IOK Rules

Shopify phishing kit 45ca55e3

Shopify phishing kit containing a high-entropy device identifier which should be a high quality indicator.

Steam Phishing Kit 4f8189ec

Steam Phishing Kit that uses a fake Steam login window to steal user credentials.

Westpac Phishing Kit c5c1bfe0

Westpac phishing kit which uses the same CSS files and directory structure across various domains.

Discord/Steam Phishing Kit 0BFMGg

Detects a phishing kit impersonating Discord and targeting Steam with a fake popup that opens when the "Get Nitro" button is clicked. The site promises to give you a free Discord Nitro subscription. This phishing kit has been discovered by the FishFish.gg team.

Facebook Phishing Kit with peculiar opengraph tags

A Facebook phishing kit which includes some peculiar OpenGraph tags originally from https://www.jpl.nasa.gov/news/testing-proves-its-worth-with-successful-mars-parachute-deployment

Microsoft Phishing Kit zuu2wvfc

Detects a Microsoft phishing kit with a lot of entropy, making it easy to detect. Discovered as a result of this being deployed on Replit.com.

Coinbase Phishing Kit cf711368

Detects a cloned version of the Coinbase website from the past that uses the same `amplitude.js` API key as well as the same Google Site Verification keys, they used to use.

Instagram Phishing Kit Ag0sOJ

Detects a phishing kit targeting Instagram. Talks to "hizliresim.com" to fetch an image. Commonly deployed on Freenom domains.

ipapi

ipapi is a GeoIP service allowing you to get the country code and other information from an IP address. It's regularly used by phishing kits which want to hide themselves to analysts outside the country they're targeting. This is a very naive approach (often the entire phishing site is loaded but then immediately redirected away from), but is often enough to evade basic sandboxes.

KuCoin Phishing Kit 8fo0kgp3

Detects a KuCoin phishing kit deployed often on replit.com.

Shopify phishing kit YgjX6

Shopify phishing kit containing a high-entropy CSP nonce which should be a high quality indicator.

Discord Nitro Phishing Kit 7a09ee6

Discord Nitro phishing kit containing a reused image asset.

Facebook intellectual property infringment phishing kit 6c79b

A Facebook phishing kit themed around intellectual property infringement Observed being distributed by emailtosalesforce@[...].salesforce.com email addresses

Facebook Copyright Phishing Kit XpkqU8

Detects a phishing kit targeting Facebook (Meta) by displaying a fake copyright infringement appeal form and tricking the user into giving away their credentials. This has over 600 hits on Urlscan. Threat actors observed in: - United States 🇺🇸 (BELLSOUTH-NET-BLK 6389; ASN-CXA-ALL-CCI-22773-RDC 22773; CDNEXT 212238)

IONOS Phishing Kit 45d7f514

This phishing kit targets `IONOS` customers. It uses a unique IMGUR URL to host the IONOS logo image file.

Royal Mail Phishing Kit cd74ee99

Detects a Royal Mail phishing kit claiming that there are "issues with your shipping address"

Amadey C2 Panel afb0c86a

Detects the `Amadey` botnet C2 panel page. Uses the fact that the assets are delimited using a backslash instead of the normal forward slash.

DPD Phishing Kit 1550321

Detects a DPD phishing kit using the same fake parcel ID to lure victims in, additionally reuses the same file names and paths for various kit assets.

Square Enix FFXIV Gil Phishing Kit

Detects a phishing kit targeting square-enix.com with a fake FFXIV forum gil giveaway. Phishing kit consists of two pages, a forum page and a login page.

Steam Phishing Kit de077e20

Detects a Steam phishing kit that uses a fake Steam login window to steal user credentials and Counter Strike 2 Beta Access as bait.

Steam Phishing Kit ee34fa99

A Steam phishing kit that uses a fake Steam login window to steal user credentials and 50/100$ gift cards as bait.

hardteam Crypto Drainer f42d93a4

Detects the crypto drainer named 'hardteam' that uses the domain `hardteam.site` to exfiltrate it's logs called from within the drainer script located in the file `drainer_v4.js`

Metamask Phishing Kit 604ec65

Metamask Phishing kit that uses WebFlow. Allowing us to flag it due to it having the same WebFlow site key for each phish.

Minecraft Phishing Kit 85f1cdf0

Detects a Minecraft phishing kit that's being spread through Discord

Remitly Phishing Kit 47bfa74f

trkrsrvrdb Crypto Drainer 14658cf1

Detects the crypto drainer named 'trkrsrvrdb' that uses the domain `trkrsrvrdb.com` to exfiltrate it's logs called from within the drainer script

Bookmark Grabber bf623f6

Detects a phishing page that leverages the Dyno discord bot as a lure to install a malicious browser bookmark to steal the victim's Discord token.

