From 6ebc8ddf601fde2659d796c179b29cd48c7302a2 Mon Sep 17 00:00:00 2001
From: w00dbury <28681716+w00dbury@users.noreply.github.com>
Date: Sat, 2 Dec 2023 08:45:29 -0800
Subject: [PATCH 1/3] :rocket: Created navyfederal-7fh9xqpk

Detect Navy Federal bank phishing kit
---
 indicators/navyfederal-7fh9xqpk.yml | 30 +++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 indicators/navyfederal-7fh9xqpk.yml

diff --git a/indicators/navyfederal-7fh9xqpk.yml b/indicators/navyfederal-7fh9xqpk.yml
new file mode 100644
index 00000000..9ae20f12
--- /dev/null
+++ b/indicators/navyfederal-7fh9xqpk.yml
@@ -0,0 +1,30 @@
+title: Navy Federal Credit Union Phishing Kit 7fh9xqpk
+description: |
+ Navy Federal Credit Union phishing kit cloned with Save Page WE.
+ The kit uses the obfuscated function `_f0` to send credentials to a telegram chat.
+ Save Page WE is a chrome extension used by phishers to clone a target website and save it as a single HTML file
+
+references:
+ - https://urlscan.io/result/0b9420f8-5aa2-442f-9e0c-ec3813aaea2a
+ - https://urlscan.io/result/65e0bb5b-76f0-45a1-a60f-af9971ea83ca
+
+related:
+ - id: savepage-we
+
+detection:
+ title:
+ html|contains: "Navy Federal Credit Union - Our Members are the Mission®"
+
+ cssComment:
+ html|contains: "/*savepage-url="
+
+ javascript:
+ js|contains|all:
+ - "sendEmail"
+ - "function _f0"
+
+ condition: all of them
+
+tags:
+ - kit
+ - target.navyfederal
\ No newline at end of file
From ce927f055c07aa937d4b07fbd379b6f21c17e6c5 Mon Sep 17 00:00:00 2001
From: w00dbury <28681716+w00dbury@users.noreply.github.com>
Date: Sat, 2 Dec 2023 09:36:10 -0800
Subject: [PATCH 2/3] :sparkles: Updated navyfederal-7fh9xqpk

---
 indicators/navyfederal-7fh9xqpk.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/indicators/navyfederal-7fh9xqpk.yml b/indicators/navyfederal-7fh9xqpk.yml
index 9ae20f12..d758b51f 100644
--- a/indicators/navyfederal-7fh9xqpk.yml
+++ b/indicators/navyfederal-7fh9xqpk.yml
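Review bot: The `html|contains` match on `"Navy Federal Credit Union - Our Members are the Mission®"` depends on how the registered-trademark symbol is stored in the captured page: if the clone carries it as the `&reg;` entity or in a different byte encoding, a raw substring comparison misses a page that otherwise matches, and with `condition: all of them` the whole rule then fails rather than degrading. The same string is carried forward by `title|contains` in the second patch and by the exact `title:` match in the third, so all three selectors share the issue. Matching the ASCII prefix, `html|contains: "Navy Federal Credit Union - Our Members are the Mission"`, is robust to either encoding and loses nothing given the other two selectors must also hit. Whether the engine normalizes entities before comparing is not visible here.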
@@ -13,10 +13,10 @@ related:

 detection:
 title:
- html|contains: "Navy Federal Credit Union - Our Members are the Mission®"
+ title|contains: "Navy Federal Credit Union - Our Members are the Mission®"

- cssComment:
- html|contains: "/*savepage-url="
+ cloned:
+ dom|contains: "Thu Mar 25 2021 16:38:13 GMT+0300 (East Africa Time)"

 javascript:
 js|contains|all:
From ae1099cd809aba8767d67a925e09037ee1f1123d Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Sat, 2 Dec 2023 17:57:59 +0000
Subject: [PATCH 3/3] =?UTF-8?q?=E2=9C=A8Update=20navyfederal-7fh9xqpk?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 indicators/navyfederal-7fh9xqpk.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/indicators/navyfederal-7fh9xqpk.yml b/indicators/navyfederal-7fh9xqpk.yml
index d758b51f..f7011cd8 100644
--- a/indicators/navyfederal-7fh9xqpk.yml
+++ b/indicators/navyfederal-7fh9xqpk.yml
@@ -12,8 +12,8 @@ related:
 - id: savepage-we

 detection:
- title:
- title|contains: "Navy Federal Credit Union - Our Members are the Mission®"
+ pageTitle:
+ title: "Navy Federal Credit Union - Our Members are the Mission®"

 cloned:
 dom|contains: "Thu Mar 25 2021 16:38:13 GMT+0300 (East Africa Time)"
@@ -27,4 +27,4 @@ detection:

 tags:
 - kit
- - target.navyfederal
\ No newline at end of file
+ - target.navyfederal
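Review bot: The new `cloned` selector, `dom|contains: "Thu Mar 25 2021 16:38:13 GMT+0300 (East Africa Time)"`, pins the rule to one apparent page-save timestamp, and since the condition further down the file is `all of them`, any re-saved copy of the same kit with a different timestamp stops matching entirely rather than losing one signal. The generic `"/*savepage-url="` marker it replaces tied the rule to the cloning tool independent of capture time, and the later patch keeps the timestamp, so this is not addressed downstream. If the timestamp is deliberately meant to fingerprint this one sample, record that next to it, e.g. `# save timestamp of the sampled clone; re-clones will not match` — nothing in the file currently explains the value. The `detection` block continues past the end of this hunk.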
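Review bot: The switch from `title|contains` to a bare `title:` key under `pageTitle` presumably turns the selector into an exact comparison (the field's semantics are not visible in this file), so surrounding whitespace or any suffix the cloning tool leaves in the page's `<title>` would make it miss where the earlier substring match hit. The commit subject is only "Update", so the reason for tightening the match is not recorded anywhere. If exact matching is intended, a one-line comment above `pageTitle:` saying so would stop the next editor from loosening it again; otherwise `title|contains:` keeps the substring behaviour. The `detection` block extends beyond the end of this hunk.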