yml:
--------------------------------------------------------------------------------
1 | title: SingleFile website cloner
2 | description: |
3 | SingleFile is a Chrome extension allowing you to save a complete webpage (HTML, CSS, JS, etc.) into a single file.
4 |
5 | references:
6 | - https://chrome.google.com/webstore/detail/singlefile/mpiodijhokgodhhofbcjdecpffjipkle?hl=en
7 |
8 | detection:
9 | singlefileComment:
10 | html|contains:
11 | - "Page saved with SingleFile"
12 | condition: singlefileComment
13 |
14 | tags:
15 | - cloning
16 |
--------------------------------------------------------------------------------
/indicators/etherscan-253344b.yml:
--------------------------------------------------------------------------------
1 | title: Etherscan Crypto Phishing Kit 253344b
2 | description: |
3 | Detects a phishing kit targeting users of Etherscan.
4 |
5 | references:
6 | - https://urlscan.io/result/253344bb-8f9f-4ac6-8449-a2730776d9b6
7 |
8 | detection:
9 |
10 | jsCode:
11 | js|contains: 'api.php?sendValue'
12 |
13 | localStorageItem:
14 | js|contains: 'urcheckacstate'
15 |
16 | condition: jsCode and localStorageItem
17 |
18 | tags:
19 | - kit
20 | - target.etherscan
21 |
--------------------------------------------------------------------------------
/.github/workflows/go.yml:
--------------------------------------------------------------------------------
1 | name: Go
2 | on:
3 | push:
4 | branches: [ main ]
5 | pull_request:
6 | branches: [ main ]
7 |
8 | jobs:
9 | build-and-test:
10 | name: Unit tests
11 | runs-on: ubuntu-latest
12 | steps:
13 | - name: Set up Go 1.x
14 | uses: actions/setup-go@v2
15 | with:
16 | go-version: ^1.18
17 |
18 | - name: Check out code into the Go module directory
19 | uses: actions/checkout@v2
20 |
21 | - name: Test
22 | run: go test -v ./...
23 |
--------------------------------------------------------------------------------
/indicators/rot13-encoded-body.yml:
--------------------------------------------------------------------------------
1 | title: rot13 encoded body
2 | description: |
3 | To evade static analysis, the document body can returned with each character rotated by
4 | some fixed amount in the response where JavaScript can decode it and append it to the DOM.
5 |
6 | This helps defeat simple scanners which don't evaluate JavaScript.
7 |
8 | detection:
9 | characterRotation:
10 | html|contains: "String.fromCharCode(s.charCodeAt(i)-1)"
11 |
12 | condition: characterRotation
13 |
14 | tags:
15 | - anti-analysis
16 |
--------------------------------------------------------------------------------
/indicators/getform-io.yml:
--------------------------------------------------------------------------------
1 | title: Exfiltration using getform.io
2 | description: |
3 | getform is a service that takes HTML form submissions and sends the results to an email address.
4 |
5 | It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
6 | related:
7 | - id: formspree-io
8 |
9 | detection:
10 | formAction:
11 | html|contains: "action=\"https://getform.io/f/"
12 | condition: formAction
13 |
14 | tags:
15 | - exfiltration
16 |
--------------------------------------------------------------------------------
/indicators/formpost-app.yml:
--------------------------------------------------------------------------------
1 | title: Exfiltration using formpost.app
2 | description: |
3 | formpost.app is a service that takes HTML form submissions and sends the results to an email address.
4 |
5 | It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
6 | related:
7 | - id: getform-io
8 |
9 | detection:
10 | formAction:
11 | html|contains: "action=\"https://formpost.app/"
12 | condition: formAction
13 |
14 | tags:
15 | - exfiltration
16 |
--------------------------------------------------------------------------------
/indicators/formspree-io.yml:
--------------------------------------------------------------------------------
1 | title: Exfiltration using formspree.io
2 | description: |
3 | Formspree is a service that takes HTML form submissions and sends the results to an email address.
4 |
5 | It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
6 | related:
7 | - id: getform-io
8 |
9 | detection:
10 | formAction:
11 | html|contains: "action=\"https://formspree.io/f/"
12 | condition: formAction
13 |
14 | tags:
15 | - exfiltration
16 |
--------------------------------------------------------------------------------
/indicators/formsubmit-co.yml:
--------------------------------------------------------------------------------
1 | title: Exfiltration using FormSubmit.co
2 | description: |
3 | FormSubmit is a service that takes HTML form submissions and sends the results to an email address.