Okta ("0ktapus"/"Scatter Swine") phishing kit

Okta is a Single Sign-On (SSO) provider used by many enterprises and this phishing kit targets those enterprises. It aims to steal the victim's email address, SSO password, and MFA details. To decrease victim's suspicion this kit (like many) includes details specific to the targeted company e.g. their name and logo. However, unlike similar kits, this is hardcoded per instance of the phishing site and isn't dynamic based on the victim's email. ![Screenshot of one of these camouflaged Okta phishing kits (in this case, actually targeting Okta's own employees). [Via urlscan.io](https://urlscan.io/result/63fc7edd-116c-4128-a934-8ad6c9ad76e2/)](/static/63fc7edd-116c-4128-a934-8ad6c9ad76e2-BIDTSTDO.png) The same frontend code (HTML, CSS, and JS) is deployed regardless of the company being targeted, but the company name and logo is provided by the C2 server. ### Capabilities From analysing the code it appears this kit is set up to: * Steal email address and password * Capture MFA codes * Push the download of a (trojanized?) remote desktop tool `AnyDesk.exe` ### Timeline So far, the earliest observed appearance of this campaign was on July 1st ([urlscan.io](https://urlscan.io/result/4125359d-3fea-4161-b0a9-bed1e3c04e16)). This is a slightly earlier version of the phishing kit (referencing slightly different JS files) and was last seen on July 13th. The more recent version of the kit (using the JS filenames referenced in this rule) was first observed on [July 17th](https://urlscan.io/result/0c7aba52-edf4-4280-9bc5-783fb8c93d87/). ### Attack Infrastructure Unlike many less sophisticated kits, this isn't deployed on a PHP hosting provider but is instead deployed on virtual machines (usually provided by Digital Ocean or Vultr). * Frontend assets (HTML/JS/CSS) are loaded from the domain itself * The config (for example, which logo to display) is loaded from a separate, non-HTTPS endpoint hosted on port 8080 on the same server ```mermaid graph LR subgraph C2[Attack Infrastructure] Domain[Lookalike Domain] --> IP[Server IP] end Browser[Victim's Browser] -->|Load frontend: GET https://domain| Domain Browser -->|Fetch name and logo: GET http://ip:8080/api/app/settings| IP ``` Most infrastructure is unique to each attack but there's occasionally some crossover: * [45[.]63[.]39[.]151](https://urlscan.io/ip/45.63.39.151) has been seen targeting multiple companies. * [mailchimp-help[.]com](https://urlscan.io/domain/mailchimp-help.com) has been observed targeting multiple companies.

Webflow Website Creator

Detects websites made with the WebFlow website builder. WebFlow provides software as a service (SaaS) for website building as well as hosting.

BbyStealer Family Dropper Website 7019ae4

Detects a BbyStealer family dropper website. BbyStealer is a JavaScript-based information stealer created by a threat actor called 'brunxkd'. It usually comes packed as an executable (standalone or in an archive) on fake video game websites (which this rule should detect), these URLs are spread by users of this stealer (or compromised accounts) via Discord messages asking victims to 'test' their game for them, as they masquerade as a 'game developer'. There are several other info-stealers that use the same C2 domain as BbyStealer currently they are: - Doenerium (JavaScript) - TargetPlay (Python)

Bancolombia Phishing Kit ZLbZ6V

Detects a phishing kit targeting Bancolombia. This was found as a result of this kit being deployed on Replit.

Discord Phishing Kit 664a17b

Discord phishing kit that uses a external application invite as a lure, as well as the real DiscordServer discord bot logo to make it seem legitmate. Once the user clicks the button labelled authorize it will open a pop-up window mimicking the Discord login page pretty poorly. This rule uses the fact that the same CSS file name is used across all domains that use this kit.

Microsoft Tech Support Kit 0589be7

A Microsoft Tech support kit containing an audio file used across many different domains. As well as a JS function that is used to get the phone number from the URL parameters.

Santander Phishing Kit 85b6cae

Detects a Santander phishing kit targeting Spanish speaking users.

Banco AV Villas Phishing Kit a5lnamb9

Detects a Banco AV Villas phishing kit deployed often on replit.com targeting Colombian citizens.

Banco Davivienda Phishing Kit 067fef0

Detects a Banco Davivienda phishing kit deployed often on replit.com.

Banco de Galicia Phishing Kit bd53a32

Detects a Banco de Galicia phishing kit deployed quite oftenly on `replit.com`.

Itaú Unibanco Phishing Kit s8hx648o

Detects a different Itaú Unibanco phishing kit. Discovered as a result of this being deployed on Replit.com.

Camouflaged Okta kit (old)

An older version of the Okta phishing kit [described here](https://phish.report/IOK/indicators/okta-5844ad4)

ThemeTags Template Service

Detects page templates made by ThemeTags. Services like this are commonly abused by phishing pages.

Facebook Phishing Kit e9da0f06

Detects a phishing page targeting Facebook users asking them to enter the credentials to verify they own the account in question.

Kimsuky Nginx Fake Error 9b43f670

Detects a fake nginx 404 error page that is mainly used by the Kimsuky APT from North Korea.

m3dular Phishing Kit ea8f67e

Detects a phishing kit developed by a threat actor under the alias of 'm3dular'.

Facebank Phishing Kit 0y8ysfop

Detects a Facebank phishing kit targeting citizens of Puerto Rico. Discovered as a result of this being deployed on Replit.com.

Facebook Appeal Form Phishing Kit 91f3caf

Detects a fake Facebook appeal form, that phishes for credentials, the kit was designed by an Arabic-speaking threat actor.

Bancolombia Phishing Kit 3kyj5nlh

Detects a different Bancolombia phishing kit deployed often on replit.com targeting Colombian citizens.

MysticStealer C2 Panel 88b6ef2f

Detects the `Mystic` stealer C2 panel page. As the page likes to broadcast the fact that it is a Mystic Stealer C2 page in the title.

Office 365 Phishing Kit l03TtM

Detects a phishing kit targeting Office 365 using a fake login form. It doesn't attempt to visually mimic the official login pages, allowing it to evade common detection engines.

Royal Mail Phishing Kit dccfe2d7

Detects a Royal Mail phishing kit claiming that "a parcel cost £ 0.9 Payment failed"

testcookie NGINX anti-bot

`testcookie-nginx-module` is a basic anti-bot mechanism using a JavaScript-based challenge to defeat simple analysis by sandboxes which don't evaluate JavaScript.

Banco Santa Fe Phishing Kit

Detects a phishing kit targeting Banco Santa Fe. This was found as a result of this kit being deployed on Replit.

Bancolombia Phishing Kit GM866x

Detects a phishing kit targeting Bancolombia with a simple centered login form. This was detected as a result of this kit being deployed on Replit.

Coinsbit Phishing Kit a4a01a8

Detects a Coinsbit phishing kit.

