Facebook Appeal Form Phishing Kit 91f3caf

Detects a fake Facebook appeal form, that phishes for credentials, the kit was designed by an Arabic-speaking threat actor.

References

https://urlscan.io/result/1cc9fce4-7b0b-47bd-938d-ee2df6ab858b
https://urlscan.io/result/91f3caf0-6164-48da-9a28-3bf30f812500

IOK Rule (edit)

title: Facebook Appeal Form Phishing Kit 91f3caf
description: |
    Detects a fake Facebook appeal form, that 
    phishes for credentials, the kit was 
    designed by an Arabic-speaking threat actor.
    
references:
  - https://urlscan.io/result/1cc9fce4-7b0b-47bd-938d-ee2df6ab858b
  - https://urlscan.io/result/91f3caf0-6164-48da-9a28-3bf30f812500
    
detection:
  
  exfilCode:
    js|contains|all: 
        - 'desk-meta'
        - '/api/activity'
        - 'mpassword.php'
        - 'Rahmetli i ri'

  facebookLogo:
    html|contains: 'images/fbSmallLogo.png'
    
  appealForm:
    html|contains|all:
        - 'RegForm'
        - 'return submitForm()'
        - 'Help Center'
    

  condition: exfilCode and facebookLogo and appealForm
  
tags:
  - kit
  - target.facebook