From c05c4980a5e986d71d13362a6732101657e21ca6 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Fri, 27 Oct 2023 17:16:40 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=80Create=20IOK:=20facebook-pl-f675021?=
 =?UTF-8?q?b=20+=20=E2=9C=A8=20Rule=20name=20fix=20(#222)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* ✨ Rename rule filename to reflect title of rule

Rename rule filename to reflect title of rule

* 🚀Create IOK: facebook-pl-f675021b

Create facebook-pl-f675021b.yml

* ✨ Update facebook-pl-7d71c1c detection logic

Update facebook-pl-7d71c1c detection logic

* ✨ Update facebook-pl-7d71c1c

Remove old reference that was valid. However due to URLScan not being able to retrieve the DOM anymore it no longer 'matches' the rules from IOK's POV

---------

Co-authored-by: Bradley Kemp
---
 indicators/facebook-pl-7d71c1c.yml | 29 ++++++++++++++++++++++++++
 indicators/facebook-pl-d71c1c.yml | 32 -----------------------------
 indicators/facebook-pl-f675021b.yml | 29 ++++++++++++++++++++++++++
 3 files changed, 58 insertions(+), 32 deletions(-)
 create mode 100644 indicators/facebook-pl-7d71c1c.yml
 delete mode 100644 indicators/facebook-pl-d71c1c.yml
 create mode 100644 indicators/facebook-pl-f675021b.yml

diff --git a/indicators/facebook-pl-7d71c1c.yml b/indicators/facebook-pl-7d71c1c.yml
new file mode 100644
index 00000000..9c51638f
--- /dev/null
+++ b/indicators/facebook-pl-7d71c1c.yml
@@ -0,0 +1,29 @@ +title: Facebook Phishing Kit 7d71c1c +description: | + Detects a Facebook phishing kit targeting + Polish speaking users. Using the same Google + Tag ID across every domain deploying this kit + and using the same name for the logo file. + +references: + - https://urlscan.io/result/4467573b-d13a-4f2c-85df-5dbce3de9eda + - https://urlscan.io/result/7d71c1c0-da74-41bf-b4c7-25e9ba421f1e + - https://urlscan.io/result/d4890e94-a7e6-4b9a-b4b2-fab8eaa3ccc3 + +detection: + + logo: + requests|contains: 'fb4.png' + + googleTagId: + dom|contains: 'UA-178388451-1' + + invalidStylesheetReference: + dom|contains: 'https://fonts.googlay=swap' + + condition: logo and googleTagId and invalidStylesheetReference + +tags: + - target.facebook + - target_country.poland + diff --git a/indicators/facebook-pl-d71c1c.yml b/indicators/facebook-pl-d71c1c.yml deleted file mode 100644 index c8eea3e1..00000000 --- a/indicators/facebook-pl-d71c1c.yml +++ /dev/null @@ -1,32 +0,0 @@ -title: Facebook Phishing Kit 7d71c1c -description: | - Detects a Facebook phishing kit targeting - Polish speaking users. Using the same login - form structure across all domains as well - as using the same name for the logo file. - -references: - - https://urlscan.io/result/4467573b-d13a-4f2c-85df-5dbce3de9eda - - https://urlscan.io/result/7d71c1c0-da74-41bf-b4c7-25e9ba421f1e - - https://urlscan.io/result/d4890e94-a7e6-4b9a-b4b2-fab8eaa3ccc3 - - https://urlscan.io/result/dc6ff99f-d94c-4a7a-9337-af606fd6be21 - - -detection: - - logo: - requests|contains: 'fb4.png' - - loginElement: - html|contains|all: - - '
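Review bot: The `tags` list at the end of this hunk omits `kit`, while the sibling rule indicators/facebook-pl-f675021b.yml added in the same commit tags itself `- kit`; both titles say "Phishing Kit", so add `  - kit` here so the two rules are filterable the same way. The description also explains only two of the three ANDed selectors (the shared Google Tag ID and the logo filename) and says nothing about `invalidStylesheetReference`, whose string `https://fonts.googlay=swap` looks like a truncated Google Fonts link baked into the kit template and is presumably the most kit-specific artifact of the three. A YAML comment above that selector, such as `# truncated fonts <link> as shipped by the kit template; matched verbatim on purpose`, would stop a later maintainer from "correcting" the URL and silently breaking the match. The description block should mention the broken stylesheet reference for the same reason.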
' - - '
' - - '
' - - '
' - - condition: logo and loginElement - -tags: - - target.facebook - - target_country.poland - diff --git a/indicators/facebook-pl-f675021b.yml b/indicators/facebook-pl-f675021b.yml new file mode 100644 index 00000000..43de0a72 --- /dev/null +++ b/indicators/facebook-pl-f675021b.yml @@ -0,0 +1,29 @@ +title: Facebook Phishing Kit f675021b +description: | + Detects a Facebook phishing kit targeting Polish users. + +references: + - https://urlscan.io/result/f675021b-9b3d-4729-885d-796c2b42433d + - https://urlscan.io/result/3fc04106-e4aa-41ab-824e-a9e364cff5dc + - https://urlscan.io/result/5bad220a-d5ed-479e-b00d-bd6e875d4fa8 + +detection: + + facebookLogo: + requests|contains: '/img/logo-fb.png' + + mainPage: + requests|contains: 'authorize.php' + + formAction: + dom|contains: '/savetofile.php' + + bootstrapCSSHash: + dom|contains: '1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3' + + condition: facebookLogo and mainPage and formAction and bootstrapCSSHash + +tags: + - kit + - target.facebook + - target_country.poland