IOK Rules

Shopify phishing kit 45ca55e3

Shopify phishing kit containing a high-entropy device identifier which should be a high quality indicator.

VyStar Credit Union Phishing Kit 084ea74

Detects a phishing kit targeting customers of the VyStar Credit Union.

Office 365 Phishing Kit l03TtM

Detects a phishing kit targeting Office 365 using a fake login form. It doesn't attempt to visually mimic the official login pages, allowing it to evade common detection engines.

Okta ("0ktapus"/"Scatter Swine") phishing kit

Okta is a Single Sign-On (SSO) provider used by many enterprises and this phishing kit targets those enterprises. It aims to steal the victim's email address, SSO password, and MFA details. To decrease the victim's suspicion this kit (like many) includes details specific to the targeted company, e.g. their name and logo. However, unlike similar kits, this is hardcoded per instance of the phishing site and isn't dynamic based on the victim's email.

![Screenshot of one of these camouflaged Okta phishing kits (in this case, actually targeting Okta's own employees). [Via urlscan.io](https://urlscan.io/result/63fc7edd-116c-4128-a934-8ad6c9ad76e2/)](/static/63fc7edd-116c-4128-a934-8ad6c9ad76e2-BIDTSTDO.png)

The same frontend code (HTML, CSS, and JS) is deployed regardless of the company being targeted, but the company name and logo are provided by the C2 server.

### Capabilities

From analysing the code it appears this kit is set up to:

* Steal email address and password
* Capture MFA codes
* Push the download of a (trojanized?) remote desktop tool `AnyDesk.exe`

### Timeline

So far, the earliest observed appearance of this campaign was on July 1st ([urlscan.io](https://urlscan.io/result/4125359d-3fea-4161-b0a9-bed1e3c04e16)). This is a slightly earlier version of the phishing kit (referencing slightly different JS files) and was last seen on July 13th. The more recent version of the kit (using the JS filenames referenced in this rule) was first observed on [July 17th](https://urlscan.io/result/0c7aba52-edf4-4280-9bc5-783fb8c93d87/).

### Attack Infrastructure

Unlike many less sophisticated kits, this isn't deployed on a PHP hosting provider but is instead deployed on virtual machines (usually provided by Digital Ocean or Vultr).

* Frontend assets (HTML/JS/CSS) are loaded from the domain itself
* The config (for example, which logo to display) is loaded from a separate, non-HTTPS endpoint hosted on port 8080 on the same server

```mermaid
graph LR
  subgraph C2[Attack Infrastructure]
    Domain[Lookalike Domain] --> IP[Server IP]
  end
  Browser[Victim's Browser] -->|Load frontend: GET https://domain| Domain
  Browser -->|Fetch name and logo: GET http://ip:8080/api/app/settings| IP
```

Most infrastructure is unique to each attack but there's occasionally some crossover:

* [45[.]63[.]39[.]151](https://urlscan.io/ip/45.63.39.151) has been seen targeting multiple companies.
* [mailchimp-help[.]com](https://urlscan.io/domain/mailchimp-help.com) has been observed targeting multiple companies.
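The infrastructure pattern above (HTTPS frontend from the lookalike domain, tenant config fetched over plain HTTP from port 8080 on the same server) can be turned into a page-level detection heuristic. The following is an added example, not the IOK rule itself or phish.report's code; it assumes a urlscan-style list of `(resource_url, resolved_ip)` pairs for everything the page loaded, and the sample records are constructed.

```python
from urllib.parse import urlsplit

# Endpoint and port named in the infrastructure description above.
CONFIG_PATH = "/api/app/settings"
CONFIG_PORT = 8080


def okta_kit_infra_match(page_url, resources):
    """Return match details, or None if the page does not show the pattern.

    resources: list of (url, resolved_ip) for every request the page made.
    The match requires the config fetch to be plain HTTP on port 8080, to the
    documented path, and to hit the same server the lookalike domain resolved to.
    """
    page = urlsplit(page_url)
    if page.scheme != "https" or not page.hostname:
        return None

    # IPs the page's own domain resolved to (frontend assets are served from it).
    page_ips = {ip for url, ip in resources
                if urlsplit(url).hostname == page.hostname}

    for url, ip in resources:
        u = urlsplit(url)
        if u.scheme != "http" or u.port != CONFIG_PORT or u.path != CONFIG_PATH:
            continue
        # The kit addresses the C2 by bare IP; either the literal host or the
        # resolved IP must be one of the page's own server IPs.
        if u.hostname in page_ips or ip in page_ips:
            return {"domain": page.hostname, "server_ip": ip, "config_url": url}
    return None


# Constructed sample (documentation-range IP and a made-up lookalike domain).
SAMPLE_PAGE = "https://sso-example-corp.example/"
SAMPLE_RESOURCES = [
    ("https://sso-example-corp.example/", "203.0.113.10"),
    ("https://sso-example-corp.example/static/js/main.js", "203.0.113.10"),
    ("http://203.0.113.10:8080/api/app/settings", "203.0.113.10"),
]

# Benign sample: a config fetch over HTTPS on a different host should not match.
BENIGN_PAGE = "https://portal.example/"
BENIGN_RESOURCES = [
    ("https://portal.example/", "198.51.100.7"),
    ("https://cdn.example/api/app/settings", "198.51.100.99"),
]

if __name__ == "__main__":
    print(okta_kit_infra_match(SAMPLE_PAGE, SAMPLE_RESOURCES))
    print(okta_kit_infra_match(BENIGN_PAGE, BENIGN_RESOURCES))
```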

Shopify phishing kit NCv2F

Shopify phishing kit containing a high-entropy CSP nonce which should be a high quality indicator.

Instagram Appeal Phishing Kit 510EMm

Detects a phishing kit targeting Instagram by impersonating Instagram staff and tricking the user into filling out a fake appeal form.

Banco de la República (eBROU) Phishing Kit g5d6u78z

Detects a Banco de la República phishing kit using a form action URL and CSS files that only appear in this kit. Deployed often on `replit.com`.

Facebook Appeal Form Phishing Kit 91f3caf

Detects a fake Facebook appeal form that phishes for credentials. The kit was designed by an Arabic-speaking threat actor.

Facebook Phishing Kit 83d65db

Detects a Facebook phishing kit created by an Indonesian threat actor that uses the disguise of a victim's account being restricted and requires them to log in again.

Banco Promerica Phishing Kit ef73ish1

Detects a Banco Promerica phishing kit with images and form action URL that only appear in this kit. Deployed often on `replit.com`.

Bancolombia Phishing Kit GM866x

Detects a phishing kit targeting Bancolombia with a simple centered login form. This was detected as a result of this kit being deployed on Replit.

Fake crypto giveaway coin selection b791myo4

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. Sometimes the scammer will pick a specific cryptocurrency to target, but in this case they decided to add a menu where the user can select a specific coin.

Unibank Phishing Kit NJdEmH

Detects a phishing kit targeting Unibank. Unibank is one of the largest private banks established in Azerbaijan. Threat actors working with this phishing kit appear to be coming from Ukraine (EVEREST AS49223).

Minecraft Phishing Kit 85f1cdf0

Detects a Minecraft phishing kit that's being spread through Discord.

Cryptocurrency Giveaway wjUTKJ

Detects a fake cryptocurrency giveaway impersonating Elon Musk and promising to send back double (BTC, ETH, DOGE) what you send to the attacker's wallet. Distributed through Twitter phishing accounts.

Bank of America Phishing Kit kgzRkD

Detects a phishing kit targeting Bank of America. This kit is already detected by Urlscan. Found as a result of it being deployed on Replit.

Credicorp Bank Phishing Kit tGeBlg

Detects a phishing kit targeting Credicorp Bank. This was found as a result of this kit being deployed on Replit.

Shopify phishing kit YgjX6

Shopify phishing kit containing a high-entropy CSP nonce which should be a high quality indicator.

Ark Investment Crypto Phishing Kit 3465f6c

Detects a crypto phishing kit using Ark Investment as proof of the giveaway being legitimate; this kit also uses people like Elon Musk to lure victims.

Instagram Copyright Phishing Kit kVRJSB

Detects a phishing kit targeting Instagram (Meta) by tricking users into filling out a fake copyright appeal form. Threat actors observed in:

- Turkey 🇹🇷 (TT_MOBIL 20978; TTNET 9121; TURKCELL-AS 16135; VODAFONETURKEY 15897)
- France 🇫🇷 (SECFIREWALLAS 206092)

Microsoft Phishing Kit b3fcc7b

Detects a Microsoft phishing kit targeting Spanish speaking users.

Bancolombia Phishing Kit ZLbZ6V

Detects a phishing kit targeting Bancolombia. This was found as a result of this kit being deployed on Replit.

Shopify phishing kit f7ejw

Shopify phishing kit containing a high-entropy CSRF token (and a CSP nonce!) which should be a high quality indicator.

Banco de Crédito del Perú (BCP) Phishing Kit XEjFkd

Detects a phishing kit targeting Banco de Crédito del Perú (BCP). BCP is the largest bank in Peru. This was found as a result of this kit being deployed on Replit.

Banco de Galicia Phishing Kit 2mO4SF

Detects a phishing kit targeting Banco de Galicia. The threat actor operates from Argentina itself.

Daviplata Phishing Kit jwL1yd

Detects a phishing kit targeting Daviplata - a digital platform for making electronic transactions and payments using a mobile phone. Owned by Davivienda, a financial services company based in Colombia. This was found as a result of this kit being deployed on Replit.

Visa Phishing Kit dff000d

Detects a Visa phishing kit that makes it seem as if the victim is purchasing something from Aramex; it likely targets citizens of the UAE.

"Validate your account" countdown timer

This phishing kit (reported on by Cofense in 2022, but first seen on urlscan.io in 2018) has a live countdown until a user's email is supposedly "deleted from our server".

Instagram Phishing Kit Ag0sOJ

Detects a phishing kit targeting Instagram. Talks to "hizliresim.com" to fetch an image. Commonly deployed on Freenom domains.

Instagram Phishing Kit TPEXkd

Detects a phishing kit targeting Instagram. Commonly deployed on Freenom domains.

Shopify phishing kit 89NDeg

Shopify phishing kit containing a high-entropy CSRF token which should be a high quality indicator.

Banco de la Nación Phishing Kit 0blz45du

Detects a Banco de la Nación phishing kit using a form action URL and a button ID that only appear in this kit. Deployed often on `replit.com`.

Etherscan Crypto Phishing Kit 253344b

Detects a phishing kit targeting users of Etherscan.

123 Reg phishing kit 63c26

123 Reg phishing kit containing a high-entropy CSRF token which should be a high quality indicator.

Twitter Phishing Kit 91a19aa

Detects a phishing kit developed by a Turkish actor targeting users of Twitter.

Credicard Phishing Kit 7246c9c

Detects a Credicard phishing kit created by a Portuguese threat actor.

Amerant Bank Phishing Kit 4TfEvG

Detects a phishing kit targeting Amerant Bank. This was found as a result of this kit being deployed on Replit.

Exodus Wallet Phishing Kit

Detects an Exodus Wallet cryptocurrency wallet drainer that includes a function to validate the BIP39 recovery phrase entered.

Massachusetts UI Online Application 5hGwWB

Detects a phishing kit impersonating the Massachusetts Unemployment Insurance (UI) Online Application available at uionline.detma.org in an attempt to steal sensitive personal information from the victims. This was found as a result of this kit being deployed on Replit.

Banco Santa Fe Phishing Kit

Detects a phishing kit targeting Banco Santa Fe. This was found as a result of this kit being deployed on Replit.

Shopify phishing kit c546c6a9

Shopify phishing kit containing a high-entropy device identifier which should be a high quality indicator.

Bank of America Phishing Kit a53b161

Detects a Bank of America phishing kit.

Facebook Appeal Phishing Kit lf46pH

Detects a phishing kit targeting Facebook by tricking users into filling out a fake Community Standards violation appeal form.

UOL Mail Phishing Kit 6xm0cU

Detects a phishing kit targeting UOL Mail. UOL is a Brazilian content, digital services and technology company.

Facebook Copyright Phishing Kit XpkqU8

Detects a phishing kit targeting Facebook (Meta) by displaying a fake copyright infringement appeal form and tricking the user into giving away their credentials. This has over 600 hits on Urlscan. Threat actors observed in:

- United States 🇺🇸 (BELLSOUTH-NET-BLK 6389; ASN-CXA-ALL-CCI-22773-RDC 22773; CDNEXT 212238)

Square Enix FFXIV Gil Phishing Kit

Detects a phishing kit targeting square-enix.com with a fake FFXIV forum gil giveaway. Phishing kit consists of two pages, a forum page and a login page.

Amazon Token Cryptocurrency Scam SHFXgk

Detects a cyptocurrency phishing kit targeting Amazon. It claims to offer an Amazon (AMZ) token pre-sale and leads to an exchange where you can swap cryptocurrencies for this fake token. This was found as a result of this kit being deployed on Replit.

Nuevo Banco del Chaco Phishing Kit ri0z68ca

Detects a Nuevo Banco del Chaco phishing kit using a form action URL and a CSRF token that only appear in this kit. Deployed often on `replit.com`.

Camouflaged Okta kit (old)

An older version of the Okta phishing kit [described here](https://phish.report/IOK/indicators/okta-5844ad4).

1Password phishing kit - 191635

1Password phishing kit cloned from the legitimate `1password.com` login page using Save Page WE. The first detection was on August 16th, although evidence in the kit (the Save Page WE `savepage-date` timestamp) suggests it was created on August 11th. Like many similar phishing kits, credentials are posted to `send.php` and then the victim is redirected to the `1password.com` login form.

Bancolombia Phishing Kit jr5mnv

Detects a phishing kit targeting Bancolombia. This was found as a result of this kit being deployed on Replit.