
Create square-enix-ffxiv-gil-scam.yml #78

Merged
merged 3 commits into from
Aug 24, 2022

Conversation

pbellchambers
Contributor

@pbellchambers pbellchambers commented Aug 24, 2022

First time submitting here, I have some questions:

  1. The phishing kit is two separate pages (example below), is it ok to include them in a single definition like this?
    Examples:
    https://urlscan.io/result/654111fb-82ac-4973-880f-bbaec82694b9/
    https://urlscan.io/result/67b4fe92-f667-4201-a310-2cd2cf72af8a/
    https://urlscan.io/result/9e171326-b335-498c-a68f-63e1e16a4499/
    https://urlscan.io/result/e056ca66-5288-4fb6-8a47-06e03b0f1eba/

  2. The only identifier on the login page is a randomly generated form action php file which is not present on the real page. I can't see any way to identify this other than using regex. Does the detection here support using regex? If so, is the format I've used ok? I couldn't find any documentation on this.

Examples of the login page form action:
https://urlscan.io/result/67b4fe92-f667-4201-a310-2cd2cf72af8a/
https://urlscan.io/result/e056ca66-5288-4fb6-8a47-06e03b0f1eba/
https://urlscan.io/result/74eb3b52-bfea-495a-87a7-1561fdd61c0c/
https://urlscan.io/result/37ca2ce7-337a-4ad9-9979-902e06268042/

  3. Is there any way to test whether this definition works in advance of it being merged?

@bradleyjkemp
Member

Hey Paul, thanks for the rule 💙

To answer your questions:

  1. Yeah I think it's good to have these two pages as a single rule: they're part of the same kit so makes sense
  2. In general regex would definitely be the way to do this 👍🏻 Unfortunately sigma-go doesn't yet support evaluating regex so this wouldn't work just yet
  3. I'm planning to add a web debugger/IDE but for now there's a CLI tool in the repo you can use. Your rule seems to work!
➜  IOK git:(178e36a) go run ./tools/urlscan-iok/urlscan-iok.go --uuid 654111fb-82ac-4973-880f-bbaec82694b9
Matching indicators:
  * Square Enix FFXIV Gil Phishing Kit https://phish.report/IOK/indicators/square-enix-ffxiv-gil-scam

@pbellchambers
Contributor Author

Thanks for the reply, the CLI tool was helpful!

I've updated this as I realised the real login page doesn't have any .php form submit, and also doesn't have the One-Time Password on the same page, so it's possible to identify without using regex.

Tested successfully with matches against the following phishing pages:
f2508472-4dca-45da-ace4-02e80be5e1f7
e758276f-cf98-4b3d-947e-5aa6fe65bbac
654111fb-82ac-4973-880f-bbaec82694b9
67b4fe92-f667-4201-a310-2cd2cf72af8a

Tested with no matches against the real pages:
0970de9e-51c9-49f6-88e3-b40bf20dc747
503f6aad-34d7-4f18-ae71-908bfe32524b
e608e694-e245-494e-84cd-131db304ca69

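The two detection approaches discussed in this thread (the regex on the randomly named PHP form action from the first comment, and the regex-free check from the update above: a `.php` form action plus the One-Time Password field on the same page) can be illustrated with a small scanner. This is an added example, not the IOK rule from this pull request and not sigma-go; the HTML pages are constructed stand-ins, and the hex-run pattern used for "randomly generated" PHP file names is an assumption.

```python
"""Page-level checks for the two indicators discussed in the thread.

Added illustration: the HTML below is constructed and the regex for a
"randomly generated" PHP file name is an assumption, not the kit's naming.
"""
import re
from html.parser import HTMLParser


class FormScanner(HTMLParser):
    """Collect every <form action="..."> value and the page's visible text."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.text_chunks = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us
        if tag == "form":
            for name, value in attrs:
                if name == "action" and value is not None:
                    self.actions.append(value)

    def handle_data(self, data):
        self.text_chunks.append(data)

    @property
    def text(self):
        return " ".join(self.text_chunks)


def scan(html):
    parser = FormScanner()
    parser.feed(html)
    return parser


# Indicator 1 (first comment): the kit posts to a randomly named PHP file.
# Assumed shape of "random": a run of at least eight hex characters.
RANDOM_PHP_ACTION = re.compile(r"(^|/)[0-9a-f]{8,}\.php$", re.IGNORECASE)


def matches_regex_indicator(html):
    """Regex-based check; the approach the thread considered first."""
    return any(RANDOM_PHP_ACTION.search(a) for a in scan(html).actions)


def matches_no_regex_indicator(html):
    """Regex-free check, as the rule was merged: the real login page has no
    .php form action and never asks for the One-Time Password on the same
    page, so requiring both separates the kit from the legitimate page."""
    page = scan(html)
    has_php_action = any(a.lower().endswith(".php") for a in page.actions)
    has_otp_field = "one-time password" in page.text.lower()
    return has_php_action and has_otp_field


# Constructed samples standing in for the kit's page and the real page.
PHISH_PAGE = """<html><body>
<form action="a3f9c2e1b7d4.php" method="post">
  <label>Username</label><input name="id">
  <label>Password</label><input type="password" name="pw">
  <label>One-Time Password</label><input name="otp">
</form></body></html>"""

LEGIT_PAGE = """<html><body>
<form action="/account/login" method="post">
  <label>Username</label><input name="id">
  <label>Password</label><input type="password" name="pw">
</form></body></html>"""


if __name__ == "__main__":
    for name, page in (("phish", PHISH_PAGE), ("legit", LEGIT_PAGE)):
        print(name, "regex:", matches_regex_indicator(page),
              "no-regex:", matches_no_regex_indicator(page))
```

The regex-free variant is the one that survives a rule engine without regex support; it trades pattern precision for a conjunction of two cheap attribute checks, which is why both conditions are required rather than either one alone.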
@bradleyjkemp bradleyjkemp merged commit 9f242d7 into phish-report:main Aug 24, 2022
@bradleyjkemp
Member

bradleyjkemp commented Aug 24, 2022

And it's live 🎉 https://phish.report/IOK/indicators/square-enix-ffxiv-gil-scam

Thanks again for the rule. I've got some stickers that'll be available for contributors at some point (once I've figured out shipping)

@pbellchambers pbellchambers deleted the square_enix branch August 24, 2022 12:53

2 participants