Banco de Galicia Phishing Kit vyk7k7oo

Detects a different Banco de Galicia phishing kit that is often deployed on replit.com. The kit uses JavaScript to dynamically load the login form HTML after you click on an SVG.

References

Recent Detections


IOK Rule

title: Banco de Galicia Phishing Kit vyk7k7oo
description: |
    Detects a different Banco de Galicia phishing kit deployed often on `replit.com`.
    This kit uses JavaScript to dynamically load the login form HTML after you click on a SVG.
    
references:
    - https://urlscan.io/result/8167a56a-1843-4704-bc2d-3b52b3e34192
    - https://urlscan.io/result/55813f6a-a910-461a-a0d2-0bae4574ae92/
    - https://urlscan.io/result/8167a56a-1843-4704-bc2d-3b52b3e34192/

detection:

    script:
      html|contains:
        - src="js/scrp.js"

    img:
      html|contains|all:
        - src="im/lg-gal.svg"
        - src="im/on-bn.svg"
        - class="lg-gal

    condition: script and img

tags:
  - target.bancogalicia
  - target_country.argentina
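
An added example, not part of the IOK project's code: a minimal evaluator for the rule above, run over constructed HTML, showing that it matches the kit's static landing page before the login form is loaded. It assumes Sigma-style modifier semantics (`contains` matches any listed value, `contains|all` requires every value) and uses exact-case substring matching as a simplification; the sample pages and function names are constructed for illustration.

```python
# Added example: evaluates this rule's two selections against constructed HTML.
# Assumption: "contains" = any listed value, "contains|all" = every listed value.

RULE = {
    "script": ("any", ['src="js/scrp.js"']),
    "img": ("all", ['src="im/lg-gal.svg"', 'src="im/on-bn.svg"', 'class="lg-gal']),
}


def selection_matches(html, mode, needles):
    """Plain substring test of each needle against the raw HTML."""
    hits = [n in html for n in needles]
    return all(hits) if mode == "all" else any(hits)


def evaluate(html):
    """Return per-selection results plus the rule condition 'script and img'."""
    result = {name: selection_matches(html, mode, needles)
              for name, (mode, needles) in RULE.items()}
    result["condition"] = result["script"] and result["img"]
    return result


# Constructed landing page: the login form is absent until the SVG is clicked,
# so only the static script and image references are available to match on.
# The class attribute carries an extra token; the substring class="lg-gal still hits.
KIT_LANDING = """<html><body>
<img class="lg-gal top" src="im/lg-gal.svg">
<img id="enter" src="im/on-bn.svg">
<script src="js/scrp.js"></script>
</body></html>"""

# Constructed near-miss: same script path, but only one of the kit's images.
UNRELATED = """<html><body>
<img class="logo" src="im/on-bn.svg">
<script src="js/scrp.js"></script>
</body></html>"""

# Constructed page that references both SVGs but loads a different script.
NO_SCRIPT = KIT_LANDING.replace("js/scrp.js", "js/app.js")

if __name__ == "__main__":
    for name, page in [("kit", KIT_LANDING), ("near-miss", UNRELATED),
                       ("no-script", NO_SCRIPT)]:
        print(name, evaluate(page))
```

The near-miss cases show why the condition combines both selections: a generic script path or a single shared image name alone does not trigger the rule.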