Meta Phishing Kit 506188c

Detects a phishing kit targeting Meta products, utilising the false copyright infrigment appeal scam.

SingleFile website cloner

SingleFile is a Chrome extension allowing you to save a complete webpage (HTML, CSS, JS, etc.) into a single file.

DHL Phishing Kit 27b89b9e

Detects a DHL phishing kit that uses KillBot to detect bots with a unique API key and a session hash that was left behind when cloning the original page.

Steam Phishing Kit JcQRrby

These are usually spread on Discord and are typically hidden under default Wordpress blogs.

generic-scam-3ei9ur8a

Generic scam in the form of a fake news page. Often hosted on pages.dev.

Netflix Phishing Kit n3s7h9g2

Phishing kit for Netflix credentials with assets hosted on ImgBB.

Exfiltration using submit-form

submit-form is a service that takes HTML form submissions and sends the results to an email address, online dashboard, or webhook, depending on the threat actor. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Suncoast Credit Union Phishing Kit 4c74e401

Detects a Suncoast Credit Union phishing kit that uses the same commented out JS and static VIcurrentDateTime value on all domains.

Webmail Phishing 27971b3a

Detects a phishing kit impersonating Webmail.

Bookmark Grabber d7eb986c

Detects a phishing page that uses the disguise of an intellectual property consent form of a crypto news site in order to lure users into installing a malicious bookmark that steals their Discord token.

OpenSea Phishing 389-9bec97c22fa2e411

Detects OpenSea wallet drainers - mystery box scam. Often hosted on Vercel (https://vercel.com/).

rusc Crypto Drainer f4180c6

Detects a crypto drainer that supports English & Russian in its logging messages. It also has its own configuration file called `import_main.js` and its main draining functionality in a file called `main.js`

ToastrJS Crypto Drainer 0d0f9db

Detects a crypto drainer.

Ark Investment Crypto Phishing Kit 3465f6c

Detects a crypto phishing kit using Ark Investment as proof of the giveaway being legitmate, this kit also uses people like Elon Musk to lure victims.

Fake crypto mining - noChromium

Detects a malicious DApp that force redirects when it detects the use of a Chromium based browser. Pretends to be a liquidity mining platform while presenting fake audit reports.

Exfiltration using getform.io

getform is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Instagram Appeal Phishing Kit 510EMm

Detects a phishing kit targeting Instagram by impersonating Instagram staff and tricking the user into filling out a fake appeal form.

Banco Atlántida Phishing Kit dxde4jyt

Detects a Banco Atlántida phishing kit deployed often on replit.com.

Banco del Pacífico Phishing Kit 1kzes5jt

Detects a Banco del Pacífico phishing kit deployed often on replit.com.

BBVA Phishing Kit k3dums5h

Detects a BBVA (Banco Bilbao Vizcaya Argentaria) phishing kit deployed often on replit.com.

Ethereum Wallet Drainer (Monkey Drainer)

Detects the "Monkey Drainer" phishing script kit

Generic Email ec34bc68

A generic email phishing kit loading CSS from an appspot project using a hard-coded access token.

Helopbs GitHub Phishing Kit 03d6d129

Phishing campaign using the lure of GitHub Jobs, targeting developers from the crypto sphere via phishing emails sent through the use of comments on GitHub issues and pull requests.

PostalFurious Phishing Kit f25f698b

This phishing kit has been observed to target various postal services & government-related websites such as tolls, as well as mobile phone companies like Vodafone. Based upon these observations through scanning URLScan filtered results, this kit appears to be operated by a Chinese-speaking phishing gang codenamed `PostalFurious` (coined by GROUP-IB).

Spox Chase Phishing Kit 8b20b051

Detects a phishing kit targeting users of Chase Bank. The phishing kit is called `Spox` after the name of the kit author.

123 Reg Phishing kit 63c26

123Reg phishing kit containing a high-entropy CSRF token which should be a high quality indicator.

Banco Cuscatlan Phishing Kit sDtLTM

Detects a phishing kit targeting Banco Cuscatlan, a bank and financial institution operating in Central America. Found as a result of this kit being deployed on Replit.

Banco de Galicia Phishing Kit vyk7k7oo

Detects a different Banco de Galicia phishing kit deployed often on `replit.com`. This kit uses JavaScript to dynamically load the login form HTML after you click on a SVG.

Microsoft Phishing Kit fyfcvk8e

Detects a Microsoft phishing kit with a hardcoded MFA phone number and misspelled words. The phishing kit calls sc.php to perform license validation prior to loading page content.

Metamask Phishing Kit 06f6d4f9

Metamask Phishing kit that uses tries to socially engineer the victim into supplying their secret recovery phrases or private key. This kit is made by an Arabic/Hindi speaking threat actor, as seen by the various words like 'tsawer' and 'gadha' being used in the HTML & JS.

Generic Latin America Bank Phishing Kit c419e0d

Detects a phishing kit targeting banks for Latin America, these kits are often deployed on `replit.com`. It uses `api.ipify.org` to fetch the victim's IP. Harvested credentials are delivered into the scammer's Telegram channel through the use of the `sax.js` script file.

Nuevo Banco del Chaco Phishing Kit ri0z68ca

Detects a Nuevo Banco del Chaco phishing kit using a form action URL and a CSRF token that only appears in this kit. Deployed often on replit.com.

SAISON Card Phishing Kit b85570be

Detects a SAISON Card phishing kit targeting Japanese users.

Santander Phishing Kit d639dea

Detects a Santander phishing kit developed by the threat actor known as 'Kr3pto'

Bancolombia Phishing Kit 68a8d3f

Detects a Bancolombia phishing kit targeting Spanish speaking users. Commonly deployed on `replit.com`.

Banco de Galicia Phishing Kit 2mO4SF

Detects a phishing kit targeting Banco de Galicia. The threat actor operates from Argentina itself.