4 |
5 | It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
6 | related:
7 | - id: getform-io
8 |
9 | detection:
10 | formAction:
11 | html|contains: "action=\"https://formsubmit.co/"
12 | condition: formAction
13 |
14 | tags:
15 | - exfiltration
16 |
--------------------------------------------------------------------------------
/indicators/nocodeform-io.yml:
--------------------------------------------------------------------------------
1 | title: Exfiltration using NoCodeForm
2 | description: |
3 | NoCodeForm is a service that takes HTML form submissions and sends the results to an email address.
4 |
5 | It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
6 | related:
7 | - id: getform-io
8 |
9 | detection:
10 | formAction:
11 | html|contains: "action=\"https://nocodeform.io/f/"
12 | condition: formAction
13 |
14 | tags:
15 | - exfiltration
16 |
--------------------------------------------------------------------------------
/indicators/actionforms-io.yml:
--------------------------------------------------------------------------------
1 | title: Exfiltration using ActionForms
2 | description: |
3 | ActionForms is a service that takes HTML form submissions and sends the results to an email address.
4 |
5 | It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
6 | related:
7 | - id: getform-io
8 |
9 | detection:
10 | formAction:
11 | html|contains: "action=\"https://www.actionforms.io/e/r/"
12 | condition: formAction
13 |
14 | tags:
15 | - exfiltration
16 |
--------------------------------------------------------------------------------
/indicators/twitter-91a19aa.yml:
--------------------------------------------------------------------------------
1 | title: Twitter Phishing Kit 91a19aa
2 | description: |
3 | Detects a phishing kit developed by a Turkish actor
4 | targeting users of Twitter.
5 |
6 | detection:
7 | pageFavicon:
8 | html|contains: 'https://www.imajkoruma.com/wp-content/uploads/2019/02/twitter.png'
9 |
10 | formDefinition:
11 | html|contains|all:
12 | - 'name="girisFormu"'
13 | - 'action="login.php"'
14 |
15 | condition: pageFavicon and formDefinition
16 |
17 | tags:
18 | - kit
19 | - target.twitter
20 |
--------------------------------------------------------------------------------
/indicators/form2chat-io.yml:
--------------------------------------------------------------------------------
1 | title: Exfiltration using Form2Chat
2 | description: |
3 | Form2Chat is a service that takes HTML form submissions and sends the results to an email address or instant messenger service.
4 |
5 | It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
6 | related:
7 | - id: getform-io
8 |
9 | detection:
10 | formAction:
11 | html|contains: "https://app.form2chat.io/f/"
12 | condition: formAction
13 |
14 | tags:
15 | - exfiltration
16 |
--------------------------------------------------------------------------------
/indicators/facebook-6c79b.yml:
--------------------------------------------------------------------------------
1 | title: Facebook intellectual property infringment phishing kit 6c79b
2 | description: |
3 | A Facebook phishing kit themed around intellectual property infringement
4 |
5 | Observed being distributed by emailtosalesforce@[...].salesforce.com email addresses
6 | references:
7 | - https://urlscan.io/result/4bedbfd8-31f2-4719-85a5-069b72e266fd/
8 |
9 | detection:
10 | background:
11 | requests|contains: 'banner.6c79bf718e7d7de19193.png'
12 |
13 | condition: background
14 |
15 | tags:
16 | - kit
17 | - target.facebook
18 |
--------------------------------------------------------------------------------
/indicators/themetags-template-service.yml:
--------------------------------------------------------------------------------
1 | title: ThemeTags Template Service
2 | description: |
3 | Detects page templates made by ThemeTags.
4 | Services like this are commonly abused by phishing pages.
5 |
6 | references:
7 | - https://urlscan.io/result/54b8f7ec-22f8-416f-b253-213d28262587
8 | - https://urlscan.io/result/d45ebbf2-ecf0-4a83-a908-7c7d08522d1c
9 |
10 | detection:
11 |
12 | metaTagSig:
13 | html|contains: 'name="author" content="ThemeTags"'
14 |
15 | condition: metaTagSig
16 |
17 | tags:
18 | - template_service.themetags
19 |
--------------------------------------------------------------------------------
/indicators/webscrapbook-cloner.yml:
--------------------------------------------------------------------------------
1 | title: WebScrapBook website cloner
2 | description: |
3 | WebScrapBook is a chrome extension used by phishers to clone target websites.
