Facebook Account Recovery Phishing Kit 0e420f8

Detects a Facebook phishing kit, telling the victim to enter their details to reactivate their account.

References

https://urlscan.io/result/0e420f8e-1743-41dc-82cd-13f3a2b73d28
https://urlscan.io/result/e2a62f41-1aa9-4de9-8e64-d3b56dcf958d

IOK Rule (edit)

title: Facebook Account Recovery Phishing Kit 0e420f8
description: |
    Detects a Facebook phishing kit, telling the victim
    to enter their details to reactivate their account.

references:
  - https://urlscan.io/result/0e420f8e-1743-41dc-82cd-13f3a2b73d28
  - https://urlscan.io/result/e2a62f41-1aa9-4de9-8e64-d3b56dcf958d

detection:

  fontStylesheet:
    requests|contains: 'https://db.onlinewebfonts.com/c/0c5e6f133b0b25edfed47aca4ab57676?family=Segoe+UI+Historic'

  pageStylesheet:
    html|contains: 'styles.c9105ee458e38d6dd088.css'

  condition: fontStylesheet and pageStylesheet

tags:
  - kit
  - target.facebook