UPS Phishing Kit 69b689e

Detects a UPS phishing kit using a fake parcel ID to lure victims in, additionally has a high entropy string that does not change assigned as the data-upstoken attribute of a HTML element within the page, possibly left behind when the original UPS page was cloned.

References

Recent Detections

  • hxxps://upsedjs[.]builderallwppro[.]com/hi/su/?utm_campaign=of_f...
  • hxxps://brazzersboxnew[.]com/wp-content/re.php
  • hxxps://preeminent[.]preeminentbrands[.]net/ups/
  • hxxps://app[.]getresponse[.]com/click.html?x=a62b&lc=SmRv2E&mc=0...
  • hxxps://deliverynotice[.]builderallwppro[.]com/add//
  • hxxps://u30319867[.]ct[.]sendgrid[.]net/ls/click?upn=WiZuzuSlw37...
  • hxxps://parcelserviceunitedstate[.]builderallwppro[.]com/add/?ut...
  • hxxps://u30287637[.]ct[.]sendgrid[.]net/ls/click?upn=9z7sRXGOmxK...
  • hxxps://u30287637[.]ct[.]sendgrid[.]net/ls/click?upn=9z7sRXGOmxK...
  • hxxps://u30287637[.]ct[.]sendgrid[.]net/ls/click?upn=9z7sRXGOmxK...

IOK Rule (edit)

title: UPS Phishing Kit 69b689e
description: |
    Detects a UPS phishing kit using a fake parcel ID to lure victims in, 
    additionally has a high entropy string that does not change assigned 
    as the `data-upstoken` attribute of a HTML element within the page, 
    possibly left behind when the original UPS page was cloned. 
    
references:
    - https://urlscan.io/result/24ecab33-02be-4213-9e94-e362f12f9357
    - https://urlscan.io/result/6fd8922a-873c-4ae4-98e8-b93f3f15a6cc
    - https://urlscan.io/result/b3259998-efb3-4865-b936-9c81c020f997

detection:

    fakeParcelID:
      html|contains: 'RAxxxxxxxxxUS'

    upsDataToken:
      html|contains: '69b689e92856af4eda14fb2bd0418c69158f2943d18691e934ada3ceefb3b914f225910c8bbd05dc221d336eac174899277c8bef3b610c7aa622d42913525889'


    condition: fakeParcelID and upsDataToken

tags:
  - target.ups