4 |
5 | Github: https://github.com/danny0838/webscrapbook
6 |
7 | references:
8 | - https://chrome.google.com/webstore/detail/webscrapbook/oegnpmiddfljlloiklpkeelagaeejfai
9 |
10 | related:
11 | - id: httrack
12 | - id: savepage-we
13 |
14 | detection:
15 |
16 | htmlAttribute:
17 | html|contains: "data-scrapbook"
18 |
19 | condition: htmlAttribute
20 |
21 | tags:
22 | - cloning
23 |
--------------------------------------------------------------------------------
/indicators/mobirise-website-builder.yml:
--------------------------------------------------------------------------------
1 | title: Mobirise Website Builder
2 | description: |
3 | Detects signatures left behind by the Mobirise Website Builder.
4 |
5 | references:
6 | - https://mobirise.com
7 | - https://urlscan.io/result/0fbd3caa-14be-4565-ad9f-d11d7ec0fdf5
8 |
9 | detection:
10 |
11 | mobiriseSignature:
12 | html|contains|all:
13 | - 'Site made with Mobirise Website Builder'
14 | - 'https://mobirise.com'
15 |
16 | condition: mobiriseSignature
17 |
18 | tags:
19 | - website_builder
20 | - website_builder.mobirise
21 |
--------------------------------------------------------------------------------
/indicators/steam-8c89c4f.yml:
--------------------------------------------------------------------------------
1 | title: Steam Phishing Kit 8c89c4f
2 | description: |
3 | Steam phishing kit containing an image URL that only appears in phishing pages,
4 | additionally uses Discord Nitro as a lure.
5 |
6 | references:
7 | - https://urlscan.io/search/#hash%3A8c89c4f3023d02b04197a30ca20f42ca7eb2634e1432ffff7b9d641a1f71a066
8 |
9 | detection:
10 |
11 | image:
12 | html|contains: 'https://cdn.discordapp.com/attachments/818120722869911602/883999740071657542/nitro.png'
13 |
14 | condition: image
15 |
16 | tags:
17 | - kit
18 | - target.steam
19 |
--------------------------------------------------------------------------------
/indicators/toastrjs-crypto-drainer-0d0f9db.yml:
--------------------------------------------------------------------------------
1 | title: ToastrJS Crypto Drainer 0d0f9db
2 | description: |
3 | Detects a crypto drainer.
4 |
5 | references:
6 | - https://urlscan.io/result/0d0f9dbc-de02-4ba7-b141-90938b828c82
7 | - https://urlscan.io/result/d83511c9-e75f-4b58-a06f-6b093eed01d3
8 |
9 | detection:
10 |
11 | fileName:
12 | requests|contains: 'toastr.js'
13 |
14 | faviconSrc:
15 | html|contains: 'bootcs.com/fav.ico'
16 |
17 | condition: fileName and faviconSrc
18 |
19 | tags:
20 | - cryptocurrency
21 | - cryptocurrency.ethereum
22 |
--------------------------------------------------------------------------------
/indicators/metamask-604ec65.yml:
--------------------------------------------------------------------------------
1 | title: Metamask Phishing Kit 604ec65
2 | description: |
3 | Metamask Phishing kit that uses WebFlow.
4 | Allowing us to flag it due to it having the same WebFlow site key for each phish.
5 |
6 | references:
7 | - https://urlscan.io/result/8953ff2a-f891-40cb-9310-7edab6f0876a
8 | - https://urlscan.io/result/b4830e43-ef8c-40ac-b4d7-ddf540f2c43b
9 |
10 | detection:
11 |
12 | webFlowSiteKey:
13 | html|contains: 'data-wf-site="604ec65d7935b45ce251b35e"'
14 |
15 | condition: webFlowSiteKey
16 |
17 | tags:
18 | - kit
19 | - target.metamask
20 |
--------------------------------------------------------------------------------
/indicators/microsoft-b3fcc7b.yml:
--------------------------------------------------------------------------------
1 | title: Microsoft Phishing Kit b3fcc7b
2 | description: |
3 | Detects a Microsoft phishing kit targeting
4 | Spanish speaking users.
