ipapi

ipapi is a GeoIP service that returns the country code and other information for an IP address. It's regularly used by phishing kits that want to hide themselves from analysts outside the country they're targeting.

This is a very naive approach (often the entire phishing site is loaded first and only then does the page redirect away), but it is often enough to evade basic sandboxes.

Recent Detections


IOK Rule

title: ipapi
description: |
  ipapi is a GeoIP service allowing you to get the country code and other information from an IP address. It's regularly used by phishing kits which want to hide themselves to analysts outside the country they're targeting.
  
  This is a very naive approach (often the entire phishing site is loaded but then immediately redirected away from), but is often enough to evade basic sandboxes.

detection:
  ipapiLookup:
    html|contains: "https://ipapi.co/"

  condition: ipapiLookup

tags:
  - cloaking
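The rule above applied to captured page HTML, as an added example (not the IOK project's own engine): it supports only the `html|contains` selector the rule uses, treats a list value as matching when any entry matches (an assumption borrowed from Sigma semantics), and runs against two constructed sample pages.

```python
# Evaluator for an IOK-style rule over captured page HTML (added example, not
# the IOK project's engine). Supports the `html|contains` selector the rule uses;
# a list value matches if any entry does (an assumption borrowed from Sigma).

# The rule above, transcribed into a dict so no YAML parser is needed.
IPAPI_RULE = {
    "title": "ipapi",
    "detection": {
        "ipapiLookup": {"html|contains": "https://ipapi.co/"},
        "condition": "ipapiLookup",
    },
    "tags": ["cloaking"],
}

# Constructed sample pages: one that asks ipapi.co for the visitor's country
# before deciding what to render, and a benign page for contrast.
CLOAKED_HTML = """<html><body><script>
fetch("https://ipapi.co/json/").then(r => r.json()).then(geo => {
  // the kit branches on geo.country_code here
});
</script><form id="login"></form></body></html>"""
BENIGN_HTML = "<html><body><p>Nothing to see here.</p></body></html>"


def selection_matches(selection: dict, page: dict) -> bool:
    """Every `field|modifier: value` entry in a selection must match."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = page.get(field, "")
        candidates = expected if isinstance(expected, list) else [expected]
        if modifier == "contains":
            if not any(c in value for c in candidates):
                return False
        elif modifier == "":  # no modifier: exact match
            if value not in candidates:
                return False
        else:
            raise ValueError(f"unsupported modifier: {modifier!r}")
    return True


def evaluate_rule(rule: dict, page: dict) -> bool:
    """Evaluate the condition: selection names joined by 'and' / 'or'."""
    detection = rule["detection"]
    result, op = False, "or"
    for tok in detection["condition"].split():
        if tok in ("and", "or"):
            op = tok
        else:
            hit = selection_matches(detection[tok], page)
            result = (result and hit) if op == "and" else (result or hit)
    return result
```

Because the rule keys only on the literal `https://ipapi.co/` string, a kit that proxies the lookup through its own backend is not caught; the page's own caveat about sandboxes applies in reverse here.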