add Roblox phishing 🚀 (#252)

* Add files via upload * Update roblox-phishing-f254en7e.yml * Update and rename roblox-phishing-f254en7e.yml to roblox-phishing.yml * Edit and rename roblox-phishing.yml to roblox-phishing-8L0QMRN6 * Update and rename * Update roblox-phishing-8l0pamh6.yml Minor description and detection field names fixes * Update and rename roblox-phishing-8l0pamh6.yml to roblox-8l0pamh6.yml Fix rule filename --------- Co-authored-by: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
phish-report · May 20, 2024 · e0754a5 · e0754a5
1 parent edd7cf8
commit e0754a5
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/indicators/roblox-8l0pamh6.yml b/indicators/roblox-8l0pamh6.yml
@@ -0,0 +1,33 @@
+title: Roblox Phishing Kit 8l0pamh6
+description: |
+    Detects Roblox phishing sites using a Roblox specific strings
+    within the DOM.
+    
+    Usually at /controlPage/create you can create a "Beaming link"
+    These are often spread through Discord to victims.
+references:
+  - https://www.youtube.com/watch?v=lUL2vgyhsw4
+  - https://urlscan.io/result/c716b820-174e-4211-9c09-4663b4a7e47d/
+  - https://urlscan.io/result/e76d7a2f-3e6d-455e-8da8-1a94ea6c222f/
+  - https://urlscan.io/result/f9ccb8a3-624b-4cb1-b237-36dd81cef6e3/
+  - https://urlscan.io/result/1a62439f-de11-4ee6-a0ed-9c482c0c1906/
+
+detection:
+
+    realDomains:
+        hostname|endswith:
+            - .roblox.com
+            - .rbxcdn.com
+
+    rbxBodyId:
+        dom|contains: body id="rbx-body"
+
+    rbxCDN:
+        dom|contains: rbxcdn
+
+
+    condition: rbxCDN and rbxBodyId and not realDomains
+
+tags:
+    - kit
+    - target.roblox