1Password Phishing Kit 191635

1Password phishing kit cloned from the legitimate 1password.com login page using Save Page WE.

The first detection was on August 16th although evidence in the kit (the Save Page WE savepage-date timestamp) suggests it was created August 11th.

Like many similar phishing kit, credentials are posted to send.php and then the victim is redirected to the 1password.com login form.

References

IOK Rule (edit)

title: 1Password Phishing Kit 191635
description: |
  1Password phishing kit cloned from the legitimate `1password.com` login page using Save Page WE.
  
  The first detection was on August 16th although evidence in the kit (the Save Page WE `savepage-date` timestamp) suggests it was created August 11th.

  Like many similar phishing kit, credentials are posted to `send.php` and then the victim is redirected to the `1password.com` login form.
  
references:
  - https://twitter.com/nevaluoto/status/1563817443256320001

detection:

  savepageDate:
    html|contains|all:
      - '<meta name="savepage-date" content="Thu Aug 11 2022 19:16:35 GMT+0500'
      - '<meta name="savepage-url" content="https://my.1password.com/signin?l=en">'

  condition: savepageDate

tags:
  - kit
  - target.1password