Navy Federal Credit Union Phishing Kit 7fh9xqpk

Navy Federal Credit Union phishing kit cloned with Save Page WE. The kit uses the obfuscated function _f0 to send credentials to a telegram chat. Save Page WE is a chrome extension used by phishers to clone a target website and save it as a single HTML file

References

IOK Rule (edit) 

title: Navy Federal Credit Union Phishing Kit 7fh9xqpk
description: |
  Navy Federal Credit Union phishing kit cloned with Save Page WE.
  The kit uses the obfuscated function `_f0` to send credentials to a telegram chat.
  Save Page WE is a chrome extension used by phishers to clone a target website and save it as a single HTML file

references:
  - https://urlscan.io/result/0b9420f8-5aa2-442f-9e0c-ec3813aaea2a
  - https://urlscan.io/result/65e0bb5b-76f0-45a1-a60f-af9971ea83ca

related:
  - id: savepage-we

detection:
  pageTitle:
    title: "Navy Federal Credit Union - Our Members are the MissionĀ®"

  cloned:
    dom|contains: "Thu Mar 25 2021 16:38:13 GMT+0300 (East Africa Time)"

  javascript:
    js|contains|all:
      - "sendEmail"
      - "function _f0"

  condition: all of them

tags:
  - kit
  - target.navyfederal