Santander Phishing Kit 5d1468e

Detects a Santander phishing kit targeting Polish victims, this kit uses the website cloner browser extension known as WebScrapBook in order to clone the original page.

Github: https://github.com/danny0838/webscrapbook

References

IOK Rule (edit) 

title: Santander Phishing Kit 5d1468e
description: |
    Detects a Santander phishing kit targeting Polish victims,
    this kit uses the website cloner browser extension known as 
    [WebScrapBook](https://chrome.google.com/webstore/detail/webscrapbook/oegnpmiddfljlloiklpkeelagaeejfai?hl=en) in order to clone the original page.
    
    Github: https://github.com/danny0838/webscrapbook
    
references:
    - https://urlscan.io/result/5d1468ef-2285-4677-9119-c4a1e0c7944d
    - https://urlscan.io/result/b5ff7e40-1c5a-40e0-8548-43c433a2093c
    - https://urlscan.io/result/5b593eca-dbad-4e34-8bfe-433d390182c6

detection:

    originalPageCloned:
      html|contains: 'data-scrapbook-source="https://www.centrum24.pl/centrum24-web/crypt.FJ-rRNimGjjwtNGWNgRdqg/FJ-f8"'

    hiddenInputValue:
      html|contains: 'WETfMAjCP8FO0Q9m87KOMPgf24dSkiqXHus9o5r0oV2Bd8N/j+6ZviYwFjdNurGsTw1jvVP6lw27Iy2rSqavwRlSQ63B9PMMqmlSdbIeDojxFYhHbvS4P29jQAswBb4jRu4dnRRawI8ddwrHxVUG4InQmFUyz3B82WmfR1sSCNqaDu3+4Z6VHq5lMtPp1uUNd9JdsAeSZUTU9jCZvmdLVdvQYM75SOwCq+UaL7Z/8/upXtSMtaf9DBs/D0/bqkgMhok6D0fQysrwP3Yn96HnIakuAAA/oQf6bbJyUQJCSf+JIqUUpa0FKVC6JebzmWqr/zl6kfHMMsonE4yKkpwz4Q==|rHu3U6iZMrRnCxA04EfxbKC+AYkhwc9QV6lZ6oZtuDlr34YJCyjhTf8Ie1NXiNQ6nQkZK3xD6lE/mM2XqFD7C0FQh0uFaDvpHDuGJDF5MFo2Z6xID4MPwXszUuX9LTm3y8noU0aLaSKi5hxE2+gAUjaSzOrlUJ87td8VLgwmtWoy6yktcJBtmyJoRtN9oYOi0ssC0Wa8j+3Cc/PH/OgfIYxaeaUK0sSZlvwizB1NnBrId/tnrFVI5EOQQoZE31NDnkJjuRki/dJMobs5QE3S0kWCsxYnGdn42TJv+xQwk1QbqQ3Vqb9WSS3t+3j2Q9TfpSULCJhgZCVJ6+C6kefQvQ==|WjELHLr214ofTPnwZwwrJoCka805eaRDfVuEcoK+v0jd7oJRSWRXlS+bH28eTZ1nEXxuxlHbNEnOAtWTZzToibHdk1MJ1Pr8uR/Z2eO0isUys8s7Ccj8+vQUbpL5vu5MZ8ndGm5V+8/MfllugFHbszpQ19/hvAeOhWP9dqewayd34VdkWbTDAt6kQ6Zqo7s9gaNakXpoO3AxTbwErjxo8WjxtBMp6HCBcpbGlQjKPOdii3YPFSIS0kjxvWk1up+iI/KVPsjP1uLtiXZqYnQnaL8a3Fm3Kuxa/yGnnbqWSIFz5WZU3FI0+iSIUyWGMJpAFrZ7VEPwgzZ2n+wVoYw7Ng==|WuP01r09HnWK8iDaEPhx0RB+QD4YWgFCj1MbD+zR/NQ55oSccXLpu5h0WV3XNwoe2lpfxPZ3nPW6XMuIZDlE49iQbar3Mo/ElrTpp3Sasg+4vkNQofD7V0VzxclBG007iiIiEVyn2sk/2v7VTeoapbcg9DEVXLwOakKarbYmdDO/1o+wIpeeOCrMdEgHGpJBqsBFmeuW1xEicslX3Zuv5HIqx406/JoaNlb9Q3vLflEJHjZOXVGI3pUD8bUnUXaCMkub3xxMsI0jPCMmkBukSE9JzBb1Kk5Z0V4nr1OAM+wVM7D6nZnkIl373LmerRGfMIinzTKSyCWygbjPJm385Q=='
    
    condition: originalPageCloned and hiddenInputValue

tags:
  - kit
  - target.santander
  - target_country.poland