Steam Phishing Kit 732d40f3

IOK Rule (edit)

title: Steam Phishing Kit 732d40f3
description: |
    Detects Steam phishing pages that obtain their template
    configuration from `/api/getsiteconfig` 
references:
  - https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
  - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
  - https://urlscan.io/result/01e4685b-9001-4843-a50f-a41ad126fc8c
  - https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
  - https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
  - https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
  - https://urlscan.io/result/2acf7249-7864-4148-aa3a-161286fce118

detection:

    siteConfiguration:
        requests|contains: "/api/getsiteconfig/"
        
    loadedIFrame:
        dom|contains: '<iframe id="iframe" title="main" name="site" style="height: 0px; width: 0px; border: 0px; outline: none; z-index: 1000;"></iframe>'
        
    footerMessage:
        dom|contains: '<div style="font-size: 1px; font-family: &quot;Support Assets&quot;; color: rgba(0, 0, 0, 0.01);">Hello</div>'

    condition: siteConfiguration and loadedIFrame and footerMessage

tags:
  - target.steam
  - threat_actor_country.russia