Banco Falabela Phishing Kit 5fed617

Detects a phishing kit targeting Banco Falabella (Colombia) users Deployed often on replit.com.

References

Recent Detections

  • hxxps://dev-aceptar-nuevo-aumento4[.]pantheonsite[.]io/index2.ph...
    urlscan.io
  • hxxps://dev-aceptar-nuevo-aumento4[.]pantheonsite[.]io/
    urlscan.io
  • hxxps://dev-autenticar-usuario-falabella[.]pantheonsite[.]io/
    urlscan.io
  • hxxps://fasldwo[.]webcindario[.]com/
    urlscan.io
  • hxxps://carloslios[.]herokuapp[.]com/
    urlscan.io
  • hxxps://php-web-server[.]crrmcredit2[.]repl[.]co/
    urlscan.io

IOK Rule (edit) 

title: Banco Falabela Phishing Kit 5fed617
description: |
    Detects a phishing kit targeting Banco Falabella (Colombia) users
    Deployed often on `replit.com`.
    
references:
  - https://urlscan.io/result/475d32ad-5860-4a50-aaa3-90226c022533
  - https://urlscan.io/result/c043ef62-8da3-49d1-92b0-b05a8a62d609

detection:

  googleJS:
    requests|contains: 'f(1).txt'

  jsFile:
    requests|contains: 'bfaf6gq7.js.descarga'
    
  condition: googleJS and jsFile

tags:
  - target.bancofalabella
  - target_country.colombia