Banco de Galicia Phishing Kit vyk7k7oo

Detects a different Banco de Galicia phishing kit deployed often on replit.com. This kit uses JavaScript to dynamically load the login form HTML after you click on a SVG.

References

https://urlscan.io/result/8167a56a-1843-4704-bc2d-3b52b3e34192
https://urlscan.io/result/55813f6a-a910-461a-a0d2-0bae4574ae92/
https://urlscan.io/result/8167a56a-1843-4704-bc2d-3b52b3e34192/

IOK Rule (edit)

title: Banco de Galicia Phishing Kit vyk7k7oo
description: |
    Detects a different Banco de Galicia phishing kit deployed often on `replit.com`.
    This kit uses JavaScript to dynamically load the login form HTML after you click on a SVG.
    
references:
    - https://urlscan.io/result/8167a56a-1843-4704-bc2d-3b52b3e34192
    - https://urlscan.io/result/55813f6a-a910-461a-a0d2-0bae4574ae92/
    - https://urlscan.io/result/8167a56a-1843-4704-bc2d-3b52b3e34192/

detection:

    script:
      html|contains:
        - src="js/scrp.js"

    img:
      html|contains|all:
        - src="im/lg-gal.svg"
        - src="im/on-bn.svg"
        - class="lg-gal

    condition: script and img

tags:
  - kit
  - target.banco_de_galicia
  - target_country.argentina