Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > Author: Kenny Kim

RSA NetWitness Platform

1 Post authored by: Kenny Kim Employee

I've developed a application rule to detect phishing attempt using fake LinkedIn site.

Don't hesitate to leave any suggestion or comment to enhance this app rule



Attacker lure a user to click a fake LinkedIn link.

the fake web site looks like a legitimate linkedin login page

the user put his/her linkedin' ID/Password

Attacker get user's id and credential, redirect to original linkedin web site.


How to detect this attempt using SA application rule

I've used an app rule and SEARCH parser.


<App Rule>

Rule name: LinkedIn phishing

Rule: extension='php' && match = 'LinkedIn','Linkedin','linkedin'


Dependancy: SEARCH parser








fake linkedin log-in page: fake_linkedin.jpg

pcap sample: linkedinphishing.pcap###

Filter Blog

By date: By tag: