
RSA NetWitness Platform

1 Post authored by: Kenny Kim Employee

I've developed an application rule to detect phishing attempts that use a fake LinkedIn site.

Don't hesitate to leave any suggestions or comments to enhance this app rule.

 

[Scenario]

An attacker lures a user into clicking a fake LinkedIn link.

The fake web site looks like a legitimate LinkedIn login page.

The user enters his/her LinkedIn ID and password.

The attacker gets the user's ID and credentials, then redirects the user to the original LinkedIn web site.

 

How to detect this attempt using an SA application rule

I've used an app rule and SEARCH parser.

 

<App Rule>

Rule name: LinkedIn phishing

Rule: extension='php' && match = 'LinkedIn','Linkedin','linkedin'

 

Dependency: SEARCH parser

 

<search.ini>

[LinkedIn]

Services=80

Keywords=LinkedIn;Linkedin;linkedin
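
To see what the rule and search.ini above would and would not flag, here is an added Python emulation of the rule logic run over constructed sessions; it is not part of the original post and not NetWitness code. The password-field refinement, the session dictionaries and the `.test` hosts are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit

KEYWORDS = ("LinkedIn", "Linkedin", "linkedin")  # Keywords= in search.ini
SERVICES = {80}                                  # Services= in search.ini

def search_matches(session):
    """Emulate the SEARCH parser: keywords found in payload on a listed service."""
    if session["service"] not in SERVICES:
        return []
    return [k for k in KEYWORDS if k in session["payload"]]

def extension(session):
    """File extension of the requested path, without the dot."""
    path = urlsplit(session["url"]).path
    return posixpath.splitext(path)[1].lstrip(".")

def rule_fires(session):
    """extension='php' && match = 'LinkedIn','Linkedin','linkedin'"""
    return extension(session) == "php" and bool(search_matches(session))

def rule_fires_with_password_field(session):
    """Assumed refinement (not in the original rule): also require a password input."""
    return rule_fires(session) and 'type="password"' in session["payload"]

# Constructed sample sessions; hosts use the reserved .test TLD.
SESSIONS = {
    "fake_login": {"service": 80, "url": "http://signin.example.test/login.php",
                   "payload": '<title>Sign In | LinkedIn</title>'
                              '<input type="password" name="pw">'},
    "blog_footer": {"service": 80, "url": "http://blog.example.test/index.php?p=7",
                    "payload": "<a href='#'>Follow us on LinkedIn</a>"},
    "static_page": {"service": 80, "url": "http://corp.example.test/about.html",
                    "payload": "Find our team on LinkedIn"},
    # Service 443 is not listed in Services=, so the parser never inspects it.
    "tls_session": {"service": 443, "url": "", "payload": "(ciphertext, constructed)"},
}

def evaluate():
    """Return {name: (original rule, refined rule)} for each sample session."""
    return {name: (rule_fires(s), rule_fires_with_password_field(s))
            for name, s in SESSIONS.items()}

if __name__ == "__main__":
    for name, (orig, refined) in evaluate().items():
        print(f"{name:12} original={orig} refined={refined}")
```

The `blog_footer` session shows the rule's main false-positive source (any PHP page that mentions LinkedIn), and `tls_session` shows that a session outside `Services=80` is never evaluated.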

 

Attachment:

fake linkedin log-in page: fake_linkedin.jpg

pcap sample: linkedinphishing.pcap
