Bancolombia Phishing Kit aUwvKPIV

Detects a phishing kit targeting Bancolombia, which is often deployed on replit.com. The kit uses api.ipify.org to fetch the victim's IP address. Harvested credentials are delivered to the scammer's Telegram channel.

Recent Detections

  • hxxps://dev-din4mic4bancoomb14[.]pantheonsite[.]io/bancolo
  • hxxp://bancolombi1a-actualiz4cion[.]pag3f0un[.]go[.]yj[.]fr/
  • hxxps://www[.]bancolombi1a-actualiz4cion[.]pag3f0un[.]go[.]yj[.]...
  • hxxp://sbancolombiaincio9t6[.]iceiy[.]com/?i=2
  • hxxps://04396a8d-6785-4758-8bd2-c40e487bea9f[.]id[.]repl[.]co/
  • hxxp://04396a8d-6785-4758-8bd2-c40e487bea9f[.]id[.]repl[.]co/
  • hxxps://widelikablepatterns[.]asesorcomercial[.]repl[.]co/
  • hxxps://dev-s20-90-o[.]pantheonsite[.]io/files
  • hxxp://cd60e2c9-6b25-4361-8a8e-bc74b0898b93[.]id[.]repl[.]co/
  • hxxp://validacionclavedina[.]useevali[.]repl[.]co/

IOK Rule

title: Bancolombia Phishing Kit aUwvKPIV
description: |
    Detects a phishing kit targeting Bancolombia, which is often deployed on `replit.com`. Uses `api.ipify.org` to fetch the victim's IP.
    Harvested credentials are delivered into the scammer's Telegram channel.

references:
    - https://urlscan.io/result/eec45a86-7b2e-4924-9d2a-70164653692e/
    - https://urlscan.io/result/c419e0d3-1a0d-49f3-814d-211027d681c8

detection:

    ip:
      html|contains|all:
        - $("#ip")
        - id="gfg"
        - id="address"

    img:
      html|contains|all:
        - src="index_files/imgPublicidad.jpg"
        - class="mua-imgLogoItem"

    form:
      html|contains:
        - onsubmit="return sender()"

    script:
      html|contains:
        - src="js/sax.js"
   
    condition: ip and img and form and script

tags:
  - target.bancolombia
  - target_country.colombia
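To show how the four selections above combine, here is a minimal evaluator for this rule run against two constructed pages. It is an added example, not phish.report's IOK engine: it assumes `html|contains|all` means every listed string must occur as a case-sensitive substring of the page HTML, `html|contains` means at least one must, and the `condition` ANDs the named selections. Both sample pages (`KIT_PAGE`, `BENIGN_PAGE`) are made up for the demonstration; the second one shares the generic `$("#ip")`/`id="gfg"` IP-lookup markers but none of the kit-specific image, form or script markers, which is why the rule needs the conjunction rather than the `ip` selection alone.

```python
"""Toy evaluator for the Bancolombia IOK rule (added example, not the IOK engine).

Modelled semantics (assumptions):
  html|contains|all  -> every listed needle is a substring of the HTML
  html|contains      -> at least one listed needle is a substring of the HTML
  condition          -> boolean AND over the named selections
"""

# The rule's detection block transcribed as data: "all" vs "any" mirrors the
# presence or absence of the |all modifier in the YAML above.
RULE = {
    "ip": {"all": ['$("#ip")', 'id="gfg"', 'id="address"']},
    "img": {"all": ['src="index_files/imgPublicidad.jpg"', 'class="mua-imgLogoItem"']},
    "form": {"any": ['onsubmit="return sender()"']},
    "script": {"any": ['src="js/sax.js"']},
}
# condition: ip and img and form and script
CONDITION = ["ip", "img", "form", "script"]

# Constructed page carrying every marker the rule looks for (not a real capture).
KIT_PAGE = """<html><head><script src="js/sax.js"></script></head>
<body>
<img src="index_files/imgPublicidad.jpg" class="mua-imgLogoItem">
<form onsubmit="return sender()"><input id="address" name="usuario"></form>
<div id="gfg"><span id="ip"></span></div>
<script>
  $.get("https://api.ipify.org?format=json", function (d) { $("#ip").text(d.ip); });
</script>
</body></html>"""

# Constructed lookalike: same generic IP-lookup snippet, none of the kit-specific
# image/form/script markers. The rule must NOT fire on this page.
BENIGN_PAGE = """<html><body>
<div id="gfg"><span id="address"></span></div>
<script>$("#ip").text("203.0.113.7");</script>
</body></html>"""


def match_selection(html: str, selection: dict) -> bool:
    """Apply one named selection using the modelled |all / any semantics."""
    if "all" in selection:
        return all(needle in html for needle in selection["all"])
    return any(needle in html for needle in selection["any"])


def evaluate(html: str, rule: dict = RULE, condition: list = CONDITION) -> dict:
    """Return each selection's result plus the overall 'matched' verdict."""
    results = {name: match_selection(html, sel) for name, sel in rule.items()}
    results["matched"] = all(results[name] for name in condition)
    return results


def failed_selections(html: str) -> list:
    """Names of the selections that did not match, in rule order (useful when tuning)."""
    results = evaluate(html)
    return [name for name in CONDITION if not results[name]]


if __name__ == "__main__":
    for label, page in (("kit page", KIT_PAGE), ("benign lookalike", BENIGN_PAGE)):
        verdict = evaluate(page)
        print(f"{label}: matched={verdict['matched']} failed={failed_selections(page)}")
```

Running the block prints `matched=True` for the constructed kit page and `matched=False` for the lookalike, with `img`, `form` and `script` listed as the selections that kept it from firing. When a real sample stops matching after a kit update, the same per-selection breakdown tells you which indicator moved.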