
ETPRO TROJAN Obfuscated Phishing Landing Feb 25

             IP Address                        Port       Hostname
Source       205.234.175.175 (United States)   http (80)  vip1.g-anycast1.cachefly.net
Destination  (local)                           52526

 

Description:

  • This rule detects a specific sequence of JavaScript that is designed to obfuscate the content it displays.
  • Legitimate reasons to obfuscate page content this way are not unheard of, but they are rare.

 

Is this a False Positive:

  • NO
  • URL leading to this landing page (this is a sketchy advertising network; try it a bunch of times and it will eventually land on the content below):
  • This is a valid detection. See below for the page that is rendered.

 

Actions:

  • Alarm on phish attempt.
  • Verify that there are no additional IDS, NetFlow, or log entries related to the same asset. If there are, additional investigation is required.
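
One way to run the second check, as an added example that is not part of the original article: pivot from the alert to every other event on the same asset within a time window. It assumes the sensor writes Suricata-style EVE JSON; the local addresses, timestamps, one-hour window and follow-on events are constructed placeholders.

```python
import json
from datetime import datetime, timedelta

SIGNATURE = "ETPRO TROJAN Obfuscated Phishing Landing Feb 25"  # rule name from the page
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata EVE timestamp layout

# Constructed sample events (not real traffic). 192.0.2.x and 198.51.100.x are
# documentation-range placeholders; the dates are arbitrary.
SAMPLE_EVE = """
{"timestamp": "2000-02-25T10:00:00.000000+0000", "event_type": "alert", "src_ip": "205.234.175.175", "src_port": 80, "dest_ip": "192.0.2.10", "dest_port": 52526, "alert": {"signature": "ETPRO TROJAN Obfuscated Phishing Landing Feb 25"}}
{"timestamp": "2000-02-25T10:01:00.000000+0000", "event_type": "alert", "src_ip": "198.51.100.9", "src_port": 80, "dest_ip": "192.0.2.11", "dest_port": 40000, "alert": {"signature": "constructed unrelated alert"}}
{"timestamp": "2000-02-25T10:02:00.000000+0000", "event_type": "flow", "src_ip": "192.0.2.10", "src_port": 52530, "dest_ip": "198.51.100.7", "dest_port": 443}
{"timestamp": "2000-02-25T10:03:00.000000+0000", "event_type": "alert", "src_ip": "192.0.2.10", "src_port": 52531, "dest_ip": "198.51.100.7", "dest_port": 443, "alert": {"signature": "constructed follow-on alert"}}
{"timestamp": "2000-02-25T14:00:00.000000+0000", "event_type": "dns", "src_ip": "192.0.2.10", "src_port": 53000, "dest_ip": "192.0.2.53", "dest_port": 53}
"""


def related_events(eve_text, signature=SIGNATURE, window=timedelta(hours=1)):
    """Map each asset that received the landing page to its other events in the window."""
    events = []
    for line in eve_text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["_ts"] = datetime.strptime(event["timestamp"], TS_FORMAT)
            events.append(event)

    findings = {}
    for trigger in events:
        if trigger.get("alert", {}).get("signature") != signature:
            continue
        # On this alert the source is the remote server (port 80), so the
        # local asset is the destination of the triggering alert.
        asset = trigger["dest_ip"]
        hits = findings.setdefault(asset, [])
        for event in events:
            if event is trigger or asset not in (event.get("src_ip"), event.get("dest_ip")):
                continue
            if abs(event["_ts"] - trigger["_ts"]) <= window:
                label = event.get("alert", {}).get("signature", event["event_type"])
                hits.append((event["timestamp"], label))
    return findings


if __name__ == "__main__":
    for asset, hits in related_events(SAMPLE_EVE).items():
        verdict = "investigate further" if hits else "no related activity"
        print(asset, verdict, hits)
```

An empty list for an asset means the alarm stands alone; any entry is the trigger for the additional investigation the second action calls for.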
