Square Enix FFXIV Gil Phishing Kit

Detects a phishing kit targeting square-enix.com with a fake FFXIV forum gil giveaway. Phishing kit consists of two pages, a forum page and a login page.

References

Recent Detections

  • hxxps://forum[.]square-enix[.]com-tw[.]top/ffxiv/forums/935271
  • hxxps://forum[.]square-enix[.]com-eh[.]top/ffxiv/forums/817945
  • hxxp://forum[.]square-enix[.]com-in[.]top/ffxiv/forums/957741/
  • hxxps://forum[.]square-enix[.]com-in[.]top/ffxiv/forums/957741
  • hxxps://forum[.]square-enix[.]com-hj[.]top/ffxiv/forums/914752
  • hxxps://forum[.]square-enix[.]com-ht[.]top/ffxiv/forums/831479/r...
  • hxxps://forum[.]square-enix[.]com-ht[.]top/ffxiv/forums/831479/
  • hxxp://forum[.]square-enix[.]com-qh[.]top/ffxiv/forums/939471/re...
  • hxxp://forum[.]square-enix[.]com-qh[.]top/ffxiv/forums/939471/
  • hxxps://forum[.]square-enix[.]com-rg[.]top/ffxiv/forums/819473/

IOK Rule (edit)

title: Square Enix FFXIV Gil Phishing Kit

description: |
  Detects a phishing kit targeting square-enix.com with a fake FFXIV forum gil giveaway.
  Phishing kit consists of two pages, a forum page and a login page.

references:
  - https://urlscan.io/result/654111fb-82ac-4973-880f-bbaec82694b9/
  - https://urlscan.io/result/67b4fe92-f667-4201-a310-2cd2cf72af8a/
  - https://urlscan.io/result/9e171326-b335-498c-a68f-63e1e16a4499/
  - https://urlscan.io/result/e056ca66-5288-4fb6-8a47-06e03b0f1eba/

detection:

  forumScam:
    html|contains|all:
      - 'threads/429347-Healers-and-6.0-What-we-can-learn-from-AST-and-what-I-d-like-to-see-going-forward'
      - '300M Gil Raffle'

  loginPage1:
    html|contains|all:
      - '.php" method="post"'
      - 'Square Enix ID'
      - 'Square Enix Password'
      - 'One-Time Password'
      - 'name="key_value"'

  loginPage2:
    html|contains|all:
      - '<form id="loginForm" name="login" method="post" action="'
      - '.php">'
      - 'Square Enix ID'
      - 'Square Enix Password'

  condition: forumScam or loginPage1 or loginPage2

tags:
  - kit
  - target.square-enix