MUFG Phishing Kit 483cbea7

Detects a phishing page that targets Japanese users of MUFG (Mitsubishi UFJ Financial Group) Bank

This original page seems to have been cloned leaving a trace of the cloner's useragent in the hidden input elements of the website's login form

References

IOK Rule (edit)

title: MUFG Phishing Kit 483cbea7
description: |
    Detects a phishing page that targets Japanese users
    of MUFG (Mitsubishi UFJ Financial Group) Bank

    This original page seems to have been cloned leaving
    a trace of the cloner's useragent in the hidden input 
    elements of the website's login form
   
references:
    - https://urlscan.io/result/483cbea7-5acc-42d3-9e3b-c6d413df2ad6
    - https://urlscan.io/result/0e072075-0244-49fb-88e6-d09ebbbaaedc
    - https://urlscan.io/result/0088bf2a-18ac-4a83-9793-25c113e4c9f4
    - https://urlscan.io/result/6484b228-2b2e-45a4-bbc1-1b004cc26beb

detection:

  clonerUserAgent:
      dom|contains: 'Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1'

  redirectUrl:
      dom|contains: '/info.php?dilefa=iejfeafe454a56f4a8ew4fa684fa3efawe1faw5ef4awe64fa6w54'

  condition: clonerUserAgent and redirectUrl

tags:
  - kit
  - target.mufg
  - target_country.japan