Kenny Kim

[Use case] LinkedIn phishing detection w/SA

Blog Post created by Kenny Kim Employee on Aug 24, 2016

I've developed an application rule to detect phishing attempts that use a fake LinkedIn site.

Don't hesitate to leave any suggestion or comment to enhance this app rule.

 

[Scenario]

The attacker lures a user into clicking a fake LinkedIn link.

The fake web site looks like the legitimate LinkedIn login page.

The user enters his/her LinkedIn ID/password.

The attacker captures the user's ID and credentials, then redirects the user to the original LinkedIn web site.

 

How to detect this attempt using an SA application rule

I've used an app rule and the SEARCH parser.

 

<App Rule>

Rule name: LinkedIn phishing

Rule: extension='php' && match = 'LinkedIn','Linkedin','linkedin'

 

Dependency: SEARCH parser

 

<search.ini>

[LinkedIn]

Services=80

Keywords=LinkedIn;Linkedin;linkedin
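To make the detection logic concrete, here is an added example (my own code, not part of the original post or of the SA product) that models what the app rule and the SEARCH parser stanza above do together: the SEARCH parser tags sessions on port 80 whose payload contains one of the listed keywords, and the app rule fires when such a session also requested a resource with a .php extension. The HTTP sessions are constructed for the example, and the LEGIT_HOSTS allowlist is my own assumption (not in the post) to keep the genuine site from tripping the rule.

```python
"""Toy model of the 'LinkedIn phishing' app rule plus SEARCH parser stanza.

Assumptions (not from the original post):
  - an HttpSession record with host, request path, payload text and service port
  - a LEGIT_HOSTS allowlist so the real linkedin.com does not trigger the rule
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

KEYWORDS = ("LinkedIn", "Linkedin", "linkedin")   # Keywords= line of search.ini
SEARCH_SERVICES = {80}                             # Services=80 in search.ini
WATCH_EXTENSION = "php"                            # extension='php' in the app rule
RULE_NAME = "LinkedIn phishing"
LEGIT_HOSTS = {"linkedin.com", "www.linkedin.com"}  # assumption: allowlist


@dataclass
class HttpSession:
    host: str
    request_path: str
    payload: str          # response body as seen on the wire
    service: int = 80     # destination port


def extension_of(request_path: str) -> str:
    """Return the lowercase file extension of the requested resource ('' if none)."""
    path = urlparse(request_path).path          # drop the query string
    name = path.rsplit("/", 1)[-1]              # last path segment
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def search_parser(session: HttpSession) -> List[str]:
    """Mimic the SEARCH parser: on port-80 sessions, report which keywords occur.

    Matching is case-sensitive per keyword, exactly as the three variants are listed.
    """
    if session.service not in SEARCH_SERVICES:
        return []
    return [kw for kw in KEYWORDS if kw in session.payload]


def app_rule(session: HttpSession) -> Optional[Dict[str, object]]:
    """Fire when extension is 'php' AND the SEARCH parser tagged a LinkedIn keyword."""
    matches = search_parser(session)
    if extension_of(session.request_path) != WATCH_EXTENSION or not matches:
        return None
    if session.host.lower() in LEGIT_HOSTS:      # assumption: suppress the real site
        return None
    return {"rule": RULE_NAME, "host": session.host,
            "path": session.request_path, "match": matches}


def run(sessions: List[HttpSession]) -> List[Dict[str, object]]:
    """Evaluate the rule over a batch of sessions and return the alerts."""
    return [alert for alert in map(app_rule, sessions) if alert]


# Constructed sample sessions (not real traffic):
SAMPLE_SESSIONS = [
    # 1. look-alike login page served from a PHP script on port 80 -> should alert
    HttpSession("linkedin-login.example", "/login.php?from=mail",
                '<title>LinkedIn Login</title><form action="login.php">'
                '<input name="session_key">Join linkedin today</form>'),
    # 2. genuine site, no .php resource -> no alert
    HttpSession("www.linkedin.com", "/uas/login", "<title>LinkedIn</title>"),
    # 3. unrelated PHP page without the keyword -> no alert
    HttpSession("shop.example", "/cart.php", "<title>Add to cart</title>"),
    # 4. same fake page on port 443: outside Services=80, parser does not tag it
    HttpSession("linkedin-login.example", "/login.php",
                "<title>LinkedIn Login</title>", service=443),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_SESSIONS):
        print(alert)
```

Two points the toy makes visible: the three listed keyword variants are matched literally, so other casings (for example all-caps) would not be tagged, and with Services=80 only cleartext HTTP on port 80 is parsed, so the same page served over TLS produces no hit.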

 

Attachments:

fake LinkedIn log-in page: fake_linkedin.jpg

pcap sample: linkedinphishing.pcap
