Facebook Phishing Kit 83d65db

Detects a Facebook phishing kit created by an
Indonesian threat actor, that uses the disguise of a victim's account being restricted and requires them to login again.

References

Recent Detections

  • hxxp://101505804668750pj[.]work[.]gd/verif.php
    urlscan.io
  • hxxp://168528620scrtymyacn[.]co[.]vu/verif.php
    urlscan.io
  • hxxp://14155972scrtyissue[.]co[.]vu/verif.php
    urlscan.io
  • hxxp://52007245acnscre[.]co[.]vu/verif.php
    urlscan.io
  • hxxp://127270494394021myacnscrt[.]co[.]vu/verif.php
    urlscan.io
  • hxxp://126201384637824notic[.]co[.]vu/verif.php?/notification-pa...
    urlscan.io
  • hxxp://126201384637824notic[.]co[.]vu/verif.php?//notification-p...
    urlscan.io
  • hxxp://126201384637824notic[.]co[.]vu/verif.php?//notification-p...
    urlscan.io
  • hxxp://42410742acnmyscrt[.]co[.]vu/verif.php
    urlscan.io
  • hxxp://3139166000548acnscr[.]co[.]vu/verif.php
    urlscan.io

IOK Rule (edit) 

title: Facebook Phishing Kit 83d65db
description: |
    Detects a Facebook phishing kit created by an   
    Indonesian threat actor, that uses the disguise 
    of a victim's account being restricted and 
    requires them to login again.

references:
    - https://urlscan.io/result/83d65db8-13eb-4c5d-a3d9-3edcd549e01a

detection:

    fakeCaseNumber:
      html|contains: '1008501933214'

    exfilPHPScript:
      html|contains: 'eriktohir.php'
    
    fullDateJSVariable:
      js|contains: 'tanggallengkap'

    condition: fakeCaseNumber and exfilPHPScript and fullDateJSVariable

tags:
  - kit
  - target.facebook