Facebook Phishing Kit d47226ee

Facebook (Meta for Business) phishing kit that communicates with a master server/API in order to exfiltrate credentials entered.

This kit has several anti analysis capabilities, such as being able to redirect to a non-existent domain if the organization owning the IP address of the viewer is part of a pre-defined list, which is defined in the javascript code.

References

IOK Rule (edit)

title: Facebook Phishing Kit d47226ee
description: |
    Facebook (Meta for Business) phishing kit 
    that communicates with a master server/API
    in order to exfiltrate credentials entered.

    This kit has several anti analysis capabilities, 
    such as being able to redirect to a non-existent 
    domain if the organization owning the IP address 
    of the viewer is part of a pre-defined list, which
    is defined in the javascript code.
    
references:
  - https://urlscan.io/result/d47226ee-0e03-4978-a9b8-1719ed43cfa4
  - https://urlscan.io/result/3291f27f-c62d-4713-877c-91e7085af833
  
detection:
    
    kitAssets:
      requests|contains|all:
        - '62b0718b3254f2a8ab0f.png'
        - 'montserrat-latin-400-normal.acb6629fe45c43ad5d8b.woff2'
        
    kitAPI:
      requests|contains: 'flexflex.online'

    condition: kitAssets and kitAPI

tags:
  - kit
  - target.facebook