"ET CURRENT_EVENTS Successful Generic 000webhost Phish 2018-09-27"

SID: 2052143

Revision: 2

Class Type: trojan-activity

Metadata: affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, signature_severity Critical, tag Phishing, updated_at 2024_04_18, former_sid 2832846, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "200"

  • Value: "{|22|FormResponse|22 3a 20|{|22|success|22 3a 20|true,|20 22|redirect|22 3a 20 22|" Depth: 48

Within:

PCRE: "/^(?:https?\x3a\/\/)?(?:www.)?(?:(?:a(?:m(?:ericanexpress|azon)|(?:dob|ppl)e|libaba|ol)|r(?:e(?:gions|max)|bcroyalbank)|f(?:irst-online|acebook|edex)|m(?:icrosoft(?:online)?|atch)|u(?:s(?:bank|aa|ps)|ps)|(?:technologyordi|googl)e|na(?:twest|ver)|d(?:ropbox|hl)|yahoo(?:mail)?|1(?:26|63)|keybank|qq).com|i(?:n(?:t(?:ertekgroup.org|uit.com)|vestorjunkie.com|g.(?:be|nl))|c(?:icibank.com|scards.nl)|mpots.gouv.fr|rs.gov)|c(?:(?:h(?:ristianmingl|as)e|apitalone(?:360)?|ibcfcib|panel).com|om(?:mbank.com.au|cast.net)|redit-agricole.fr)|b(?:a(?:nkofamerica.com|rclays.co.uk)|(?:igpond|t).com|luewin.ch)|o(?:(?:utlook|ffice).com|range.(?:co.uk|fr)|nline.hmrc.gov.uk)|s(?:(?:(?:aatchiar|untrus)t|c).com|ecure.lcl.fr|parkasse.de)|h(?:a(?:lifax(?:-online)?.co.uk|waiiantel.net)|otmail.com)|p(?:(?:rimelocation|aypal).com|ostbank.de)|l(?:i(?:nkedin|ve).com|abanquepostale.fr)|we(?:llsfargo.com|stpac.co.nz)|etisalat.ae)\/?/Ri"

Special Options:

  • http_stat_code

  • file_data

  • nocase

  • fast_pattern
