Shopify phishing kit f7ejw

Shopify phishing kit containing a high-entropy CSRF token (and a CSP nonce!), which should be a high-quality indicator.

References

Recent Detections


IOK Rule

title: Shopify phishing kit f7ejw
description: |
  Shopify phishing kit containing a high-entropy CSRF token (and a CSP nonce!) which should be a high quality indicator.
references:
  - https://urlscan.io/result/bafbb146-c90d-4f19-891e-db6d332be29a

detection:
  csrfToken:
    html|contains: '<meta name="csrf-token" content="f7EjwKRXeUkAp9TxjMR9koiEDewrY9iooSlNrJ67DtV7xk3YG670riERA1yG9bWmS7UCMEdN6tdUPOe1dhM3rg">"'

  nonce:
    html|contains: 'nonce="OVNRlWz7CUGKZN3C2p1cfJiPQfLab8lEY/5N/VdloUw="'

  condition: csrfToken or nonce

tags:
  - kit
  - target.shopify
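
The reasoning behind the rule above, as an added example that is not part of the rule itself: a CSRF token or CSP nonce is meant to be generated fresh per session or per response, so the same value served by unrelated hosts points to a copied page. The sketch generalizes from the rule's two fixed strings to any reused token; the function names, host names and token values are constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser


class TokenExtractor(HTMLParser):
    """Collect csrf-token <meta> contents and nonce="..." attribute values."""

    def __init__(self):
        super().__init__()
        self.tokens = set()

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v}  # drop valueless attributes
        if tag == "meta" and a.get("name", "").lower() == "csrf-token" and "content" in a:
            self.tokens.add(("csrf-token", a["content"]))
        if "nonce" in a:
            self.tokens.add(("nonce", a["nonce"]))


def reused_tokens(pages, min_hosts=2, min_len=20):
    """pages: iterable of (host, html) pairs from separate fetches.

    Returns {(kind, value): [hosts]} for each token of at least min_len
    characters served byte-for-byte by min_hosts or more distinct hosts.
    """
    seen = defaultdict(set)
    for host, html in pages:
        parser = TokenExtractor()
        parser.feed(html)
        for kind, value in parser.tokens:
            if len(value) >= min_len:  # ignore short, low-entropy values
                seen[(kind, value)].add(host)
    return {tok: sorted(h) for tok, h in seen.items() if len(h) >= min_hosts}


# Constructed sample input: hosts and token values are made up.
KIT = ('<meta name="csrf-token" content="CONSTRUCTEDcsrfTOKENvalue0123456789abcdef">'
       '<script nonce="CONSTRUCTEDnonceVALUE0123456789=">/* ... */</script>')
SAMPLE_PAGES = [
    ("shop-login.example", KIT),
    ("payout.example.net", KIT),  # same bytes on an unrelated host
    ("legit-store.example.org",
     '<meta name="csrf-token" content="freshPerSessionValue_9f3a1c7e5b2d">'
     '<script nonce="perResponseNonce_71b0c4e2aa==">/* ... */</script>'),
]

if __name__ == "__main__":
    for (kind, value), hosts in reused_tokens(SAMPLE_PAGES).items():
        print(kind, value, hosts)
```

Values flagged this way are candidates for `html|contains` conditions like the two in the rule.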