Spox Chase Phishing Kit 8b20b051

Detects a phishing kit targeting users of Chase Bank.

The phishing kit is called Spox after the name of the kit author.

References

https://lukeleal.com/research/posts/spox-phishing-kit
https://urlscan.io/result/20608545-c0f1-4c39-b2d8-71c4b7270fa1
https://urlscan.io/result/8b20b051-31aa-4a2c-a40b-0493574a7372

IOK Rule (edit)

title: Spox Chase Phishing Kit 8b20b051
description: |
    Detects a phishing kit targeting users of Chase Bank.
    
    The phishing kit is called `Spox` after the name of the
    kit author.
    
references:
  - https://lukeleal.com/research/posts/spox-phishing-kit
  - https://urlscan.io/result/20608545-c0f1-4c39-b2d8-71c4b7270fa1
  - https://urlscan.io/result/8b20b051-31aa-4a2c-a40b-0493574a7372

detection:

  filepath:
    html|re: '(Spox|Crax)\/Files'
    
  signature:
    html|contains: 'name="spox" value="fuck_you_bot"'
    
  condition: filepath and signature

tags:
  - kit
  - threat_actor.spox
  - target.chase