######## NOTE: amazon.com is intentionally left out of this regular expression (the _TITLE, _TAIL and _PREFIX lists below do include it)
full __FS_PHISH_VICTIM_URL_FULL m{<a[\s\n]+(?:[^\s<>]+[\s\n]+)?href=("?)([^\"<>]+)\1(?:[\s\n]+[^\s\n<>]+)*[\s\n]*>(?:[\s\n]*<(font|span)[^<>]+>)?[\n\s]*(?!\2)https?://(?:[^/.]+\.){0,2}?(?:<!-- [^<>]+ -->)?((paypal|ebay(?:rtm|static)?|ban(?:corpsouth(?:online)?|k(?:one|of(?:america|castile|oklahoma|thewest))|gor)|onlinebankofamerica|sbbt|(?:02|o2|pc)bancorp|b(?:bkonline|ok)|(af|bhf-|comfed|household|northfork|royal|stfrancis|tcf|us)bank|rb(?:c|sdigital)|ameritrade|citi(?:bank|businessonline|group|financial|zens(bank(online)?)?)?|skyfi|star|wamu|paypai|providian(?:services)?|f(?:lagstar|ult(on(bank|financialadvisors)?)?)|unionplanters|elizfed|regions(?:bank|net)?|cha(rterone|se)|lasalle(bank)?|nation(?:al-?city|et)|(?:capital|golden)(?:1|one)|cnb(?:wax)?|(?:(?:aa|cc)f|uofu)cu|w(?:achovia|ells-?fargo|f|esternunion)|e-gold|mastercard|visa|schwab|e(?:bay2|gg|passporte)|(?:columbusbankand|s(?:outh|un))trust|lloydstsb|hsbc(?:-us)?|mbna(?:netaccess)?|53|barclays|first(merit|tennessee)|ohiosavings|peoples|comerica|downey(?:savings)?|(?:machias?)savings|an(?:btx|z)|iblogin|(?:key|pnc|midamerica)(?:bank)?|gesa|fundsxpress|creditunion|dell|symantec)\.com|(?:mbna|paypal)\.us|(?:desjardins|bmo|cibc|canadianimperial|td(?:bank|canadatrust)?|scotiabank)\.(?:com|ca)|(?:paypal|ebay)\.ca|(?:ebay|hvb|vr-networld|(?:d(?:eutsche|resdner)-|post|volks|hypovereins)bank|sparkasse|paypal)\.de|abb-bvb\.be|sparkasse\.at|(ebay|fineco|sella)\.it|(?:(?:banc|grup)o)?santander\.(?:com\.(?:es|mx)|com|es)|banesto\.es|nordea\.(se|fi)|(enskilda|seb(ank)?)\.se|alpha\.gr|(?:alliance-leicester|ba(?:nkofscotland|rclays)|halifax(?:-online)?|hsbc|lloyds(?:tsb)?|nationwide|rbs|(?:co-operative|sainsburys)bank)\.co\.uk|standardbank\.co\.za|trademe\.co\.nz|(?:ebay|c(?:iti|omm)bank|national)\.com\.au|bradesco\.com\.br|(?:ncua|irs)\.gov|(?:a(?:mericaneagle|laskausa)|n(?:afcu(?:net)?|nleague)|redcross|mtnamerica|(?:(?:3rivers|ca|lacap|paragon|visions)f|(?:argonn|dupag|td)e|msg|nym|uofu)cu|un(icef)?)\.org)(?:[/?&][^<>
