Suncoast Credit Union Phishing Kit 4c74e401

Detects a Suncoast Credit Union phishing kit that uses the same commented out JS and static VIcurrentDateTime value on all domains.

References

IOK Rule (edit)

title: Suncoast Credit Union Phishing Kit 4c74e401
description: |
  Detects a Suncoast Credit Union phishing kit that uses the same commented out JS and static VIcurrentDateTime value on all domains.

references:
  - https://urlscan.io/result/4c74e401-5e7b-4c4b-89e4-2ebf29a086a8/
  - https://urlscan.io/result/6d788603-dedb-4ecc-85fc-2b8ff6dcef05/
  - https://urlscan.io/result/ecaa79cf-e514-48f4-a169-40446a3830c9/

detection:

  commentedOutJS:
    html|contains: '<script async type="text/javascript" src="ajax/css/images/custom/suncoast/sed-suncoast-46110420.js" id="_imp_apg_dip_" _imp_apg_cid_="sed-suncoast-46110420" _imp_apg_api_domain_="https://us.gimp.zeronaught.com"></script>'

  viCurrentDateTime:
    html|contains: '<meta name="VIcurrentDateTime" content="637791568414341755">'

  condition: commentedOutJS and viCurrentDateTime

tags:
  - kit
  - target.sccu