This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

[Use case]LinkedIn phishing detection w/SA

KennyKim
Occasional Contributor
Occasional Contributor
‎2016-08-24 08:20 PM

I've developed a application rule to detect phishing attempt using fake LinkedIn site.

Don't hesitate to leave any suggestion or comment to enhance this app rule

 

[Scenario]

Attacker lure a user to click a fake LinkedIn link.

the fake web site looks like a legitimate linkedin login page

the user put his/her linkedin' ID/Password

Attacker get user's id and credential, redirect to original linkedin web site.

 

How to detect this attempt using SA application rule

I've used an app rule and SEARCH parser.

 

<App Rule>

Rule name: LinkedIn phishing

Rule: extension='php' && match = 'LinkedIn','Linkedin','linkedin'

 

Dependancy: SEARCH parser

 

<search.ini>

[LinkedIn]

Services=80

Keywords=LinkedIn;Linkedin;linkedin

 

Attachment:

fake linkedin log-in page: fake_linkedin.jpg

pcap sample: linkedinphishing.pcap###

linkedinphishing.pcap.zip
linkedinphishing.pcap.zip
© 2022 RSA Security LLC or its affiliates. All rights reserved.