MyGovAU Phishing Kit d0a5f9fd

Detects a phishing kit using the MyGov Australia branding.

References

https://urlscan.io/result/d0a5f9fd-b960-47a5-8b44-3f9c7ffc9cd8
https://urlscan.io/result/d9b6c4f6-3f15-417c-bcc8-e03e9c91e702

IOK Rule (edit)

title: MyGovAU Phishing Kit d0a5f9fd
description: |
    Detects a phishing kit using the MyGov Australia branding.

references: 
    - https://urlscan.io/result/d0a5f9fd-b960-47a5-8b44-3f9c7ffc9cd8
    - https://urlscan.io/result/d9b6c4f6-3f15-417c-bcc8-e03e9c91e702

detection:
    chromeHTMLFragments:
        html|contains|all:
            - '<form id="mygov-login-form" aria-describedby="error-msg" class="mygov-login-form alternative" action="CONFIG/login_db.php"'
            - 'Sign in with myGov - myGov'
            - 'apiKey: "Gwhrue6nv7INVxMChew6XgpGD3_aLJ3imwX5OnvbETNpA"'

    stylesheet:
        html|contains|all: 
            - '/css/mgv2-application.css'
            - '/css/blugov.css'

    condition: chromeHTMLFragments and stylesheet

tags:
  - kit
  - target.mygovau