HSBC Phishing Kit ea738a3

HSBC phishing kit which uses the same fake login detected HTML element across various domains.

References

https://urlscan.io/result/ae98e500-1ff5-46f8-9cdc-3f433466bb2c/
https://urlscan.io/result/aa72b513-8260-46e6-a431-0d6e496fc4e3/
https://urlscan.io/result/ff7ef587-fa1c-4ad8-8258-caea477723b4/

IOK Rule (edit)

title: HSBC Phishing Kit ea738a3
description: |
    HSBC phishing kit which uses the same fake login detected
    HTML element across various domains.

references:
    - https://urlscan.io/result/ae98e500-1ff5-46f8-9cdc-3f433466bb2c/
    - https://urlscan.io/result/aa72b513-8260-46e6-a431-0d6e496fc4e3/
    - https://urlscan.io/result/ff7ef587-fa1c-4ad8-8258-caea477723b4/

detection:

    fakeLoginElement:
      html|contains|all:
          - "A login attempt was made in:"
          - "Location: Bangkok, Thailand"
          - "IP : 290.630.232.85"
          - "If this was NOT your please verify your credentials."

    condition: fakeLoginElement

tags:
  - kit
  - target.hsbc