]*)?<}i
# FS_PHISH_VICTIM_URL: fires when an <a> tag's visible text (optionally wrapped in a
# <font>/<span> tag, optionally with one HTML comment inside the host name) starts with
# an http(s) URL at one of the listed victim domains while the href value captured in
# group 2 of __FS_PHISH_VICTIM_URL_FULL does not start with that same text — the
# "(?!\2)" lookahead is what performs the displayed-text vs. link-target comparison.
# NOTE(review): that comparison is a literal prefix test on the raw href string, so a
# link whose href differs only in scheme (http vs https) from the displayed URL still
# counts as a mismatch — confirm this is acceptable against real samples.
# NOTE(review): the __FS_PHISH_VICTIM_URL_FULL definition above appears to be split
# across two lines ("[^<>" / "]*)?<}i"); SpamAssassin reads one rule per line, so verify
# the break is a copy artifact and not present in the deployed file.
# NOTE(review): __FS_PHISH_VICTIM_URL_BODY is not defined in this section — presumably
# earlier in the file; confirm with spamassassin --lint.
meta FS_PHISH_VICTIM_URL __FS_PHISH_VICTIM_URL_FULL || __FS_PHISH_VICTIM_URL_BODY
describe FS_PHISH_VICTIM_URL Phish: URL displays victim.tld but links elsewhere
score FS_PHISH_VICTIM_URL 9
# rule: FS_PHISH_VICTIM_URL_TITLE
# added 2006-02-13
# test: ######## TODO: provide sample
######## FIXME: handle case where title attribute follows after href attrib
# temp: /var/tmp/phish-amazon-too.msg
# Intent: an <a> whose title="http(s)://<victim domain>..." (the tooltip shows a victim
# URL) is followed by an href attribute, whose value is captured in the last group.
# FIXME(review): "<a\s+(?:[^\s<>]+\s+)?\s+title" requires two whitespace runs in front
# of "title", so '<a title=...' or '<a class=x title=...' separated by a single space
# never matches; compare the href variant above, which uses
# "<a[\s\n]+(?:[^\s<>]+[\s\n]+)?href=". A likely fix is "<a\s+(?:[^\s<>]+\s+)*title" —
# confirm against the sample named in temp: above.
# FIXME(review): "(?!\2)" is evaluated before group 2 has matched anything; as far as I
# can tell, in Perl a back-reference to a group that has not participated fails, so the
# negative lookahead always succeeds and the title URL is never compared with the href
# target. Because the href is captured after the title, the comparison would need a
# different construction (e.g. capturing the href inside a leading lookahead so that
# its group number precedes the title test).
# NOTE(review): there is no describe/score line for this rule in this section — without
# one SpamAssassin scores a hit at the default 1.0; confirm that is intended while the
# rule is still marked TODO.
full FS_PHISH_VICTIM_URL_TITLE m{<a\s+(?:[^\s<>]+\s+)?\s+title="?(?!\2)https?://(?:[^/.]+\.){0,2}?((paypal|ebay(?:rtm|static)?|ban(?:corpsouth(?:online)?|k(?:one|of(?:america|castile|oklahoma|thewest))|gor)|onlinebankofamerica|sbbt|(?:02|o2|pc)bancorp|b(?:bkonline|ok)|(af|bhf-|comfed|household|northfork|royal|stfrancis|tcf|us)bank|rb(?:c|sdigital)|ameritrade|citi(?:bank|businessonline|group|financial|zens(bank(online)?)?)?|skyfi|star|wamu|paypai|providian(?:services)?|f(?:lagstar|ult(on(bank|financialadvisors)?)?)|unionplanters|elizfed|regions(?:bank|net)?|cha(rterone|se)|lasalle(bank)?|nation(?:al-?city|et)|(?:capital|golden)(?:1|one)|cnb(?:wax)?|(?:(?:aa|cc)f|uofu)cu|w(?:achovia|ells-?fargo|f|esternunion)|e-gold|mastercard|visa|schwab|e(?:bay2|gg|passporte)|(?:columbusbankand|s(?:outh|un))trust|lloydstsb|hsbc(?:-us)?|mbna(?:netaccess)?|53|barclays|first(merit|tennessee)|ohiosavings|peoples|comerica|downey(?:savings)?|(?:machias?)savings|an(?:btx|z)|iblogin|(?:key|pnc|midamerica)(?:bank)?|gesa|fundsxpress|creditunion|amazon|dell|symantec)\.com|(?:mbna|paypal)\.us|(?:desjardins|bmo|cibc|canadianimperial|td(?:bank|canadatrust)?|scotiabank)\.