Facebook Account Recovery Phishing Kit 0e420f8

Detects a Facebook phishing kit, telling the victim to enter their details to reactivate their account.

Fake crypto mining - DeFi_Mining

Detects a malicious DApp that pretends to be a mining platform.

Fake crypto mining - MiningPool

Detects a malicious DApp that pretends to be a cloud mining platform.

HTTrack Website Copier

HTTrack is an open source tool to save a website and all its dependencies to disk. It's used by phishers to quickly clone a target website to get a pixel-perfect clone they can adapt into a phishing kit. It's particularly liked by phishers because it tries to ensure that *all* resources are saved offline, and none are left being loaded from the original server.

Instragram Copyright Phishing Kit kVRJSB

Detects a phishing kit targeting Instagram (Meta) by tricking users into filling out a fake copyright appeal form. Threat actors observed in: - Turkey 🇹🇷 (TT_MOBIL 20978; TTNET 9121; TURKCELL-AS 16135; VODAFONETURKEY 15897) - France 🇫🇷 (SECFIREWALLAS 206092)

M&T Bank Phishing Kit 6b1866b8

Detects a phishing kit targeting users of M&T Bank. The core processing of the phishing kit is hidden within the file named `min2.js`. The kit also has a high entropy session ID present within the HTML, likely as a result of cloning the website.

Microsoft Phishing Kit b3fcc7b

Detects a Microsoft phishing kit targeting Spanish speaking users.

Asli Crypto Drainer ea8f67e

Detects a family of crypto drainers that utilises a similarly structured landing page.

Banco de Galicia Phishing Kit npy0f6km

Detects a different Banco de Galicia phishing kit deployed often on replit.com.

Outlook Phishing Kit hCO41m

Detects a phishing kit pretending to be Outlook and attempting to capture the user's credentials. Found as a result of this kit being deployed on Replit.

Telekom Deutschland Phishing Kit 34f36ea7

Detects a `Telekom Deutschland` phishing kit. This kit forgot to remove the high entropy strings generated by the original website used for anti-CSRF purposes.

Unibank Phishing Kit NJdEmH

Detects a phishing kit targeting Unibank. Unibank is one of the largest private banks established in Azerbaijan. Threat actors working with this phishing kit appear to be coming from Ukraine (EVEREST AS49223).

Cryptocurrency Giveaway wjUTKJ

Detects a fake cryptocurrency giveaway impersonating Elon Musk and promising to send back dobule (BTC, ETH, DOGE) that you send to the attacker's wallet. Distributed through Twitter phishing accounts.

Exfiltration using formspree.io

Formspree is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

BbyStealer Dropper Website aeed70a

Detects a BbyStealer dropper website. BbyStealer is a JavaScript-based information stealer created by a threat actor called 'brunxkd'. It usually comes packed as an executable (standalone or in an archive) on fake video game websites (which this rule should detect), these URLs are spread by users of this stealer (or compromised accounts) via Discord messages asking victims to 'test' their game for them, as they masquerade as a 'game developer'.

Davivienda Phishing Kit 2j5dxddh

Detects a Davivienda phishing kit deployed often on replit.com targeting Colombian citizens.

Facebook Phishing Kit f675021b

Detects a Facebook phishing kit targeting Polish users.

ImBetter C2 Panel 1f52021a

Detects the `ImBetter` stealer C2 panel page. Using the SVG data we can confidentially detect the SVG element that is used for the login page logo.

S-Pankki Phishing Kit d612de8e

S-Pankki phishing kit which uses the same hidden value across various domains.

An Post Phishing Kit 7b94e511

Detects an An Post phishing kit that uses the same fake tracking ID across multiple domains.

Bancolombia Phishing Kit jr5mnv

Detects a phishing kit targeting Bancolombia. This was found as a result of this kit being deployed on Replit.

Base64 & URL-encoded document body

To evade static analysis, the document body can be wrapped in several JavaScript functions such as `decodeURIComponent` and `atob` in order to evade analysis. This helps defeat simple scanners which don't evaluate JavaScript.

Microsoft Tech Support Kit d94c3cf

Detects a Microsoft tech support kit targeting Japanese speaking users. Using the same name for the warning audio file as well as the same class `name` attribute for the banner elements.

Steam Phishing Kit jIwQMP

Detects a phishing kit impersonating Discord and targeting Steam users with a fake popup that opens when the "Get Nitro" button is clicked. The site promises to give you a free Discord Nitro subscription upon entering your Steam credentials. This phishing kit has been discovered by the FishFish.gg team.

Chenlun Phishing Kit 88426540

Detect phishing sites that contain two distinctive files named ResourceRedConfig.js and urlConfig.json. These files are indicative of a phishing kit developed by a Chinese threat actor named Chenlun.

Fake crypto mining - ReceiveVoucher2

Detects a malicious DApp that requires a mobile browser UA and offers fake liquidity mining while presenting fake audit reports.

Solana cryptocurrency wallet drainer - tokenup

Detects a Solana cryptocurrency wallet drainer that fakes the number of minted NFTs to initiate Fear of Missing Out (FOMO) against the victim.

Adobe Phishing Kit 5c70696

Adobe phishing kit which uses the same `template` element `id` attribute as well as having the same value inside the `noscript` tags.

Banco de la Nación Phishing Kit 0blz45du

Detects a Banco de la Nación phishing kit using a form action URL and a button ID that only appear in this kit. Deployed often on `replit.com`.

Banco Falabella Phishing Kit 5fed617

Detects a phishing kit targeting Banco Falabella (Colombia) users Deployed often on `replit.com`.

Facebook Phishing Kit 2b493308

Detects a Facebook phishing kit that uses a unique URL to host the banner image used in the fake login form.

International Card Services Phishing Kit

Detects a phishing kit for a creditcard processor which uses the same hidden value across various domains.

