Cazanova phishing kit | phish.report

Cazanova is the alias of a prolific phishing kit creator. Lucky for us, they like to sign their work by using cazanova for their cookie name rather than the default PHPSESSID, which makes it simple to identify their work.

References

https://www.wmcglobal.com/blog/cazanova-morphine-kit-deep-dive

Recent Detections

hxxps://www[.]bofa[.]misecure[.]com/

urlscan.io
hxxps://ogoutttwere[.]work[.]gd/

urlscan.io
hxxps://tenplus[.]vn/wp-admin/cox1/0/authen

urlscan.io
hxxps://homieonlineverifyupdate[.]work[.]gd/

urlscan.io
hxxps://thoitrang[.]gcosoftware[.]vn/wp-admin/-/-/cox1/0/authen

urlscan.io
hxxps://vinhomes[.]gcosoftware[.]vn/wp-admin/cox1/0/authen

urlscan.io
hxxps://monzo-account-login[.]com/

urlscan.io
hxxps://mn[.]is/wRIHc?45656v64b564564b5645

urlscan.io
hxxps://institutoarrayanes[.]edu[.]mx/

urlscan.io
hxxps://www[.]mt[.]misecure[.]com/

urlscan.io

IOK Rule (edit)

title: Cazanova phishing kit
description: |
  Cazanova is the alias of a prolific phishing kit creator.
  Lucky for us, they like to sign their work by using `cazanova` for their cookie name rather than the default `PHPSESSID`, which makes it simple to identify their work.
references:
  - https://www.wmcglobal.com/blog/cazanova-morphine-kit-deep-dive

detection:
  cazanovaCookie:
    cookies|startswith: "cazanova="

  condition: cazanovaCookie

tags:
  - threat_actors.cazanova