IOK Rules

Base64-encoded document body

To evade static analysis, the document body can be returned base64-encoded in the response, where JavaScript decodes it and appends it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.

Facebook Phishing Kit 7d71c1c

Detects a Facebook phishing kit targeting Polish-speaking users. It uses the same login form structure across all domains as well as the same name for the logo file.

Fake Chrome error page

The Chrome error page HTML is built into the browser: you should never see it in the response from a website. This is a clear sign that the site is employing cloaking/anti-analysis techniques.

Camouflaged Okta phishing kit

Okta is a Single Sign-On (SSO) provider used by many enterprises, and this phishing kit targets those enterprises. It aims to steal the victim's email address, SSO password, and MFA details. To decrease the victim's suspicion this kit (like many) includes details specific to the targeted company, e.g. their name and logo. However, unlike similar kits, this is hardcoded per instance of the phishing site and isn't dynamic based on the victim's email.

![Screenshot of one of these camouflaged Okta phishing kits (in this case, actually targeting Okta's own employees). [Via urlscan.io](https://urlscan.io/result/63fc7edd-116c-4128-a934-8ad6c9ad76e2/)](/static/63fc7edd-116c-4128-a934-8ad6c9ad76e2-BIDTSTDO.png)

The same frontend code (HTML, CSS, and JS) is deployed regardless of the company being targeted, but the company name and logo are provided by the C2 server.

### Capabilities

From analysing the code it appears this kit is set up to:

* Steal email address and password
* Capture MFA codes
* Push the download of a (trojanized?) remote desktop tool `AnyDesk.exe`

### Timeline

So far, the earliest observed appearance of this campaign was on July 1st ([urlscan.io](https://urlscan.io/result/4125359d-3fea-4161-b0a9-bed1e3c04e16)). This is a slightly earlier version of the phishing kit (referencing slightly different JS files) and was last seen on July 13th. The more recent version of the kit (using the JS filenames referenced in this rule) was first observed on [July 17th](https://urlscan.io/result/0c7aba52-edf4-4280-9bc5-783fb8c93d87/).

### Attack Infrastructure

Unlike many less sophisticated kits, this isn't deployed on a PHP hosting provider but is instead deployed on virtual machines (usually provided by Digital Ocean or Vultr).

* Frontend assets (HTML/JS/CSS) are loaded from the domain itself
* The config (for example, which logo to display) is loaded from a separate, non-HTTPS endpoint hosted on port 8080 on the same server

```mermaid
graph LR
  subgraph C2[Attack Infrastructure]
    Domain[Lookalike Domain] --> IP[Server IP]
  end
  Browser[Victim's Browser] -->|Load frontend: GET https://domain| Domain
  Browser -->|Fetch name and logo: GET http://ip:8080/api/app/settings| IP
```

Most infrastructure is unique to each attack, but there's occasionally some crossover:

* [45[.]63[.]39[.]151](https://urlscan.io/ip/45.63.39.151) has been seen targeting multiple companies.
* [mailchimp-help[.]com](https://urlscan.io/domain/mailchimp-help.com) has been observed targeting multiple companies.

Discord phishing kit 4540135

Discord phishing kit containing an image (sha256: `8c89c4f3023d02b04197a30ca20f42ca7eb2634e1432ffff7b9d641a1f71a066`) that only appears in phishing pages.

Discord Nitro phishing kit 7a09ee6

Discord Nitro phishing kit containing a reused image asset.

Fake Not Found page

A common way for phishing sites to avoid detection is by presenting a fake 404 error page when requested using the "wrong" User Agent (or from the wrong GeoIP location). These fake error pages exactly mimic the HTML of an Apache 404 page, but unless the threat actor has configured their site to hide it, there are two giveaways that it's fake:

- It sends an `X-Powered-By: PHP` header
- It sets a `PHPSESSID` cookie

These are both clear evidence that the 404 page has been generated by PHP and not by Apache.

reCAPTCHA

To make it harder for analysts to get a good capture of a phishing site, some are using Google's reCAPTCHA service.

Shopify phishing kit f7ejw

Shopify phishing kit containing a high-entropy CSRF token (and a CSP nonce!) which should be a high quality indicator.

Steam Phishing Kit 4f8189ec

Steam Phishing Kit that uses a fake Steam login window to steal user credentials.

testcookie NGINX anti-bot

`testcookie-nginx-module` is a basic anti-bot mechanism using a JavaScript-based challenge to defeat simple analysis by sandboxes which don't evaluate JavaScript.

Banco Galicia Phishing Kit bd53a32

Detects a Banco Galicia phishing kit that is deployed quite often on replit.com.

Base64 & URL-encoded document body

To evade static analysis, the document body can be wrapped in several JavaScript functions such as `decodeURIComponent` and `atob`. This helps defeat simple scanners which don't evaluate JavaScript.