Wise Phishing Kit d777126

Wise phishing kit which uses the same sentry.io API key across various domains.

Tuya Redirect 4eWQNc

Detects a phishing landing page for the Colombian bank and credit card issuer Tuya. This was found as a result of this kit being deployed on Replit.

Apple iCloud Phishing Kit 467ab986

An Apple iCloud Phishing Kit appearing in English and Spanish. This looks for file name references of a stylesheet, title styling and a loader image.

Fake crypto mining - inviteRequired

Detects a malicious DApp that requires injected Web3 and invitation code to gain access to the fake mining offer.

Steam Phishing Kit tu2yq4ic

Steam Phishing Kit that uses a fake Steam login window to steal user credentials.

UPS Phishing Kit 69b689e

Detects a UPS phishing kit using a fake parcel ID to lure victims in, additionally has a high entropy string that does not change assigned as the `data-upstoken` attribute of a HTML element within the page, possibly left behind when the original UPS page was cloned.

Amazon Token Cryptocurrency Scam SHFXgk

Detects a cyptocurrency phishing kit targeting Amazon. It claims to offer an Amazon (AMZ) token pre-sale and leads to an exchange where you can swap cryptocurrencies for this fake token. This was found as a result of this kit being deployed on Replit.

Banco del Pacífico Phishing Kit bl54hwhz

Detects a different Banco del Pacífico phishing kit deployed often on replit.com.

Banco Pichincha Phishing Kit niUG0Z

Detects a phishing kit targeting Banco Pichincha. Banco Pichincha is the largest private-sector bank in Ecuador. This was detected as a result of this kit being deployed on Replit.

Bancor Phishing Kit 5bb0b5u3

Detects a Bancor phishing kit deployed often on replit.com.

BBVA Phishing Kit aeng1e8e

Detects a BBVA (Banco Bilbao Vizcaya Argentaria) phishing kit deployed often on replit.com.

Exfiltration using formpost.app

formpost.app is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Fake Not Found page

A common way for phishing sites to avoid detection is by presenting a fake 404 error page when requested using the "wrong" User Agent (or from the wrong GeoIP location). These fake error pages exactly mimic the HTML of an Apache 404 page, but unless the threat actor has configured their site to hide it, there's two giveaways it's fake: - It sends an `X-Powered-By: PHP` header - It sets a `PHPSESSID` cookie These are both clear evidence that the 404 page has been generated by PHP and not by Apache.

Steam Phishing Kit 732d40f3

Detects Steam phishing pages that obtain their template configuration from `/api/getsiteconfig`

finesse Crypto Drainer 9c933ae7

Detects a crypto drainer that usually appears on websites that impersonate the Discord Bots `MEE6` and `Dyno`.

Instagram Phishing Kit TPEXkd

Detects a phishing kit targeting Instagram. Commonly deployed on Freenom domains.

Navy Federal Credit Union Phishing Kit 7fh9xqpk

Navy Federal Credit Union phishing kit cloned with Save Page WE. The kit uses the obfuscated function `_f0` to send credentials to a telegram chat. Save Page WE is a chrome extension used by phishers to clone a target website and save it as a single HTML file

Shopify phishing kit c546c6a9

Shopify phishing kit containing a high-entropy device identifier which should be a high quality indicator.

Facebook Phishing Kit 07c20f69

Detects a Facebook phishing kit that uses unique filenames for image assets of the fake login page.

Facebook Phishing Kit 54b8f7e Landing Page

Detects the landing page of this specific phishing kit.

HSBC Phishing Kit ea738a3

HSBC phishing kit which uses the same fake login detected HTML element across various domains.

Hyphisher Phishing Kit e393965e

`Hyphisher` is a phishing kit that focuses on targeting Hypixel & LunarClient users using various lures such as free ranks, cosmetics or modifications. It works by socially engineering victims into thinking they have been gifted an item from the attacker/compromised account, it then asks the victim to enter their username and email, upon doing this the backend will send the victim an email asking to verify the gift by entering their authentication code into the website. This specific kit dubbed `Hyphisher` is developed by a threat actor named `GuteNacht` and has since been modified and forked by other threat actors within the threat landscape.

Microsoft Outlook Phishing Kit 9e75296

Detects a Microsoft Outlook phishing kit targeting Spanish speaking users.

Microsoft Phishing Kit rxkr4n3b

Detects a poorly designed and simple Microsoft phishing kit. Discovered as a result of this being deployed on Replit.com.

Santander Phishing Kit 951d27d

Detects a Santander phishing kit targeting Spanish speaking users.

WebScrapBook website cloner

WebScrapBook is a chrome extension used by phishers to clone target websites. Github: https://github.com/danny0838/webscrapbook

Bookmark Grabber f6a19cec

Detects a phishing page that uses the disguise of a Wick Bot verification in order to install a malicious bookmark that steals the victim's discord token.

Cazanova Phishing Kit

Cazanova is the alias of a prolific phishing kit creator. Lucky for us, they like to sign their work by using `cazanova` for their cookie name rather than the default `PHPSESSID`, which makes it simple to identify their work.

Fake Chrome error page

The Chrome error page HTML is built into the browser: you should never see it in the response from a website. This is a clear sign that the site is employing cloaking/anti-analysis techniques.

Gomorrah C2 Panel 9bead31e

Detects the `Gomorrah` stealer C2 panel page. For some reason this stealer decides to explicitly state that the page is for the Gomorrah stealer panel

Hex-encoded document body

To evade static analysis, the document body can returned hex encoded in the response where JavaScript can decode it and append it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.

