Hotloaded Assets

title: Hotloaded Assets description: | Phishers often create their kits by cloning the website of the brand they're targeting. Their goal is a perfectly standalone phishing kit, but the process is rarely perfect and so assets are often still loaded from the original source. We can use this to find sites which are likely the result of cloning. level: likely_malicious detection: loadsFromCoinbase: # Write a matcher here for files loaded from https://login.coinbase.com/static/ requests: '🤔' realCoinbase: # Write a matcher here match any real coinbase.com domain hostname: '🤔' condition: loadsFromCoinbase and not realCoinbase

Rule matches

Quick Reference

IOK rules allow you to detect (potential/likely/confirmed) phishing sites by matching on various properties of the website like the text on the page, the cookies set, and the filenames of the assets loaded.

Fields

  • Hostname
    hostname
    Type
    string
    Description

    The hostname of the site.

    e.g. www.phish.domain

  • Title
    title
    Type
    string list
    Description

    The title of the site as shown in a browser. If multiple titles are set (e.g. by JavaScript), this contains all of them.

    e.g. Login | My Bank

  • HTML
    html
    Type
    string
    Description

    The contents of the page HTML (as returned by the server).

    e.g. <html><head>....</html>

  • DOM
    dom
    Type
    string
    Description

    The contents of the page HTML after loading (e.g. after javascript has executed and modified the page).

    e.g. <html><head>....</html>

  • JS
    js
    Type
    string list
    Description

    Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally).

    e.g. !function(e,t){"object"==typeof module&&

  • CSS
    css
    Type
    string list
    Description

    Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets)

    e.g. .redTitle {color: red;}

  • Cookies
    cookies
    Type
    string list
    Description

    Cookies from the page. Each is in the form cookieName=value

    e.g. PHPSESSID=el4ukv0kqbvoirg7nkp4dncpk3

  • Headers
    headers
    Type
    string list
    Description

    Headers sent by the server. Each is in the form Header-Name: value

    e.g. X-Powered-By: PHP/7.4.33

  • Requests
    requests
    Type
    string list
    Description

    URLs of requests made by the page (and assets loaded by the page).

    e.g. https://www.phish.domain/css/style.css

title: Example rule
description: |
    This should describe what the rule detects.
    You can use markdown syntax

# The level setting determines whether you'll be alerted
# about matches or if this site is just monitored for changes
level: likely_malicious

# This is where your rule logic lives
# It is formed of a set of properties and a condition
detection:
    propertyOne:
        html|contains: "a string"

    propertyTwo:
        requests|endswith: "/logo.png"

    # The condition combines the properties using and/or/not
    condition: propertyOne and not propertyTwo

Modifiers

  • contains
    contains
    Description

    True if the field contains the string.

  • startswith
    startswith
    Description

    True if the field starts with the string.

  • endswith
    endswith
    Description

    True if the field ends with the string.

  • all
    all
    Description

    Requires this matches all provided values, not just one.