5 |
6 | references:
7 | - https://urlscan.io/result/b3fcc7b6-3193-418a-8a8c-0989d448fb94
8 |
9 | detection:
10 |
11 | hiddenFormID:
12 | html|contains: 'idmedu129'
13 |
14 | formElementIDs:
15 | html|contains|all:
16 | - 'nm1'
17 | - 'nm2'
18 | - 'contenido1'
19 |
20 | condition: hiddenFormID and formElementIDs
21 |
22 | tags:
23 | - kit
24 | - target.microsoft
25 |
--------------------------------------------------------------------------------
/indicators/recaptcha.yml:
--------------------------------------------------------------------------------
1 | title: reCAPTCHA
2 | description: To make it harder to analysts to get a good capture of a phishing site, some are using Google's reCAPTCHA service.
3 | references:
4 | - https://developers.google.com/recaptcha/docs/display
5 |
6 | detection:
7 | buttonElement:
8 | html|contains|all:
9 | - "g-recaptcha"
10 | - "data-sitekey"
11 |
12 | programmaticInvoke:
13 | js|contains:
14 | - "grecaptcha.execute("
15 | - "grecaptcha.render("
16 |
17 | condition: buttonElement or programmaticInvoke
18 |
19 | tags:
20 | - anti-analysis
21 |
--------------------------------------------------------------------------------
/indicators/cazanova-cookie.yml:
--------------------------------------------------------------------------------
1 | title: Cazanova Phishing Kit
2 | description: |
3 | Cazanova is the alias of a prolific phishing kit creator.
4 | Lucky for us, they like to sign their work by using `cazanova` for their cookie name rather than the default `PHPSESSID`,
5 | which makes it simple to identify their work.
6 |
7 | references:
8 | - https://www.wmcglobal.com/blog/cazanova-morphine-kit-deep-dive
9 |
10 | detection:
11 |
12 | cazanovaCookie:
13 | cookies|startswith: "cazanova="
14 |
15 | condition: cazanovaCookie
16 |
17 | tags:
18 | - kit
19 | - threat_actor.cazanova
20 |
--------------------------------------------------------------------------------
/indicators/ipapi-co.yml:
--------------------------------------------------------------------------------
1 | title: ipapi
2 | description: |
3 | ipapi is a GeoIP service allowing you to get the country code and other information from an IP address. It's regularly used by phishing kits which want to hide themselves to analysts outside the country they're targeting.
4 |
5 | This is a very naive approach (often the entire phishing site is loaded but then immediately redirected away from), but is often enough to evade basic sandboxes.
6 |
7 | detection:
8 | ipapiLookup:
9 | html|contains: "https://ipapi.co/"
10 |
11 | condition: ipapiLookup
12 |
13 | tags:
14 | - cloaking
15 |
--------------------------------------------------------------------------------
/indicators/facebook-54b8f7e.yml:
--------------------------------------------------------------------------------
1 | title: Facebook Phishing Kit 54b8f7e
2 | description: |
3 | Detects a Facebook phishing kit.
4 |
5 | references:
6 | - https://urlscan.io/result/d45ebbf2-ecf0-4a83-a908-7c7d08522d1c
7 |
8 | detection:
9 |
10 | formExfil:
11 | html|contains: 'rek.php'
12 |
13 | styleSheets:
14 | requests|contains|all:
15 | - 'becak.css'
16 | - 'galon.css'
17 |
18 | logoImage:
19 | requests|contains: 'https://i.ibb.co/T19ghq4/789.png'
20 |
21 | condition: formExfil and styleSheets and logoImage
22 |
23 | tags:
24 | - kit
25 | - target.facebook
26 |
--------------------------------------------------------------------------------
/indicators/generic-crypto-0694191.yml:
--------------------------------------------------------------------------------
1 | title: Generic Crypto Phishing Kit 0694191
2 | description: |
3 | Generic Crypto Scam phishing kit that includes a reference to
4 | the owner of the website via a HTML link tag
5 |
6 | references:
7 | - https://urlscan.io/result/8773a4dc-ccea-49f4-9d35-f907b76d662e
8 | - https://urlscan.io/result/0895fbf8-8802-49d3-8f5f-2e40df0ad1fa
9 |
10 | detection:
11 |
12 | relLinkBack:
13 | html|contains: 'https://www.blogger.com/profile/06941916716624837130'
14 |
15 | condition: relLinkBack
16 |
17 | tags:
18 | - kit
19 | - target.binance
20 | - target.tesla
21 |
--------------------------------------------------------------------------------
/indicators/generic-scam-3ei9ur8a.yml:
--------------------------------------------------------------------------------
1 | title: generic-scam-3ei9ur8a
2 | description: Generic scam in the form of a fake news page. Often hosted on pages.dev.
