
🚀 Create IOK: facebook-pl-5b1aed4d #244

Merged: 3 commits, Jun 20, 2024

Conversation

IlluminatiFish (Collaborator)

🟢 Additions:

Create facebook-pl-5b1aed4d.yml
@LightningDev23 (Contributor)

Hi IlluminatiFish, this seems like a great kit to detect these types of phishing sites.

I did some testing with your current rule and did not find any false positives - that's a good thing haha.

I would suggest making one change: also check whether the page requests the Facebook logo from Wikimedia (https://upload.wikimedia.org/wikipedia/commons/thumb/5/51/Facebook_f_logo_%282019%29.svg/2048px-Facebook_f_logo_%282019%29.svg.png). All of these sites load this request. Adding it would help verify that a site is a type of Facebook phishing. Relying only on the YouTube video does not seem to be the best this rule could be. I hope you get what I'm saying.

IOK Rule with these changes:

title: facebook-pl-5b1aed4d
description: |
  A phishing kit using fake and alarming
  news articles to trick users into
  giving away their Facebook login 
  credentials.
level: potentially_malicious
references:
  - https://urlscan.io/result/5b1aed4d-e436-4849-8c76-9ff9a6638902
  - https://urlscan.io/result/0a95517f-9263-46d0-82ab-8c52bb40b13d

detection:

  embeddedVideo:
    requests|contains: 'https://www.youtube.com/embed/3rH4-ib6IxQ'

  facebookLogo:
    requests|contains: 'https://upload.wikimedia.org/wikipedia/commons/thumb/5/51/Facebook_f_logo_%282019%29.svg/2048px-Facebook_f_logo_%282019%29.svg.png'

  condition: embeddedVideo and facebookLogo

tags:
  - target_country.poland
  - target.facebook


Make changes suggested by Lightning
@IlluminatiFish (Collaborator, Author)

If I recall correctly, not all of the phishing pages load their Facebook logo externally; some host the logo image file themselves. Hence the omission of this URL and the pure reliance on the embedded video.
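An added example, not code from the PR and not the IOK project's own matcher: a small Python evaluator for the rule's `requests|contains` selections and its `condition` line, run over constructed request lists (hosts under `.invalid`, not data taken from the referenced urlscan results). It compares the original single-indicator rule with the proposed `embeddedVideo and facebookLogo` rule, and includes a page of the kind IlluminatiFish describes, where the logo is served from the phishing host rather than Wikimedia, to show that the stricter condition would miss that variant. The rule dictionaries mirror the YAML above; the condition parser accepts `and`, `or`, `not` and parentheses, which is an assumption about the condition grammar rather than a verified description of IOK's.

```python
"""Added example (not IOK's own matcher, not code from the PR): a minimal
evaluator for `requests|contains` selections plus the `condition` line, used to
compare the original single-indicator rule with the proposed two-indicator one."""
import re

YOUTUBE_EMBED = "https://www.youtube.com/embed/3rH4-ib6IxQ"
WIKIMEDIA_LOGO = ("https://upload.wikimedia.org/wikipedia/commons/thumb/5/51/"
                  "Facebook_f_logo_%282019%29.svg/2048px-Facebook_f_logo_%282019%29.svg.png")

# Rule bodies mirror the PR's YAML: selection name -> {"field|modifier": value}.
ORIGINAL_RULE = {
    "detection": {"embeddedVideo": {"requests|contains": YOUTUBE_EMBED}},
    "condition": "embeddedVideo",
}
PROPOSED_RULE = {
    "detection": {
        "embeddedVideo": {"requests|contains": YOUTUBE_EMBED},
        "facebookLogo": {"requests|contains": WIKIMEDIA_LOGO},
    },
    "condition": "embeddedVideo and facebookLogo",
}


def selection_matches(selection, page):
    """Every `field|modifier` entry must match. Only `contains` over list-valued
    fields (such as `requests`) is modelled, since that is all this rule uses."""
    for key, needle in selection.items():
        field, _, modifier = key.partition("|")
        if modifier != "contains":
            raise ValueError(f"unsupported modifier {modifier!r}")
        if not any(needle in value for value in page.get(field, [])):
            return False
    return True


def _parse_condition(tokens, results):
    """Recursive-descent parser, precedence or < and < not < atom/parentheses.
    The grammar is an assumption (Sigma-style), not taken from IOK."""
    def peek():
        return tokens[0] if tokens else None

    def atom():
        token = tokens.pop(0) if tokens else None
        if token == "not":
            return not atom()
        if token == "(":
            value = expr()
            if (tokens.pop(0) if tokens else None) != ")":
                raise ValueError("expected ')'")
            return value
        if token in results:
            return results[token]
        raise ValueError(f"unknown selection {token!r}")

    def conj():
        value = atom()
        while peek() == "and":
            tokens.pop(0)
            value = atom() and value
        return value

    def expr():
        value = conj()
        while peek() == "or":
            tokens.pop(0)
            value = conj() or value
        return value

    value = expr()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return value


def evaluate(rule, page):
    """True when the rule's condition holds for the page's request list."""
    results = {name: selection_matches(sel, page) for name, sel in rule["detection"].items()}
    return _parse_condition(re.findall(r"\(|\)|\w+", rule["condition"]), results)


# Constructed request lists (hosts under .invalid); not data from the urlscan results.
SAMPLE_PAGES = {
    # Kit page as described in the PR: embeds the video and hotlinks the Wikimedia logo.
    "kit_external_logo": {"requests": ["https://news-portal.invalid/artykul/1", YOUTUBE_EMBED,
                                       WIKIMEDIA_LOGO, "https://news-portal.invalid/login.php"]},
    # Variant IlluminatiFish describes: same kit, but the logo is served from the phishing host.
    "kit_local_logo": {"requests": ["https://news-portal.invalid/artykul/1", YOUTUBE_EMBED,
                                    "https://news-portal.invalid/img/fb_logo.png"]},
    # Hypothetical page that only embeds the same video; no such false positive was reported
    # in the PR, the row just shows what the stricter condition would change.
    "embed_only": {"requests": ["https://blog.invalid/post", YOUTUBE_EMBED]},
    # Page that only hotlinks the Wikimedia logo.
    "logo_only": {"requests": ["https://wiki.invalid/Facebook", WIKIMEDIA_LOGO]},
}


def run_rules():
    """Map each sample page to (original rule hit, proposed rule hit)."""
    return {name: (evaluate(ORIGINAL_RULE, page), evaluate(PROPOSED_RULE, page))
            for name, page in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for name, (original, proposed) in run_rules().items():
        print(f"{name:18} original={original!s:5} proposed={proposed!s:5}")
```

The `kit_local_logo` row is the trade-off both comments are circling: the `and` condition drops the embed-only hit, but it also drops any kit instance that ships the logo locally, which is why the merged rule keeps the single embedded-video indicator.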

@bradleyjkemp bradleyjkemp merged commit 1373aed into phish-report:main Jun 20, 2024
2 checks passed