Microsoft Phishing Kit Landing Page 4NCTpU

Detects the landing page of a Spanish-speaking phishing kit targeting Microsoft with two stages. The first stage is a landing page with a "Start the corresponding verification process" message, on the second stage the user is asked to enter their credentials. The stages switch using a redirect through an anchor. The detection of this tiny HTML page is based on the fact that the attacker thought it's a good idea to use special characters for their asset URLs. Found as a result of this kit being deployed on Replit.

rot13 encoded body

To evade static analysis, the document body can returned with each character rotated by some fixed amount in the response where JavaScript can decode it and append it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.

Banco Santa Fe Phishing Kit 9d6d57a2

Banco Santa Fe phishing kit which uses the same CSS and JS files.

Roblox Phishing Kit 8l0pamh6

Detects Roblox phishing sites using a Roblox specific strings within the DOM. Usually at /controlPage/create you can create a "Beaming link" These are often spread through Discord to victims.

Save Page WE website saver

Save Page WE is a chrome extension used by phishers to clone a target website and save it as a single HTML file. Unlike HTTrack (another commonly used tool): * It's a browser extension so doesn't require any additional tools to be installed. * It saves pages as a single HTML file (with all assets embedded in it) which makes the resulting kit more portable and easier to deploy.

Steam Phishing Kit 4540135

Steam phishing kit containing an image (sha256: `8c89c4f3023d02b04197a30ca20f42ca7eb2634e1432ffff7b9d641a1f71a066`) that only appears in phishing pages. It uses Discord Nitro as a lure to make the victim willingly give away their login credentials.

"Validate your account" countdown timer

This phishing kit (reported on by Cofense in 2022, but first seen on urlscan.io in 2018) has a live countdown until a user's email is supposedly "deleted from our server".

Fake crypto trading - warmReminder

Detects a malicious DApp that requires injected Web3 to gain access to the fake trading and mining offers.

Microsoft Phishing Kit 544eva7

Detects a Microsoft phishing kit targeting Spanish speaking users.

BBVA Phishing Kit dd072db

Detects a Banco Bilbao Vizcaya Argentaria (BBVA) phishing kit targeting Argentinian users.

Discord oAuth2 Scam u8eviyps

Detects a Discord oAuth2 scam confirmation page, which is often used in combination with social engineering to get the user to authorize for a spam application. This for example enables the attacker to add the victims into further scam/advertised servers using the `guilds.join` scope.

Facebook Phishing Kit 54b8f7e

Detects a Facebook phishing kit.

Interfisa Banco Phishing Kit rw6N5v

Detects a phishing kit targeting Interfisa Banco. This was found as a result of a user deploying this phishing kit on Replit.

Visa Phishing Kit dff000d

Detects a Visa phishing kit, that makes it seem as if the victim is purchasing something from Aramex, likely targets citizens of the UAE.

Commbank Phishing Kit d69bdec1

Commbank phishing kit displaying a fake login

Dubai Islamic Bank Phishing Kit e6f3d238

Dubai Islamic Bank Phishing Kit that uses a fake login page

Coinbase Phishing Kit 5d238ea1

A Coinbase Phishing Kit that has a hCaptcha verification screen to avoid analysis. This looks for the site key that is common across multiple examples.

crew3 Crypto Drainer 0827f6e1

Detects the crypto drainer created by a Chinese threat actor that is hidden within the file named `main.69e3e80e.js` commonly hosted on a subdomain with the apex domain being either `server-crew3.xyz` or `web3-crew3.xyz`

Data-Content attribute obfuscation

Detects an obfuscation technique found being used by a phishing kit where it appends the content of the parent tag into the `data-content` attribute with the data being encoded using ASCII values to evade static analysis.

Fake crypto trading - yuebaoIndex

Detects a malicious DApp that pretends to be a trading platform that offers AI bots, lending, and mining.

Ficohsa Phishing Kit 39e336ff

Detects a phishing page that targets Honduran users of Ficohsa Bank. This kit uses an old snapshot of the original website's stylesheet.

Microsoft Phishing Kit EwNaWJpB

Detects a Microsoft phishing kit in Spanish, targeting the citizens of Argentina.

Shopify phishing kit 89NDeg

Shopify phishing kit containing a high-entropy CSRF token which should be a high quality indicator.

Class attribute obfuscation

Detects an obfuscation technique found being used by a TrustWallet phishing kit where it appends several repeating groups of characters to the class attribute of all HTML elements in the page.

Generic Crypto Phishing Kit 0694191

Generic Crypto Scam phishing kit that includes a reference to the owner of the website via a HTML link tag

Shopify phishing kit NCv2F

Shopify phishing kit containing a high-entropy CSP nonce which should be a high quality indicator.

Coinbase Phishing Kit 69638f20

A Coinbase Phishing Kit asking the user to enter their 12-word seed phrase. This kit seems to be exclusively deployed on Glitch.

Facebook Phishing Kit 9z3vzzzj2s

A Facebook phishing kit displaying a faked post

Fake crypto giveaway coin selection b791myo4

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. Sometimes the scammer will pick a specific cryptocurrency to target, but in this case they decided to add a menu where the user can select a specific coin.

Luno crypto exchange phishing kit beb8d53

Luno crypto exchange phishing kit that has a high entropy string set as the `origin-trial` value

Rhadamanthys C2 Panel 26461dbb

Detects the `Rhadamanthys` stealer C2 panel page. For some reason this stealer decides to explicitly state that the page is for the Rhadamanthys stealer panel

Scotiabank Phishing Kit 76fc8cb

Detects a Bank of Nova Scotia (Scotiabank) phishing kit targeting Spanish speaking users. Commonly deployed on `replit.com`.

SMBC Phishing Kit acab82b5

Detects a SMBC phishing kit targeting Japanese users.

VyStar Credit Union Phishing Kit 084ea74

Detects a phishing kit targeting customers, of the VyStar Credit Union.

