Generic Latin America Bank Phishing Kit c419e0d

Detects a phishing kit targeting banks for Latin America, these kits are often deployed on replit.com. It uses api.ipify.org to fetch the victim's IP. Harvested credentials are delivered into the scammer's Telegram channel through the use of the sax.js script file.

References

IOK Rule (edit)

title: Generic Latin America Bank Phishing Kit c419e0d
description: |
    Detects a phishing kit targeting banks for Latin America, 
    these kits are often deployed on `replit.com`. 
    It uses `api.ipify.org` to fetch the victim's IP.
    Harvested credentials are delivered into the scammer's Telegram channel
    through the use of the `sax.js` script file.
    
references:
    - https://urlscan.io/result/eec45a86-7b2e-4924-9d2a-70164653692e/
    - https://urlscan.io/result/c419e0d3-1a0d-49f3-814d-211027d681c8

detection:

    ipDisplay:
      html|contains|all:
        - '$("#ip")'
        - 'id="gfg"'
        - 'id="address"'
 
    formFunction:
      html|contains: 'onsubmit="return sender()"'

    scriptFile:
      html|contains: 'src="js/sax.js"'
   
    condition: ipDisplay and formFunction and scriptFile

tags:
  - kit
  - target_region.latin_america