Detects a phishing page that uses the disguise of an intellectual property consent form of a crypto news site in order to lure users into installing a malicious bookmark that steals their Discord token.
title: Bookmark Grabber d7eb986c
description: |
Detects a phishing page that uses the disguise of an intellectual
property consent form of a crypto news site in order to lure users
into installing a malicious bookmark that steals their Discord token.
references:
- https://urlscan.io/result/d7eb986c-364b-4308-b434-a85888e6195a
- https://urlscan.io/result/82758014-7cff-475b-b9e9-7dc812252ebf
- https://urlscan.io/result/a54708a1-17ec-4a0f-89b7-134f37a25f02
- https://urlscan.io/result/8e9957cf-09dc-4fdd-bb66-c7cab5136815
detection:
iframe:
html|contains: "document.createElement('iframe')"
frame:
html|contains: "document.createElement('frame')"
localStorage:
html|contains: 'contentWindow.localStorage'
discordDomain:
html|contains: 'discord.com'
condition: (iframe or frame) and localStorage and discordDomain
tags:
- target.cryptoslate
- target.cryptodose
- target.datawallet