Bancolombia Phishing Kit nFimdX

Detects a phishing kit targeting Bancolombia. This was found as a result of this kit being deployed on Replit. This kit has a different message than others. (Enter your current data to cancel the blocking of your Dynamic Key)

Bank of America Phishing Kit a53b161

Detects a Bank of America phishing kit.

Coinbase Phishing zG3nVT0g

Detects Coinbase recovery phrase scam websites. Often hosted on Glitch (https://glitch.com/).

Exfiltration using FormSubmit.co

FormSubmit is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Steam Phishing Kit 8c89c4f

Steam phishing kit containing an image URL that only appears in phishing pages, additionally uses Discord Nitro as a lure.

Fake crypto mining - arbitrageProducts

Detects a malicious DApp that pretends to be a cloud mining operator and an AI arbitrage trading platform.

Generic Netflix Phishing Kit AhYsqq

Detects generic phishing kits targeting Netflix that copy common assets and leave breadcrumbs.

MUFG Phishing Kit 483cbea7

Detects a phishing page that targets Japanese users of MUFG (Mitsubishi UFJ Financial Group) Bank This original page seems to have been cloned leaving a trace of the cloner's useragent in the hidden input elements of the website's login form

Patelco Phishing Kit 48ba653f

Patelco phishing kit which uses the same stylesheet and form error id across various domains.

FauxMoralis Crypto Drainer 6a3cac21

Sites that contact this domain are websites that will drain a user's crypto wallet using a piece of javascript code known as a 'crypto drainer'. Due to this domain imitating the real Moralis API it has been named FauxMoralis to reflect this.

Generic Crypto Scam dd1f3101

Detects a generic crypto scam that generally leverages on using popular people such as Elon Musk and companies such as OpenAI to lure victims into sending the target wallet address crypto (like BTC, ETH, XRP or DOGE).

Mobirise Website Builder

Detects signatures left behind by the Mobirise Website Builder.

USPS Phishing Kit 9514901

Detects a USPS phishing kit that uses the same fake tracking ID & same stylesheet on every phish.

Banco de la República (eBROU) Phishing Kit g5d6u78z

Detects a Banco de la República phishing kit using a form action URL and CSS files that only appear in this kit. Deployed often on `replit.com`.

DHL Phishing Kit f8e6d46

Detects a DHL phishing kit that has several indicators that are exclusive to the kit itself, such as the endpoint where the credentials are exfiltrated to, and the name of credit card validation function.

Mark of the Web

The "Mark of the Web" is an Internet Explorer compatibility feature inserted into HTML by browsers when using their "Save webpage" feature. The comment includes the original URL that the HTML was cloned from.

Bank of Nova Scotia (Scotiabank) Phishing Kit TYnAqzTX

Detects a phishing kit for the Bank of Nova Scotia (Scotiabank) targeting Spanish speaking users. Deployed often on replit.com.

Facebook Phishing Kit 9dda3b8f

A Facebook phishing kit displaying a login form

Vitalik Buterin fake crypto giveaway cbn4xt8m

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. It asks you to send coins to a wallet to have them doubled.

MyGovAU Phishing Kit d0a5f9fd

Detects a phishing kit using the MyGov Australia branding.

1Password Phishing Kit 191635

1Password phishing kit cloned from the legitimate `1password.com` login page using Save Page WE. The first detection was on August 16th although evidence in the kit (the Save Page WE `savepage-date` timestamp) suggests it was created August 11th. Like many similar phishing kit, credentials are posted to `send.php` and then the victim is redirected to the `1password.com` login form.

Facebook Phishing Kit 83d65db

Detects a Facebook phishing kit created by an Indonesian threat actor, that uses the disguise of a victim's account being restricted and requires them to login again.

Fake crypto mining - ReceiveVoucher

Detects a malicious DApp that pretends to be a cloud mining platform while presenting fake audit reports.

Massachusetts UI Online Application 5hGwWB

Detects a phishing kit impersonating the Massachusetts Unemployment Insurance (UI) Online Application available at uionline.detma.org in an attempt to steal sensitive personal information from the victims. This was found as a result of this kit being deployed on Replit.

BazhanWang Website Copier

Detects the BazhanWang website copier.

Facebook Phishing Kit 7c475854

This kit imitates the Facebook help center page and asks the user to enter their page name, email address, phone number & full name in order to 'unblock' their removed facebook page. After filling out the form the user is prompted with a dialog box where they must enter their Facebook password for their 'security'.

Elon Musk fake crypto giveaway xfve5qjx

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. It asks you to send coins to a wallet to have them doubled.

Fake crypto mining - ReceiveVoucher3

Detects a malicious DApp that pretends to be a liquidity mining platform while presenting fake audit reports. Older version of the fake-crypto-mining-noChrome rule.

SMU Crypto Drainer d9da4dc1

Detects a crypto drainer that hides commonly within the file named `utils.js` and has a seperate `showMess.js` file with functions used to send window alerts.

Santander Phishing Kit 5d1468e

Detects a Santander phishing kit targeting Polish victims, this kit uses the website cloner browser extension known as [WebScrapBook](https://chrome.google.com/webstore/detail/webscrapbook/oegnpmiddfljlloiklpkeelagaeejfai?hl=en) in order to clone the original page. Github: https://github.com/danny0838/webscrapbook

Facebook Phishing Kit 7d71c1c

Detects a Facebook phishing kit targeting Polish speaking users. Using the same Google Tag ID across every domain deploying this kit and using the same name for the logo file.

Hypixel Phishing Kit b03e14c

Detects a Hypixel phishing kit being pushed in-game as well as across Discord.

Amerant Bank Phishing Kit 4TfEvG

Detects a phishing kit targeting Amerant Bank. This was found as a result of this kit being deployed on Replit.

Avis Phishing Kit 0fbd3ca

Detects an Avis phishing kit targeting Turkish users.

