I've developed an application rule to detect phishing attempts that use a fake LinkedIn site.
Don't hesitate to leave any suggestions or comments to enhance this app rule.
The attacker lures a user into clicking a fake LinkedIn link.
The fake website looks like a legitimate LinkedIn login page.
The user enters his/her LinkedIn ID/password.
The attacker gets the user's ID and credentials, then redirects to the original LinkedIn website.
How to detect this attempt using an SA application rule
I've used an app rule and SEARCH parser.
Rule name: LinkedIn phishing
Rule: extension='php' && match = 'LinkedIn','Linkedin','linkedin'
Dependency: SEARCH parser
Fake LinkedIn login page: fake_linkedin.jpg
pcap sample: linkedinphishing.pcap
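
The rule's logic, run over session metadata, as an added example that is not part of the original post or of the SA product. It also splits the hits by host so that sessions to the real LinkedIn site can be separated from the rest during triage; that host check, the `alias.host` field, the `linkedin.com` suffix list and all sample sessions are assumptions constructed for illustration.

```python
# Added example: emulates the post's app rule over constructed session metadata.
LINKEDIN_KEYWORDS = {"LinkedIn", "Linkedin", "linkedin"}  # values from the rule
LEGIT_SUFFIXES = ("linkedin.com",)  # assumption: hosts treated as the real site


def rule_matches(session):
    """extension='php' && match = 'LinkedIn','Linkedin','linkedin'"""
    return (session.get("extension") == "php"
            and bool(LINKEDIN_KEYWORDS & set(session.get("match", []))))


def is_legit_host(host):
    """True for linkedin.com or a subdomain of it (checked on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def triage(sessions):
    """Return (alerts, suppressed): rule hits split by destination host."""
    alerts, suppressed = [], []
    for s in sessions:
        if not rule_matches(s):
            continue
        bucket = suppressed if is_legit_host(s.get("alias.host", "")) else alerts
        bucket.append(s["id"])
    return alerts, suppressed


# Constructed sample sessions (not taken from the post's pcap).
SESSIONS = [
    {"id": 1, "alias.host": "login.example.test", "extension": "php",
     "match": ["LinkedIn"]},
    {"id": 2, "alias.host": "www.linkedin.com", "extension": "php",
     "match": ["linkedin"]},
    # Look-alike host: contains "linkedin.com" but is not a subdomain of it.
    {"id": 3, "alias.host": "linkedin.com.example.test", "extension": "php",
     "match": ["Linkedin"]},
    {"id": 4, "alias.host": "blog.example.test", "extension": "html",
     "match": ["LinkedIn"]},
    {"id": 5, "alias.host": "shop.example.test", "extension": "php", "match": []},
]

if __name__ == "__main__":
    alerts, suppressed = triage(SESSIONS)
    print("alert:", alerts)
    print("rule hit on real LinkedIn host:", suppressed)
```

Session 3 shows why the host comparison is done on a label boundary: a plain substring test for `linkedin.com` would treat the look-alike host as the real site.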