Bancolombia Phishing Kit nFimdX

Detects a phishing kit targeting Bancolombia. This was found as a result of this kit being deployed on Replit.

This kit has a different message than others. (Enter your current data to cancel the blocking of your Dynamic Key)

References

IOK Rule (edit)

title: Bancolombia Phishing Kit nFimdX
description: |
    Detects a phishing kit targeting Bancolombia.
    This was found as a result of this kit being deployed on Replit.
    
    This kit has a different message than others.
    (Enter your current data to cancel the blocking of your Dynamic Key)


references:
    - https://urlscan.io/result/aa740cd0-4425-41f3-ba8d-d6c21d40f6a3/
    - https://urlscan.io/result/c7261902-0d35-4580-900d-1ba95c77c5fd/
    - https://urlscan.io/result/423ae757-e8a2-4b1e-b740-d8fca8d40391/

detection:

    form:
      html|contains: form action="data.php" method="post" class="form_contact"

    image:
      html|contains: <img src="css/c4.

    background:
      html|contains|all:
        - <img _ngcontent-awt-c52="" src="./css/trazo1.png" alt="" class="trazo1">
        - <img _ngcontent-awt-c52="" src="./css/trazo2.png" alt="" class="trazo2">
        - <img _ngcontent-awt-c52="" src="./css/trazo3.png" alt="" class="trazo3">

    condition: form and image and background

tags:
  - kit
  - target.bancolombia
  - target_country.colombia