3 |
4 | references:
5 | - https://urlscan.io/result/3c7ccd8c-1119-4cbd-8ae5-7764347e1c95
6 | - https://urlscan.io/result/70980d2c-3436-44d7-8fe5-52b39a5ee771
7 | - https://urlscan.io/result/89602dcc-1ac4-4820-a65e-4f2077bbbaa2
8 |
9 | detection:
10 | pageTitle:
11 | title:
12 | - "Work At Home Special Report!"
13 | pageContains:
14 | html|contains: "Home Profit System"
15 | condition: pageTitle and pageContains
16 |
17 | tags:
18 | - kit
19 |
--------------------------------------------------------------------------------
/indicators/mark-of-the-web.yml:
--------------------------------------------------------------------------------
1 | title: Mark of the Web
2 | description: |
3 | The "Mark of the Web" is an Internet Explorer compatibility feature inserted into HTML by browsers when using their "Save webpage" feature.
4 |
5 | The comment includes the original URL that the HTML was cloned from.
6 | references:
7 | - https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/ms537628(v=vs.85)?redirectedfrom=MSDN#what-is-the-mark-of-the-web
8 |
9 | detection:
10 | motw:
11 | html|contains: "'
17 |
18 | nonceCSP:
19 | html|contains: 'nonce="MjE2LDE0MCwxNzgsMTgwLDY1LDEwOCwxNCwyMjQ="'
20 |
21 | condition: developerSignature and nonceCSP
22 |
23 | tags:
24 | - kit
25 | - target.discord
26 | - threat_actor.strolly
27 |
--------------------------------------------------------------------------------
/indicators/kucoin-8fo0kgp3.yml:
--------------------------------------------------------------------------------
1 | title: KuCoin Phishing Kit 8fo0kgp3
2 | description: |
3 | Detects a KuCoin phishing kit deployed often on replit.com.
4 |
5 | references:
6 | - https://urlscan.io/result/768a3795-b37c-44c4-9ff3-8bd14dc0ec97
7 |
8 | detection:
9 |
10 | title:
11 | html|contains:
12 | - Iniciar Sesión | KuCoin
13 |
14 | form:
15 | html|contains|all:
16 | - form action="step.php" method="post"
17 | - class="cointer"
18 |
19 | loginEmail:
20 | html|contains|all:
21 | - Celular
22 | - | Email |
23 | - con codigo QR |
24 |
25 | loginPhone:
26 | html|contains|all:
27 | - Celular |
28 | - Email
29 | - con codigo QR |
30 |
31 | condition: title and form and (loginEmail or loginPhone)
32 |
33 | tags:
34 | - kit
35 | - target.kucoin
36 | - target_country.argentina
37 |
--------------------------------------------------------------------------------
/indicators/asli-crypto-drainer-ea8f67e.yml:
--------------------------------------------------------------------------------
1 | title: Asli Crypto Drainer ea8f67e
2 | description: |
3 | Detects a family of crypto drainers that utilises
4 | a similarly structured landing page.
5 |
6 | references:
7 | - https://urlscan.io/result/f930ba09-8c22-4b4f-8cfe-6506e1f01bfb
8 | - https://urlscan.io/result/168274a9-c66b-44c3-b7f8-ce6412a9b2d7
9 |
10 | detection:
11 |
12 | jQueryHash:
13 | html|contains: '894YE6QWD5I59HgZOGReFYm4dnWc1Qt5NtvYSaNcOP+u1T9qYdvdihz0PPSiiqn/+/3e7Jo4EaG7TubfWGUrMQ=='
14 |
15 | fakeTimeElement:
16 | html|contains: ''
17 |
18 | fakeText:
19 | html|contains|all:
20 | - 'PRE-SALE IS LIVE'
21 | - 'LIMITED SALE'
22 | - 'All other links are FAKE'
23 | - 'Thank you for your support and patience!'
