Banco Galicia Phishing Kit bd53a32

Detects a Banco Galicia phishing kit deployed quite oftenly on replit.com.

References

Recent Detections

hxxps://webbedfullperformance[.]rafalhavca[.]repl[.]co/

urlscan.io
hxxps://floyn235692livaing[.]bussnees[.]repl[.]co/

urlscan.io
hxxp://floyn235692livaing[.]bussnees[.]repl[.]co/

urlscan.io
hxxp://sntprvateggalicia[.]sntmailsguridqd[.]repl[.]co/

urlscan.io
hxxps://sup[.]torrentepog[.]repl[.]co/

urlscan.io
hxxps://mutedutilizedblogsar--dia22092022[.]repl[.]co/

urlscan.io
hxxps://a60b1901-2875-476b-b75d-909eaed6f3ab[.]id[.]repl[.]co/

urlscan.io
hxxps://galitokendesblo[.]desblotokengali[.]repl[.]co/

urlscan.io
hxxp://bisqueaverageabstracttype[.]phpweservin[.]repl[.]co/

urlscan.io
hxxps://h0me-bank1ng00[.]fgrtherftgh[.]repl[.]co/

urlscan.io

IOK Rule (edit)

title: Banco Galicia Phishing Kit bd53a32
description: |
    Detects a Banco Galicia phishing kit deployed quite oftenly on `replit.com`.
    
references:
    - https://urlscan.io/result/bd53a324-fc80-4bd5-801e-e9b3f10f3564
    - https://urlscan.io/result/c88ca20b-ab76-415e-90b5-08f36fcacedd

detection:

    formDefinition:
      html|contains: '<form action="secure.php" method="post" id="form1">'

    credentialFieldNames:
      html|contains|all:
        - 'name="sol"'
        - 'name="nahual"'
        - 'name="chaneque"'
   
    condition: formDefinition and credentialFieldNames

tags:
  - target.bancogalicia
  - target_country.argentina