Telekom Deutschland Phishing Kit 34f36ea7

Detects a Telekom Deutschland phishing kit.

The kit's authors did not remove the high-entropy strings that the original website generated for anti-CSRF purposes.

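References

- https://urlscan.io/result/34f36ea7-9998-47da-870d-565d0686fe20
- https://urlscan.io/result/d71f8de0-d3d3-49d5-bfe6-158bcf4faef4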

IOK Rule

title: Telekom Deutschland Phishing Kit 34f36ea7
description: |
    Detects a `Telekom Deutschland` phishing kit.
    
    This kit forgot to remove the high entropy strings
    generated by the original website used for anti-CSRF
    purposes.
    
references:
    - https://urlscan.io/result/34f36ea7-9998-47da-870d-565d0686fe20
    - https://urlscan.io/result/d71f8de0-d3d3-49d5-bfe6-158bcf4faef4

detection:

    csrfTokenName:
        html|contains: 'xsrf_rU86LhWL7rEI3N39kv0Evw'

    csrfTokenValue:
        html|contains: 'ELotLohGqbr24MkEJvabkg'

    transactionId:
        html|contains: 'cc832e58-f790-49f8-b8bc-1f64b300c52b'

    condition: csrfTokenName and csrfTokenValue and transactionId

tags:
  - kit
  - target.telekom_deutschland
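
The rule fires only when all three leftover strings appear in the same page. The following is an added example, not the IOK engine's code or part of the original rule page, that evaluates the rule's selections against constructed HTML. The form layout and the "tid" field name are assumptions, and only `html|contains` selections joined by `and` are handled.

```python
# Added example, not the IOK engine's code. The rule is copied from this page.
RULE = {
    "detection": {
        "csrfTokenName": {"html|contains": "xsrf_rU86LhWL7rEI3N39kv0Evw"},
        "csrfTokenValue": {"html|contains": "ELotLohGqbr24MkEJvabkg"},
        "transactionId": {"html|contains": "cc832e58-f790-49f8-b8bc-1f64b300c52b"},
        "condition": "csrfTokenName and csrfTokenValue and transactionId",
    }
}


def selection_hits(rule, html):
    """Return {selection name: matched?} for each `html|contains` selection."""
    hits = {}
    for name, body in rule["detection"].items():
        if name == "condition":
            continue
        (matcher, needle), = body.items()
        if matcher != "html|contains":
            raise ValueError(f"unsupported matcher {matcher!r} in {name!r}")
        hits[name] = needle in html
    return hits


def rule_matches(rule, html):
    """Evaluate a condition made only of selection names joined by `and`."""
    hits = selection_hits(rule, html)
    names = rule["detection"]["condition"].split(" and ")
    unknown = [n for n in names if n not in hits]
    if unknown:
        raise ValueError(f"condition names unknown selections: {unknown}")
    return all(hits[n] for n in names)


# Constructed pages. The form layout and the "tid" field name are assumptions.
KIT_PAGE = """<form method="post">
<input type="hidden" name="xsrf_rU86LhWL7rEI3N39kv0Evw" value="ELotLohGqbr24MkEJvabkg">
<input type="hidden" name="tid" value="cc832e58-f790-49f8-b8bc-1f64b300c52b">
</form>"""
# Same layout with different (constructed placeholder) per-session values.
OTHER_PAGE = """<form method="post">
<input type="hidden" name="xsrf_PLACEHOLDERname0000000" value="PLACEHOLDERvalue000000">
<input type="hidden" name="tid" value="00000000-0000-4000-8000-000000000000">
</form>"""

if __name__ == "__main__":
    for label, page in (("kit", KIT_PAGE), ("other", OTHER_PAGE)):
        print(label, rule_matches(RULE, page), selection_hits(RULE, page))
```

The per-selection result from `selection_hits` shows which of the three strings a near-miss page still carries, which helps when triaging a modified copy of the kit.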