Banco Galicia Phishing Kit bd53a32

Detects a Banco Galicia phishing kit deployed quite oftenly on replit.com

References

Recent Detections

  • hxxps://onlinebankgaliciahome[.]ZellePayment[.]repl[.]co
  • hxxps://GaliciaHomeBan1212[.]honNankinggalic[.]repl[.]co
  • hxxps://BankiingGalcom[.]login679[.]repl[.]co
  • hxxps://APPGALIC[.]Androidgl[.]repl[.]co
  • hxxps://unitspuerficialcaso17365[.]importtcaso4510[.]repl[.]co
  • hxxps://Verificaciondedatosx[.]BancaOnline1[.]repl[.]co
  • hxxps://365onlinebankingalerta365bancogaliciacomar[.]loging09901...
  • hxxps://ElectricNativeProjects[.]damingalic2[.]repl[.]co
  • hxxps://MemorableUniformCondition[.]confirmatehot[.]repl[.]co
  • hxxps://galic006[.]gali006[.]repl[.]co

IOK Rule (edit)

title: Banco Galicia Phishing Kit bd53a32
description: |
    Detects a Banco Galicia phishing kit deployed quite
    oftenly on replit.com
    
references:
    - https://urlscan.io/result/bd53a324-fc80-4bd5-801e-e9b3f10f3564
    - https://urlscan.io/result/c88ca20b-ab76-415e-90b5-08f36fcacedd

detection:

    formDefinition:
      html|contains: '<form action="secure.php" method="post" id="form1">'

    credentialFieldNames:
      html|contains|all:
        - 'name="sol"'
        - 'name="nahual"'
        - 'name="chaneque"'
   
    condition: formDefinition and credentialFieldNames

tags:
  - target.bancogalicia
  - target_country.argentina