Steam Phishing Kit jIwQMP

Detects a phishing kit impersonating Discord and targeting Steam users with a fake popup that opens when the "Get Nitro" button is clicked. The site promises to give you a free Discord Nitro subscription upon entering your Steam credentials.

This phishing kit has been discovered by the FishFish.gg team.

References

IOK Rule (edit)

title: Steam Phishing Kit jIwQMP
description: |
    Detects a phishing kit impersonating Discord and targeting Steam users with a fake popup that opens when the "Get Nitro" button is clicked. 
    The site promises to give you a free Discord Nitro subscription upon entering your Steam credentials.
    
    This phishing kit has been discovered by the FishFish.gg team.

references:
    - https://urlscan.io/result/7d69a2f2-047e-4e82-89ed-bac9d322c662/

detection:

    title:
      html|contains:
        - <title>Free Discord Nitro from Steam</title>

    css:
      html|contains|all:
        - link href="/c29e212f2e1d1360ad262d5e56437edf69d4b16111c5/6fce5123c54fab983c7d6685168525c2d9f7f5f5f161.css" rel="stylesheet"
        - link href="/c29e212f2e1d1360ad262d5e56437edf69d4b16111c5/609e858fb15ecb308dd736273f0c5a23e7ef90a6d7ed.css" rel="stylesheet"
        - link href="/c29e212f2e1d1360ad262d5e56437edf69d4b16111c5/800e2135483e49ce84fedb4c685bdc1e6065fea8f5e0.css" rel="stylesheet"
        - link href="/c29e212f2e1d1360ad262d5e56437edf69d4b16111c5/03269d738aed6b1925fa085ad5427e1dddd8a5144b09.css" rel="stylesheet"
        - link href="/c29e212f2e1d1360ad262d5e56437edf69d4b16111c5/4cd84e662b43c81f546a50a0df62bffa39a7a13915e4.css" rel="stylesheet"


    condition: title and css

tags:
  - kit
  - target.discord
  - target.steam