[Use case]LinkedIn phishing detection w/SA

Blog Post created by Kenny Kim Employee on Aug 24, 2016

I've developed an application rule to detect phishing attempts that use a fake LinkedIn site.

Don't hesitate to leave any suggestion or comment to enhance this app rule.



The attacker lures a user into clicking a fake LinkedIn link.

The fake web site looks like the legitimate LinkedIn login page.

The user enters his/her LinkedIn ID and password.

The attacker captures the user's ID and credentials, then redirects the user to the original LinkedIn web site.


How to detect this attempt using an SA application rule

I've used an app rule together with the SEARCH parser.


<App Rule>

Rule name: LinkedIn phishing

Rule: extension='php' && match = 'LinkedIn','Linkedin','linkedin'


Dependency: SEARCH parser
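To make the logic of the rule concrete, here is an added example (not code from the original post, and not RSA's own parser) that emulates what the SEARCH parser and the app rule do over a few constructed HTTP sessions. It assumes the SEARCH parser is configured with the three literals from the rule, that it matches case-sensitively (which is why the rule lists three spellings), and that the `extension` meta is derived from the requested URL path; the session data, hostnames and IP are constructed for the example.

```python
from urllib.parse import urlparse
import posixpath

# Keyword list the SEARCH parser is assumed to be configured with; taken from
# the rule on the page: match = 'LinkedIn','Linkedin','linkedin'
SEARCH_KEYWORDS = ("LinkedIn", "Linkedin", "linkedin")


def extension_of(url):
    """Emulate the 'extension' meta key: the file extension of the URL path,
    without the leading dot and ignoring any query string."""
    path = urlparse(url).path
    _, ext = posixpath.splitext(path)
    return ext.lstrip(".").lower()


def search_parser(payload, keywords=SEARCH_KEYWORDS):
    """Emulate the SEARCH parser: return every configured literal that occurs
    in the session payload. Assumed to be a case-sensitive substring match."""
    return [kw for kw in keywords if kw in payload]


def linkedin_phishing_rule(session):
    """Evaluate the app rule  extension='php' && match='LinkedIn','Linkedin','linkedin'
    against one session (a dict with 'url' and 'payload')."""
    ext = extension_of(session["url"])
    matches = search_parser(session["payload"])
    return ext == "php" and len(matches) > 0


def evaluate(sessions):
    """Return the names of the sessions the rule fires on, in input order."""
    return [s["name"] for s in sessions if linkedin_phishing_rule(s)]


# Constructed sample sessions (not taken from the pcap attached to the post).
# 203.0.113.10 is a documentation address and the hostnames are placeholders.
SAMPLE_SESSIONS = [
    {   # real LinkedIn login page: keyword present, but no .php extension -> no alert
        "name": "legit-login",
        "url": "https://www.linkedin.com/uas/login",
        "payload": "<title>LinkedIn Login</title>",
    },
    {   # cloned login page served from a PHP script on an unrelated host -> alert
        "name": "fake-login",
        "url": "http://203.0.113.10/account/login.php",
        "payload": "<title>Sign In | LinkedIn</title><form method=POST action=login.php>",
    },
    {   # PHP page with no keyword -> no alert
        "name": "php-no-keyword",
        "url": "http://example.net/index.php",
        "payload": "<title>Welcome</title>",
    },
    {   # benign PHP blog page that merely links to LinkedIn -> alert (false positive)
        "name": "blog-with-link",
        "url": "http://blog.example.org/post.php?id=7",
        "payload": "<a href='https://linkedin.com/in/someone'>Follow me on LinkedIn</a>",
    },
]

if __name__ == "__main__":
    for name in evaluate(SAMPLE_SESSIONS):
        print("LinkedIn phishing rule fired:", name)
```

The last sample shows the trade-off in the rule as written: any PHP-served page that mentions LinkedIn will fire, so hits are best reviewed together with the destination hostname (a login form with the LinkedIn branding on a host that is not linkedin.com is the case the rule is really after).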



Fake LinkedIn log-in page: fake_linkedin.jpg

pcap sample: linkedinphishing.pcap