Facebook phishing kit with peculiar opengraph tags

A Facebook phishing kit which includes some peculiar OpenGraph tags originally from https://www.jpl.nasa.gov/news/testing-proves-its-worth-with-successful-mars-parachute-deployment

Recent Detections

  • hxxps://appeal-form-fb-copyright112515[.]firebaseapp[.]com/
    urlscan.io
  • hxxp://fb-metacase12412501239213[.]firebaseapp[.]com/
    urlscan.io
  • hxxps://business-appeal-form1928751[.]firebaseapp[.]com/
    urlscan.io
  • hxxp://business-appeal-form1928751[.]firebaseapp[.]com/
    urlscan.io
  • hxxp://fb-metacase12412501239213[.]web[.]app/
    urlscan.io
  • hxxps://fb-metacase12412501239213[.]firebaseapp[.]com/
    urlscan.io
  • hxxps://fb-metacase12412501239213[.]web[.]app/
    urlscan.io
  • hxxps://fb-metacase2358719082540918123[.]firebaseapp[.]com/
    urlscan.io
  • hxxps://fb-metacase158123700441[.]web[.]app/
    urlscan.io
  • hxxps://fb-metacase1352359182498215[.]firebaseapp[.]com/
    urlscan.io

IOK Rule (edit) 

title: Facebook phishing kit with peculiar opengraph tags
description: |
  A Facebook phishing kit which includes some peculiar OpenGraph tags originally from https://www.jpl.nasa.gov/news/testing-proves-its-worth-with-successful-mars-parachute-deployment 

detection:
  ogTags:
    html|contains:
      - <meta property="og:title" content="Testing Proves Its Worth With Successful Mars Parachute Deployment">
      - <meta property="og:description" content="Testing Proves Its Worth With Successful Mars Parachute Deployment" />

  newsArticle: # the HTML tags are also present on the original page so exclude some text from that article
    html|contains:
      - "The giant canopy that helped land Perseverance on Mars was tested here on Earth at NASA’s Wallops Flight Facility in Virginia."
  condition: ogTags and not newsArticle

tags:
  - target.facebook