Unique kit IDs

title: Unique kit IDs
description: |
    It's useful to detect not only that a site is malicious, but specifically *which* phishing kit it's hosting.
    Some website design choices make this very easy. We can look for values in the page which are usually unique per request, but which during the cloning process get fixed at a specific value.
level: confirmed_malicious
detection:
    uniqueID:
        # 1. Go to the urlscan.io result for this phishing site: https://urlscan.io/result/9f77c70d-1f21-4205-97ba-b9d5f679d0a3#transactions
        # 2. Click on the "Show response" button next to the "Primary Request"
        # 3. Look at the HTML and find the "data-trekkie-device-id" attribute
        # 4. Copy the value into the html|contains matcher
        html|contains: data-trekkie-device-id="🤔"
        # Why does this work?
        # The data-trekkie-device-id attribute is a unique ID generated by Shopify and stored
        # in a cookie for analytics/tracking purposes.
        # Because it's a randomly generated UUID, every value is likely unique across the internet!
        # When a phisher bases their kit on the real Shopify login page, they often include this value by accident.
    shopifyFont:
        # This rule relies on matching values within the content of the page HTML.
        # But, most threat intel sources do not support directly searching within HTML (this is too much data to index).
        # Instead, we've added a redundant property here which acts as a hint to the rule engine.
        # Read more about how IOK rules are run here: https://phish.report/blog/iok-rule-conversion
        requests|endswith: /shopify-marketing_assets/static/ShopifySans--bold.woff2
    condition: shopifyFont and uniqueID

Quick Reference

IOK rules allow you to detect (potential/likely/confirmed) phishing sites by matching on various properties of the website like the text on the page, the cookies set, and the filenames of the assets loaded.

Fields

  • Hostname (field: hostname, type: string)
    The hostname of the site.
    e.g. www.phish.domain

  • Title (field: title, type: string list)
    The title of the site as shown in a browser. If multiple titles are set (e.g. by JavaScript), this contains all of them.
    e.g. Login | My Bank

  • HTML (field: html, type: string)
    The contents of the page HTML as returned by the server.
    e.g. <html><head>....</html>

  • DOM (field: dom, type: string)
    The contents of the page HTML after loading (e.g. after JavaScript has executed and modified the page).
    e.g. <html><head>....</html>

  • JS (field: js, type: string list)
    Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally).
    e.g. !function(e,t){"object"==typeof module&&

  • CSS (field: css, type: string list)
    Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets).
    e.g. .redTitle {color: red;}

  • Cookies (field: cookies, type: string list)
    Cookies from the page. Each is in the form cookieName=value.
    e.g. PHPSESSID=el4ukv0kqbvoirg7nkp4dncpk3

  • Headers (field: headers, type: string list)
    Headers sent by the server. Each is in the form Header-Name: value.
    e.g. X-Powered-By: PHP/7.4.33

  • Requests (field: requests, type: string list)
    URLs of requests made by the page (and of assets loaded by the page).
    e.g. https://www.phish.domain/css/style.css

title: Example rule
description: |
    This should describe what the rule detects.
    You can use markdown syntax

# The level setting determines whether you'll be alerted
# about matches or if this site is just monitored for changes
level: likely_malicious

# This is where your rule logic lives
# It is formed of a set of properties and a condition
detection:
    propertyOne:
        html|contains: "a string"

    propertyTwo:
        requests|endswith: "/logo.png"

    # The condition combines the properties using and/or/not
    condition: propertyOne and not propertyTwo

Modifiers

  • contains
    True if the field contains the string.

  • startswith
    True if the field starts with the string.

  • endswith
    True if the field ends with the string.

  • all
    Requires that the field matches all of the provided values, not just one.
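As an added example (not part of the IOK rule above or of phish.report's own rule engine), here is a small Python evaluator that implements the field, modifier and condition semantics described in this reference and runs the Unique kit IDs rule against a page capture. The capture, the rule dict and the device-ID value are all constructed for the example; the real rule's value must be copied from the urlscan.io response as the rule comments describe.

```python
import ast
# Constructed sample capture (not a real site): the HTML carries a device ID that was
# copied, fixed, from a legitimate page, and the page loads the Shopify font file.
SAMPLE_PAGE = {
    "html": '<html><body data-trekkie-device-id="CONSTRUCTED-UUID-1234">...</body></html>',
    "requests": [
        "https://login.example.invalid/login.php",
        "https://cdn.example.invalid/shopify-marketing_assets/static/ShopifySans--bold.woff2",
    ],
}
# The rule's detection block as a dict (the UUID value is a constructed placeholder).
RULE = {"detection": {
    "uniqueID": {"html|contains": 'data-trekkie-device-id="CONSTRUCTED-UUID-1234"'},
    "shopifyFont": {"requests|endswith": "/shopify-marketing_assets/static/ShopifySans--bold.woff2"},
    "condition": "shopifyFont and uniqueID",
}}
MODIFIERS = {
    "contains": lambda field, s: s in field,
    "startswith": lambda field, s: field.startswith(s),
    "endswith": lambda field, s: field.endswith(s),
}

def match_property(page, spec):
    """A property holds when every 'field|modifier[|all]: value(s)' entry in it holds."""
    for key, values in spec.items():
        field_name, *mods = key.split("|")
        field = page.get(field_name, "")
        candidates = field if isinstance(field, list) else [field]  # list fields: any item may match
        needles = values if isinstance(values, list) else [values]
        op = MODIFIERS[next(m for m in mods if m in MODIFIERS)]
        hits = [any(op(c, n) for c in candidates) for n in needles]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def eval_condition(expr, results):
    """Evaluate the condition safely: only property names, and/or/not and parentheses."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            return (all if isinstance(node.op, ast.And) else any)(walk(v) for v in node.values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            return results[node.id]
        raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")
    return walk(ast.parse(expr, mode="eval").body)
def rule_matches(rule, page):
    det = rule["detection"]
    results = {k: match_property(page, v) for k, v in det.items() if k != "condition"}
    return eval_condition(det["condition"], results)
```

A page that loads the Shopify font but carries a different (or no) device ID fails the `uniqueID` property and so does not match, which is exactly the redundancy the `shopifyFont` hint property relies on.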