Coinbase clone generic

Detects a cloned version of an older Coinbase website that uses the same `amplitude.js` API key as well as the same Google Site Verification keys that Coinbase used to use.

Discord Hypesquad phishing kit strolly

Discord Hypesquad phishing kit containing a comment left behind by the supposed developer of the kit, as well as generic images used across different versions of the kit.

Facebook phishing kit displaying a login form

A Facebook phishing kit displaying a login form

Facebook phishing kit with peculiar opengraph tags

A Facebook phishing kit which includes some peculiar OpenGraph tags originally from https://www.jpl.nasa.gov/news/testing-proves-its-worth-with-successful-mars-parachute-deployment

HTTrack Website Copier

HTTrack is an open source tool to save a website and all its dependencies to disk. It's used by phishers to quickly clone a target website to get a pixel-perfect clone they can adapt into a phishing kit. It's particularly liked by phishers because it tries to ensure that *all* resources are saved offline, and none are left being loaded from the original server.

Amazon Phishing Kit 28bd59a

Detects an Amazon phishing kit targeting Japanese users. This kit is dynamically generated by JavaScript.

DPD Phishing Kit 1550321

Detects a DPD phishing kit using the same fake parcel ID to lure victims in; it additionally reuses the same file names and paths for various kit assets.

rot13 encoded body

To evade static analysis, the document body can be returned in the response with each character rotated by some fixed amount, where JavaScript decodes it and appends it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.

Shopify phishing kit 45ca55e3

Shopify phishing kit containing a high-entropy device identifier which should be a high quality indicator.

Shopify phishing kit NCv2F

Shopify phishing kit containing a high-entropy CSP nonce which should be a high quality indicator.

123 Reg phishing kit 63c26

123 Reg phishing kit containing a high-entropy CSRF token which should be a high quality indicator.

Nuevo Banco del Chaco Phishing Kit ri0z68ca

Detects a Nuevo Banco del Chaco phishing kit using a form action URL and a CSRF token that only appears in this kit. Deployed often on replit.com.

Wise Phishing Kit d777126

Wise phishing kit which uses the same sentry.io API key across various domains.

An Post Phishing Kit 7b94e511

Detects an An Post phishing kit that uses the same fake tracking ID across multiple domains.

DHL Phishing Kit f8e6d46

Detects a DHL phishing kit that has several indicators exclusive to the kit itself, such as the endpoint where the credentials are exfiltrated to and the name of the credit card validation function.

Exfiltration using formpost.app

formpost.app is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Hex-encoded document body

To evade static analysis, the document body can be returned hex-encoded in the response, where JavaScript decodes it and appends it to the DOM. This helps defeat simple scanners which don't evaluate JavaScript.

Luno crypto exchange phishing kit beb8d53

Luno crypto exchange phishing kit that has a high-entropy string set as the `origin-trial` value.

USPS Phishing Kit 9514901

Detects a USPS phishing kit that uses the same fake tracking ID & same stylesheet on every phish.

Exfiltration using FormSubmit.co

FormSubmit is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Generic crypto scam f634ac3

Generic Crypto Scam phishing kit using the same Smart Support Chat API key on different domains.

Microsoft Tech Support Kit d94c3cf

Detects a Microsoft tech support kit targeting Japanese-speaking users. It uses the same name for the warning audio file as well as the same class `name` attribute for the banner elements.

Camouflaged Okta kit (old)

An older version of the Okta phishing kit [described here](https://phish.report/IOK/indicators/okta-5844ad4).

Shopify phishing kit 89NDeg

Shopify phishing kit containing a high-entropy CSRF token which should be a high quality indicator.

Exfiltration using ActionForms

ActionForms is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Metamask Phishing Kit 604ec65

Metamask phishing kit built with WebFlow; it can be flagged because the same WebFlow site key appears in each phish.

Westpac phishing kit c5c1bfe0

Westpac phishing kit which uses the same CSS files and directory structure across various domains.

Banco de la República (eBROU) Phishing Kit g5d6u78z

Detects a Banco de la República phishing kit using a form action URL and CSS files that only appear in this kit. Deployed often on replit.com.

Exfiltration using Form2Chat

Form2Chat is a service that takes HTML form submissions and sends the results to an email address or instant messenger service. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

WebScrapBook website cloner

WebScrapBook is a Chrome extension used by phishers to clone target websites. Github: https://github.com/danny0838/webscrapbook

"Validate your account" countdown timer

This phishing kit (reported on by Cofense in 2022, but first seen on urlscan.io in 2018) has a live countdown until a user's email is supposedly "deleted from our server".

Patelco phishing kit 48ba653f

Patelco phishing kit which uses the same stylesheet and form error id across various domains.