Banco de Crédito del Perú (BCP) Phishing Kit XEjFkd

Detects a phishing kit targeting Banco de Crédito del Perú (BCP). BCP is the largest bank in Peru. This was found as a result of this kit being deployed on Replit.

Microsoft Outlook Phishing Kit 142e470f

Detects a phishing kit targeting Microsoft Outlook. Users are being tricked into entering their Microsoft credentials into a fake form. This kit targets Spanish speaking users. Found as a result of this kit being deployed on Replit.

Royal Mail Phishing Kit GbyBld

Detects a Royal Mail phishing kit claiming that "We've received a parcel for you with insufficient fees on the account"

Base64-encoded document body

To evade static analysis, the document body can returned base64 encoded in the response where JavaScript can decode it and append it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.

Discord Phishing Kit ee3f9f72

Detects a `Discord` phishing kit targeting Discord users. This kit proxies all requests made by the original Discord website to the domain the kit is running on.

NordPass Phishing Kit 79fa7dc3

NordPass Phishing Kit that uses a fake login page to steal user credentials.

Exfiltration using ActionForms

ActionForms is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Lokibot C2 Panel b5463607

Detects the `Lokibot` stealer C2 panel page. Uses a combination of various unique characteristics of the page design to detect it.

Credicorp Bank Phishing Kit Du47YO

Detects a different phishing kit targeting Credicorp Bank. This was found as a result of this kit being deployed on Replit.

Etherscan Crypto Phishing Kit 253344b

Detects a phishing kit targeting users of Etherscan.

Facebook Phishing Kit d47226ee

Facebook (Meta for Business) phishing kit that communicates with a master server/API in order to exfiltrate credentials entered. This kit has several anti analysis capabilities, such as being able to redirect to a non-existent domain if the organization owning the IP address of the viewer is part of a pre-defined list, which is defined in the javascript code.

Exfiltration using NoCodeForm

NoCodeForm is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

reCAPTCHA

To make it harder to analysts to get a good capture of a phishing site, some are using Google's reCAPTCHA service.

UOL Mail Phishing Kit 6xm0cU

Detects a phishing kit targeting UOL Mail. UOL is a Brazilian content, digital services and technology company.

Fake crypto mining - ReceiveVoucher4

Detects a malicious DApp that pretends to be a liquidity mining platform while presenting fake audit reports and partners. AJAX call to receive other contents.

SMBC Phishing Kit 10ddf87

Detects a SMBC phishing kit targeting Japanese users.

Twitter Phishing Kit 91a19aa

Detects a phishing kit developed by a Turkish actor targeting users of Twitter.

Bank of America Phishing Kit kgzRkD

Detects a phishing kit targeting Bank of America. This kit is already detected by Urlscan. Found as a result of it being deployed on Replit.

Ethereum cryptocurrency wallet drainer - Iil1ililIl1iIl1ill1Ilii

Detects an Ethereum cryptocurrency wallet drainer that has a constant variable named Iil1ililIl1iIl1ill1Ilii.

ETC Phishing Kit e623c655

Detects an ETC phishing kit targeting Japanese users. (etc-meisai.jp)

Exodus Wallet Phishing Kit

Detects a Exodus Wallet cryptocurrency wallet drainer that includes a function to validate the BIP39 recovery phrase entered.

Facebook Phishing Kit 887906f

Detects a Facebook phishing kit targeting Vietnamese users. Using sexual lures such as 'Vietnamese Sexy Beauty Group'

Credicorp Bank Phishing Kit tGeBlg

Detects a phishing kit targeting Credicorp Bank. This was found as a result of this kit being deployed on Replit.

Shopify phishing kit f7ejw

Shopify phishing kit containing a high-entropy CSRF token (and a CSP nonce!) which should be a high quality indicator.

Credicard Phishing Kit 7246c9c

Detects a Credicard phishing kit created by an Portuguese threat actor.

Discord Hypesquad Phishing Kit 9e6c4a9

Discord Hypesquad phishing kit containing a comment left behind by the supposed developer of the kit. As well as a unique nonce value that is present.

SettingsJS Crypto Drainer d810a56

Detects a crypto drainer that has its own configuration file called settings.js.

Amazon Phishing Kit 28bd59a

Detects an Amazon phishing kit targeting Japanese users. This kit is dynamically generated by Javascript.

ANZ Bank Phishing Kit cd6ec9e7

This kit seems to define a few configuration values within the page's javascript, possibly to communicate with the backend which user of the phishing service owns the phishing page.

Generic Crypto Phishing Kit f634ac3

Generic Crypto Scam phishing kit using the same Smart Support Chat API key on different domains.

Instagram Copyright Phishing Kit YZvbOv

Detects a phishing kit targeting Instagram by impersonating Instagram staff and tricking the user into filling out a fake copyright appeal form.

Microsoft Phishing Kit be5a6fa

Detects a Microsoft phishing kit targeting Spanish speaking users.

facebook-pl-5b1aed4d

A phishing kit using fake and alarming news articles to trick users into giving away their Facebook login credentials.

Banco Promerica Phishing Kit ef73ish1

Detects a Banco Promerica phishing kit with images and form action URL that only appear in this kit. Deployed often on `replit.com`.

Daviplata Phishing Kit jwL1yd

Detects a phishing kit targeting Daviplata - a digital platform for making electronic transactions and payments using a mobile phone. Owned by Davivienda, a financial services company based in Colombia. This was found as a result of this kit being deployed on Replit.

Discord Phishing Kit 4EK3uS

Detects a phishing kit targeting Discord and Steam by promising a Free Discord Nitro subscription.

Paypal Phishing Kit 6c455a6

Detects a Paypal phishing kit.

SMBC Phishing Kit 9776441

Detects a SMBC phishing kit targeting Japanese users.

Exfiltration using Form2Chat

Form2Chat is a service that takes HTML form submissions and sends the results to an email address or instant messenger service. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.