[Use case] LinkedIn phishing detection w/SA

Written by Admin | Aug 24, 2016 4:00:00 AM

I've developed an application rule to detect phishing attempts using a fake LinkedIn site.

Don't hesitate to leave any suggestion or comment to enhance this app rule.

[Scenario]

The attacker lures a user into clicking a fake LinkedIn link.

The fake web site looks like the legitimate LinkedIn login page.

The user enters his/her LinkedIn ID/password.

The attacker gets the user's ID and credentials, then redirects the user to the original LinkedIn web site.

How to detect this attempt using an SA application rule

I've used an app rule and SEARCH parser.

Rule name: LinkedIn phishing

Rule: extension='php' && match = 'LinkedIn','Linkedin','linkedin'

Dependency: SEARCH parser

[LinkedIn]

Services=80

Keywords=LinkedIn;Linkedin;linkedin
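To make the logic of the rule and the SEARCH parser concrete, here is an added Python example (not part of the original post and not Security Analytics code) that applies the same two conditions to constructed HTTP session records: the requested resource has the extension `php`, and the SEARCH parser found one of the keywords `LinkedIn;Linkedin;linkedin` in the payload of a service-80 session. The `HttpSession` structure, the sample sessions and the optional `trusted_host` refinement are assumptions made for this example; the real parser operates on packet payloads, not on this simplified record.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Mirrors the [LinkedIn] section of the SEARCH parser config on the page.
SEARCH_SERVICES = (80,)
SEARCH_KEYWORDS = ("LinkedIn", "Linkedin", "linkedin")


@dataclass
class HttpSession:
    """Simplified stand-in for the metadata SA would carry for one HTTP session (assumed shape)."""
    client: str
    host: str
    path: str        # request URI, may carry a query string
    service: int     # SA 'service' meta, e.g. 80 for HTTP
    payload: str     # reconstructed response body (where the SEARCH parser looks)


def extension_of(path: str) -> str:
    """Equivalent of the 'extension' meta key: last dotted suffix of the URI path, without query/fragment."""
    base = path.split("?", 1)[0].split("#", 1)[0]
    name = base.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].lower()


def search_parser_matches(session: HttpSession) -> Tuple[str, ...]:
    """Emulates Keywords=LinkedIn;Linkedin;linkedin restricted to Services=80 (case-sensitive like the config)."""
    if session.service not in SEARCH_SERVICES:
        return ()
    return tuple(k for k in SEARCH_KEYWORDS if k in session.payload)


def linkedin_phishing_rule(session: HttpSession) -> bool:
    """extension='php' && match = 'LinkedIn','Linkedin','linkedin'"""
    return extension_of(session.path) == "php" and bool(search_parser_matches(session))


def trusted_host(host: str) -> bool:
    """Optional refinement (assumption, not in the original rule): suppress hits on the real domain."""
    h = host.lower().rstrip(".")
    return h == "linkedin.com" or h.endswith(".linkedin.com")


def evaluate(sessions: List[HttpSession], exclude_trusted: bool = False) -> List[HttpSession]:
    """Return the sessions the rule would flag."""
    hits = [s for s in sessions if linkedin_phishing_rule(s)]
    if exclude_trusted:
        hits = [s for s in hits if not trusted_host(s.host)]
    return hits


# Constructed sample sessions (not captured traffic).
SAMPLE_SESSIONS = [
    HttpSession("10.0.0.5", "login-linkedin.example", "/login.php?next=feed", 80,
                "<title>LinkedIn Login</title><form method='post'>..."),
    HttpSession("10.0.0.5", "www.linkedin.com", "/login", 443,
                "Sign in to LinkedIn"),
    HttpSession("10.0.0.8", "blog.example", "/post.php?id=7", 80,
                "Weekend photos of my cats"),
    HttpSession("10.0.0.9", "careers.example", "/jobs.php", 80,
                "Follow us on linkedin for new openings"),
]


if __name__ == "__main__":
    for s in evaluate(SAMPLE_SESSIONS):
        print(f"LinkedIn phishing rule hit: {s.client} -> {s.host}{s.path} "
              f"(keywords: {search_parser_matches(s)})")
```

Running this flags the first and the fourth session: the fake login page, and a legitimate careers page that merely mentions "linkedin" inside a PHP resource. That second hit is the kind of false positive to expect from a keyword-plus-extension rule, so in practice the hits are worth triaging together with the `alias.host` of the session and, where the page contains a form, the destination the credentials are posted to.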

Attachment:

fake linkedin log-in page: fake_linkedin.jpg

pcap sample: linkedinphishing.pcap