Bancolombia Phishing Kit 3kyj5nlh

Recent Detections

  • hxxps://bancavirtualcol[.]passwortecovery[.]repl[.]co/
  • hxxps://9[.]8924[.]repl[.]co/
  • hxxps://adequatemonumentaldefinition[.]sasdisadsw[.]repl[.]co/
  • hxxp://aleplmju[.]bacolombiaconfi[.]repl[.]co/
  • hxxps://34569875[.]09886[.]repl[.]co/
  • hxxps://dev-colsecure-bancolombia[.]pantheonsite[.]io/
  • hxxp://alphan[.]762126[.]repl[.]co/
  • hxxps://sucursalbancolombiaproteccion[.]reactivar01[.]repl[.]co/...
  • hxxps://bancolombia-teprotege[.]denloque52[.]repl[.]co/
  • hxxps://burdensomemajorbacktick[.]bancolombixx[.]repl[.]co/

IOK Rule (edit)

title: Bancolombia Phishing Kit 3kyj5nlh
description: |
    Detects a different Bancolombia phishing kit deployed often on replit.com targeting Colombian citizens.

references:
    - https://urlscan.io/result/e5886efa-db1c-419b-8b34-cb7ea945cfc0
    - https://urlscan.io/result/40ceb859-6bb1-47ea-ad37-83f869ed75af
    - https://urlscan.io/result/a054c3a2-3598-4f5a-bc72-f2b93c56be48
    - https://urlscan.io/result/34e08ef5-de06-4355-81eb-08963daea67b
    - https://sucursalpersonas.transaccionesbancolombia.com/mua/USER

detection:

    css:
      html|contains|all:
        - href="./hfh/styles.css"
        - href="./hfh/bootstrap.css"
        - href="./hfh/jquery-ui.css"
        - href="./hfh/ui.css"

    form:
      html|contains:
        - form method="POST" id="main_form" autocomplete="off" action="index2.php"

    divs:
      html|contains|all:
        - div id="contenidoWeb"
        - div id="contenido"
        - div class="mua_tooltip_msg"

    imgs:
      requests|contains|all:
        - icc.png
        - 1es.png
        - imgPublicidad.png

    condition: css and form and divs and imgs

tags:
  - target.bancolombia
  - target_country.colombia