""ET CURRENT_EVENTS Successful Citibank Phish Landing Page""

SID: 2034397

Revision: 2

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, signature_severity Major, updated_at 2021_11_09

Reference:

  • md5

  • 52f9a1141716b47fba9fdbb94f7ddb31

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "200"

  • Value: "Citibank Online"

  • Value: "form|20|name|3d 22|undefined|22|"

  • Value: "|2e|php|3f|sessionid"

  • Value: "|26|sslchannel|3d|true|22 20|method|3d 22|POST|22|"

Within:

PCRE:

Special Options:

  • http_stat_code

  • file_data

  • nocase

  • fast_pattern

source