Facebook phishing kit with peculiar opengraph tags

A Facebook phishing kit which includes some peculiar OpenGraph tags originally from https://www.jpl.nasa.gov/news/testing-proves-its-worth-with-successful-mars-parachute-deployment

Recent Detections

  • hxxps://business-page-appeal-125326-02[.]firebaseapp[.]com/
  • hxxps://business-page-appeal-129862-20[.]firebaseapp[.]com/
  • hxxp://appeal-form-fb-copyright112515[.]web[.]app/
  • hxxp://business-page-appeal-1043-2301[.]web[.]app/
  • hxxp://business-appeal-alert-16236-21[.]web[.]app/
  • hxxp://business-page-appeal-1234-2235[.]web[.]app/
  • hxxp://business-appeal-form192751[.]firebaseapp[.]com/
  • hxxp://business-appeal-form192751[.]web[.]app/
  • hxxp://business-appeal-form1928751[.]web[.]app/
  • hxxps://business-appeal-form192751[.]firebaseapp[.]com/

IOK Rule (edit)

title: Facebook phishing kit with peculiar opengraph tags
description: |
  A Facebook phishing kit which includes some peculiar OpenGraph tags originally from https://www.jpl.nasa.gov/news/testing-proves-its-worth-with-successful-mars-parachute-deployment 

detection:
  ogTags:
    html|contains:
      - <meta property="og:title" content="Testing Proves Its Worth With Successful Mars Parachute Deployment">
      - <meta property="og:description" content="Testing Proves Its Worth With Successful Mars Parachute Deployment" />

  newsArticle: # the HTML tags are also present on the original page so exclude some text from that article
    html|contains:
      - "The giant canopy that helped land Perseverance on Mars was tested here on Earth at NASA’s Wallops Flight Facility in Virginia."
  condition: ogTags and not newsArticle

tags:
  - target.facebook