USPS Phishing Kit 9514901

Detects a USPS phishing kit that uses the same fake tracking ID & same stylesheet on every phish.

References

https://urlscan.io/result/eb515c96-1e02-4d48-a07f-6fe1d1590059
https://urlscan.io/result/6f9262b2-7809-4000-b5d1-d89c90bd16ff
https://urlscan.io/result/532bc1f5-319e-4b1d-abbb-d35057788e7a
https://urlscan.io/result/3b801aaf-ace4-40e0-8653-0fdbe456b9e9
https://urlscan.io/result/d0eb1705-9e5d-40c1-81d9-56c49686b9f9

IOK Rule (edit)

title: USPS Phishing Kit 9514901
description: |
  Detects a USPS phishing kit that uses the same fake tracking ID
  & same stylesheet on every phish.

references:
  - https://urlscan.io/result/eb515c96-1e02-4d48-a07f-6fe1d1590059
  - https://urlscan.io/result/6f9262b2-7809-4000-b5d1-d89c90bd16ff
  - https://urlscan.io/result/532bc1f5-319e-4b1d-abbb-d35057788e7a
  - https://urlscan.io/result/3b801aaf-ace4-40e0-8653-0fdbe456b9e9
  - https://urlscan.io/result/d0eb1705-9e5d-40c1-81d9-56c49686b9f9

detection:

  fakeTrackingId:
    html|contains: 'class="tracking-number"> US9514901185421</span>'

  stylesheet:
    requests|contains: '1.css?apiType=css&projectid=ee38900c-6459-4e0c-95d6-896c0208d3d0'

  condition: fakeTrackingId and stylesheet

tags:
  - kit
  - target.usps