Santander Phishing Kit d639dea

Detects a Santander phishing kit using the same stylesheet filename on each domain, also includes an indicator referring to a `div` element's `id` attribute as "shittymodal".

Shopify phishing kit c546c6a9

Shopify phishing kit containing a high-entropy device identifier which should be a high quality indicator.

Banco de la Nación Phishing Kit 0blz45du

Detects a Banco de la Nación phishing kit using a form action URL and a button ID that only appears in this kit. Deployed often on replit.com.

Generic Email ec34bc68

A generic email phishing kit loading CSS from an appspot project using a hard-coded access token.

Adobe Phishing Kit 5c70696

Adobe phishing kit which uses the same `template` element `id` attribute as well as having the same value inside the `noscript` tags.

Commbank phishing kit displaying a fake login

Commbank phishing kit displaying a fake login

Facebook phishing kit displaying a faked post

A Facebook phishing kit displaying a faked post

Exfiltration using NoCodeForm

NoCodeForm is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Save Page WE website saver

Save Page WE is a Chrome extension used by phishers to clone a target website and save it as a single HTML file. Unlike HTTrack (another commonly used tool):

* It's a browser extension, so it doesn't require any additional tools to be installed.
* It saves pages as a single HTML file (with all assets embedded in it), which makes the resulting kit more portable and easier to deploy.

SingleFile website cloner

SingleFile is a Chrome extension allowing you to save a complete webpage (HTML, CSS, JS, etc.) into a single file.

Dubai Islamic Bank Phishing Kit e6f3d238

Dubai Islamic Bank Phishing Kit that uses a fake login page

Discord Phishing Kit 664a17b

Discord phishing kit that uses an external application invite as a lure, as well as the real DiscordServer Discord bot logo to make it seem legitimate. Once the user clicks the button labelled "Authorize", it opens a pop-up window that crudely mimics the Discord login page. This rule uses the fact that the same CSS file name is used across all domains that use this kit.

ipapi

ipapi is a GeoIP service allowing you to get the country code and other information from an IP address. It's regularly used by phishing kits which want to hide themselves from analysts outside the country they're targeting. This is a very naive approach (often the entire phishing site is loaded and the visitor is then immediately redirected away from it), but it is often enough to evade basic sandboxes.

Microsoft Tech Support Kit 0589be7

A Microsoft tech support kit containing an audio file used across many different domains, as well as a JS function used to extract the phone number from the URL parameters.

Shopify phishing kit YgjX6

Shopify phishing kit containing a high-entropy CSP nonce which should be a high quality indicator.

Suncoast Credit Union Phishing Kit 4c74e401

Detects a Suncoast Credit Union phishing kit that uses the same commented out JS and static VIcurrentDateTime value on all domains.

Facebook Phishing Kit 887906f

Detects a Facebook phishing kit targeting Vietnamese users, using sexual lures such as 'Vietnamese Sexy Beauty Group'.

Banco Santa Fe phishing kit 9d6d57a2

Banco Santa Fe phishing kit which uses the same CSS and JS files.

HSBC phishing kit ea738a3

HSBC phishing kit which uses the same fake login detected HTML element across various domains.

UPS Phishing Kit 69b689e

Detects a UPS phishing kit using a fake parcel ID to lure victims in; it additionally has an unchanging high-entropy string assigned as the `data-upstoken` attribute of an HTML element within the page, possibly left behind when the original UPS page was cloned.

Banco Promerica Phishing Kit ef73ish1

Detects a Banco Promerica phishing kit with images and form action URL that only appears in this kit. Deployed often on replit.com.

Cazanova phishing kit

Cazanova is the alias of a prolific phishing kit creator. Lucky for us, they like to sign their work by using `cazanova` for their cookie name rather than the default `PHPSESSID`, which makes it simple to identify their work.

Discord phishing kit 8c89c4f

Discord phishing kit containing an image URL that only appears in phishing pages.

Exfiltration using formspree.io

Formspree is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Generic crypto scam 0694191

Generic Crypto Scam phishing kit that includes a reference to the owner of the website via an HTML link tag.

Exfiltration using getform.io

getform is a service that takes HTML form submissions and sends the results to an email address. It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Mark of the Web

The "Mark of the Web" is an Internet Explorer compatibility feature inserted into HTML by browsers when using their "Save webpage" feature. The comment includes the original URL that the HTML was cloned from.

Santander Phishing Kit 5d1468e

Detects a Santander phishing kit targeting Polish victims. This kit uses the website-cloning browser extension [WebScrapBook](https://chrome.google.com/webstore/detail/webscrapbook/oegnpmiddfljlloiklpkeelagaeejfai?hl=en) to clone the original page. Github: https://github.com/danny0838/webscrapbook

S-Pankki phishing kit d612de8e

S-Pankki phishing kit which uses the same hidden value across various domains.