🚀Create IOK: facebook-pl-f675021b + ✨ Rule name fix (#222)

* ✨ Rename rule filename to reflect title of rule Rename rule filename to reflect title of rule * 🚀Create IOK: facebook-pl-f675021b Create facebook-pl-f675021b.yml * ✨ Update facebook-pl-7d71c1c detection logic Update facebook-pl-7d71c1c detection logic * ✨ Update facebook-pl-7d71c1c Remove old reference that was valid. However due to URLScan not being able to retrieve the DOM anymore it no longer 'matches' the rules from IOK's POV --------- Co-authored-by: Bradley Kemp <bradleyjkemp@users.noreply.github.com>
phish-report · Oct 27, 2023 · c05c498 · c05c498
1 parent b62ccb7
commit c05c498
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 32 deletions.
diff --git a/indicators/facebook-pl-7d71c1c.yml b/indicators/facebook-pl-7d71c1c.yml
@@ -0,0 +1,29 @@
+title: Facebook Phishing Kit 7d71c1c
+description: |
+    Detects a Facebook phishing kit targeting 
+    Polish speaking users. Using the same Google
+    Tag ID across every domain deploying this kit
+    and using the same name for the logo file.
+    
+references:
+    - https://urlscan.io/result/4467573b-d13a-4f2c-85df-5dbce3de9eda
+    - https://urlscan.io/result/7d71c1c0-da74-41bf-b4c7-25e9ba421f1e
+    - https://urlscan.io/result/d4890e94-a7e6-4b9a-b4b2-fab8eaa3ccc3
+
+detection:
+
+    logo:
+      requests|contains: 'fb4.png'
+
+    googleTagId:
+      dom|contains: 'UA-178388451-1'
+
+    invalidStylesheetReference:
+      dom|contains: 'https://fonts.googlay=swap'
+
+    condition: logo and googleTagId and invalidStylesheetReference
+
+tags:
+  - target.facebook
+  - target_country.poland
+
diff --git a/indicators/facebook-pl-d71c1c.yml b/indicators/facebook-pl-d71c1c.yml
diff --git a/indicators/facebook-pl-f675021b.yml b/indicators/facebook-pl-f675021b.yml
@@ -0,0 +1,29 @@
+title: Facebook Phishing Kit f675021b
+description: |
+    Detects a Facebook phishing kit targeting Polish users.
+
+references:
+  - https://urlscan.io/result/f675021b-9b3d-4729-885d-796c2b42433d
+  - https://urlscan.io/result/3fc04106-e4aa-41ab-824e-a9e364cff5dc
+  - https://urlscan.io/result/5bad220a-d5ed-479e-b00d-bd6e875d4fa8
+
+detection:
+
+    facebookLogo:
+      requests|contains: '/img/logo-fb.png'
+
+    mainPage:
+      requests|contains: 'authorize.php'
+
+    formAction:
+      dom|contains: '/savetofile.php'
+
+    bootstrapCSSHash:
+      dom|contains: '1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3'
+
+    condition: facebookLogo and mainPage and formAction and bootstrapCSSHash
+
+tags:
+  - kit
+  - target.facebook
+  - target_country.poland