Facebook Phishing Kit 83d65db

Detects a Facebook phishing kit created by an
Indonesian threat actor, that uses the disguise of a victim's account being restricted and requires them to login again.

References

https://urlscan.io/result/83d65db8-13eb-4c5d-a3d9-3edcd549e01a

IOK Rule (edit)

title: Facebook Phishing Kit 83d65db
description: |
    Detects a Facebook phishing kit created by an   
    Indonesian threat actor, that uses the disguise 
    of a victim's account being restricted and 
    requires them to login again.

references:
    - https://urlscan.io/result/83d65db8-13eb-4c5d-a3d9-3edcd549e01a

detection:

    fakeCaseNumber:
      html|contains: '1008501933214'

    exfilPHPScript:
      html|contains: 'eriktohir.php'
    
    fullDateJSVariable:
      js|contains: 'tanggallengkap'

    condition: fakeCaseNumber and exfilPHPScript and fullDateJSVariable

tags:
  - kit
  - target.facebook