24 |
25 |
26 | condition: jQueryHash and fakeTimeElement and fakeText
27 |
28 | tags:
29 | - threat_actor_country.china
30 | - crypto_drainer.asli
31 | - cryptocurrency
32 | - cryptocurrency.ethereum
33 |
--------------------------------------------------------------------------------
/tools/urlscan-iok/urlscan-iok.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "context"
5 | "flag"
6 | "fmt"
7 | "log"
8 | "net/http"
9 | "os"
10 | "os/signal"
11 | "syscall"
12 |
13 | iok "phish.report/IOK"
14 | )
15 |
16 | var uuid = flag.String("uuid", "", "[required] the urlscan.io result ID to scan for IOKs")
17 |
18 | func main() {
19 | flag.Parse()
20 | if *uuid == "" {
21 | flag.Usage()
22 | os.Exit(1)
23 | }
24 |
25 | ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGTERM)
26 | defer cancel()
27 | input, err := iok.InputFromURLScan(ctx, *uuid, http.DefaultClient)
28 | if err != nil {
29 | log.Fatal(err)
30 | }
31 |
32 | matches, err := iok.GetMatches(input)
33 | if err != nil {
34 | log.Fatal(err)
35 | }
36 |
37 | if len(matches) == 0 {
38 | fmt.Println("No matches!")
39 | return
40 | }
41 |
42 | fmt.Println("Matching indicators:")
43 | for _, match := range matches {
44 | fmt.Println("\t*", match.Title, "https://phish.report/IOK/indicators/"+match.ID)
45 | }
46 | }
47 |
--------------------------------------------------------------------------------
/indicators/fake-404-page.yml:
--------------------------------------------------------------------------------
1 | title: Fake Not Found page
2 | description: |
3 | A common way for phishing sites to avoid detection is by presenting a fake 404 error page when requested using the "wrong" User Agent (or from the wrong GeoIP location).
4 |
5 | These fake error pages exactly mimic the HTML of an Apache 404 page, but unless the threat actor has configured their site to hide it, there's two giveaways it's fake:
6 | - It sends an `X-Powered-By: PHP` header
7 | - It sets a `PHPSESSID` cookie
8 |
9 | These are both clear evidence that the 404 page has been generated by PHP and not by Apache.
10 |
11 | detection:
12 | notfoundPageFragments:
13 | html|contains:
14 | - "404 Not Found"
15 | - "The requested URL was not found on this server.
"
16 |
17 | phpHeader:
18 | headers|contains: "X-Powered-By: PHP"
19 |
20 | phpCookie:
21 | cookies|startswith: "PHPSESSID="
22 |
23 | condition: notfoundPageFragments and (1 of php*)
24 |
25 | tags:
26 | - cloaking
27 |
--------------------------------------------------------------------------------
/indicators/scotiabank-TYnAqzTX.yml:
--------------------------------------------------------------------------------
1 | title: Bank of Nova Scotia (Scotiabank) Phishing Kit TYnAqzTX
2 | description: |
3 | Detects a phishing kit for the Bank of Nova Scotia (Scotiabank) targeting Spanish speaking users.
4 | Deployed often on replit.com.
5 |
6 | references:
7 | - https://www.scotiaonline.scotiabank.com/
8 | - https://urlscan.io/result/1ec9979c-a03d-4466-9696-747e522b07d7/
9 | - https://urlscan.io/result/cb65e495-fc75-4536-94be-7831e04c4124/
10 | - https://urlscan.io/result/f3dd32bb-281d-4559-8679-2d287a26e7fd/
11 |
12 | detection:
13 |
14 | img:
15 | html|contains|all:
16 | - img src="img/war.svg"
17 | - img src="img/ojo.svg"
18 | - img src="img/depart.svg"
19 |
20 | script:
21 | html|contains:
22 | - script src="js/funciones.js"
23 |
24 | form:
25 | html|contains:
26 | -