(?:com|ca)|(?:paypal|ebay)\.ca|(?:ebay|hvb|vr-networld|(?:d(?:eutsche|resdner)-|post|volks|hypovereins)bank|sparkasse|paypal)\.de|abb-bvb\.be|sparkasse\.at|(ebay|fineco|sella)\.it|(?:(?:banc|grup)o)?santander\.(?:com\.(?:es|mx)|com|es)|banesto\.es|nordea\.(se|fi)|(enskilda|seb(ank)?)\.se|alpha\.gr|(?:alliance-leicester|ba(?:nkofscotland|rclays)|halifax(?:-online)?|hsbc|lloyds(?:tsb)?|nationwide|rbs|(?:co-operative|sainsburys)bank)\.co\.uk|standardbank\.co\.za|trademe\.co\.nz|(?:ebay|c(?:iti|omm)bank|national)\.com\.au|bradesco\.com\.br|(?:ncua|irs)\.gov|(?:a(?:mericaneagle|laskausa)|n(?:afcu(?:net)?|nleague)|redcross|mtnamerica|(?:(?:3rivers|ca|lacap|paragon|visions)f|(?:argonn|dupag|td)e|msg|nym|uofu)cu|un(icef)?)\.org)(?:[/?&][^<>"]*)?(?:\s+[^\s<>]+)?href="?([^\"]+)["\s>]}i
uri FS_PHISH_VICTIM_URL_TAIL m{^https?://(?:[^/.:]+\.){0,2}?(?![^/.:]+\.(?:com|org)\.[a-z]{2})((paypal|ebay|ban(?:corpsouth(?:online)?|k(?:one|of(?:america|castile|oklahoma|thewest))|gor)|onlinebankofamerica|sbbt|(?:02|o2|pc)bancorp|b(?:bkonline|ok)|(af|bhf-|comfed|household|northfork|royal|stfrancis|tcf|us)bank|rb(?:c|sdigital)|ameritrade|citi(?:bank|businessonline|group|financial|zens(bank(online)?)?)?|skyfi|star|wamu|paypai|providian(?:services)?|f(?:lagstar|ult(on(bank|financialadvisors)?)?)|unionplanters|elizfed|regions(?:bank|net)?|cha(rterone|se)|lasalle(bank)?|nation(?:al-?city|et)|(?:capital|golden)(?:1|one)|cnb(?:wax)?|(?:(?:aa|cc)f|uofu)cu|w(?:achovia|ells-?fargo|f|esternunion)|e-gold|mastercard|visa|schwab|e(?:bay2|gg|passporte)|(?:columbusbankand|s(?:outh|un))trust|lloydstsb|hsbc(?:-us)?|mbna(?:netaccess)?|53|barclays|first(merit|tennessee)|ohiosavings|peoples|comerica|downey(?:savings)?|(?:machias?)savings|an(?:btx|z)|iblogin|(?:key|pnc|midamerica)(?:bank)?|gesa|fundsxpress|creditunion|amazon|dell|symantec)\.com|(?:mbna|paypal)\.us|(?:desjardins|bmo|cibc|canadianimperial|td(?:bank|canadatrust)?|scotiabank)\.(?:com|ca)|(?:paypal|ebay)\.ca|(?:ebay|hvb|vr-networld|(?:d(?:eutsche|resdner)-|post|volks|hypovereins)bank|sparkasse|paypal)\.de|abb-bvb\.be|sparkasse\.at|(ebay|fineco|sella)\.it|(?:(?:banc|grup)o)?santander\.(?:com\.(?:es|mx)|com|es)|banesto\.es|nordea\.(se|fi)|(enskilda|seb(ank)?)\.se|alpha\.gr|(?:alliance-leicester|ba(?:nkofscotland|rclays)|halifax(?:-online)?|hsbc|lloyds(?:tsb)?|nationwide|rbs|(?:co-operative|sainsburys)bank)\.co\.uk|standardbank\.co\.za|trademe\.co\.nz|(?:ebay|c(?:iti|omm)bank|national)\.com\.au|bradesco\.com\.br|(?:ncua|irs)\.gov|(?:a(?:mericaneagle|laskausa)|n(?:afcu(?:net)?|nleague)|redcross|mtnamerica|(?:(?:3rivers|ca|lacap|paragon|visions)f|(?:argonn|dupag|td)e|msg|nym|uofu)cu|un(icef)?)\.org)\.(?![a-z]{2}[:/])[a-z0-9]}i
# FS_PHISH_VICTIM_URL_TAIL: the victim domain appears as a label inside a longer host
# name (victim.tld.something) rather than as the registrable domain. In the pattern
# above, the leading "(?![^/.:]+\.(?:com|org)\.[a-z]{2})" skips hosts of the form
# victim.com.xx / victim.org.xx, and the trailing "\.(?![a-z]{2}[:/])[a-z0-9]" requires
# something other than a two-letter ccTLD to follow the victim name.
# NOTE(review): no score line for this rule in this section; SpamAssassin applies the
# default 1.0 unless it is scored elsewhere — confirm that is intended, since the
# sibling rules here score 9.
# NOTE(review): this list has plain "ebay" where __FS_PHISH_VICTIM_URL_FULL has
# "ebay(?:rtm|static)?" — check whether the victim lists are meant to stay in sync.
describe FS_PHISH_VICTIM_URL_TAIL Phish: URL points to victim.tld.what.ever
uri __FS_PHISH_VICTIM_URL_PREFIX m{^https?://(?:[^/.:]+\.){0,3}?([^/.:]+\.(?:[^/.:]{2,3}\.)?[^/.:]{2,5})(?:\:\d+)?[?/](?:.*[./])?(?!\1)((paypal|ebay|ban(?:corpsouth(?:online)?|k(?:one|of(?:america|castile|oklahoma|thewest))|gor)|onlinebankofamerica|sbbt|(?:02|o2|pc)bancorp|b(?:bkonline|ok)|(af|bhf-|comfed|household|northfork|royal|stfrancis|tcf|us)bank|rb(?:c|sdigital)|ameritrade|citi(?:bank|businessonline|group|financial|zens(bank(online)?)?)?|skyfi|star|wamu|paypai|providian(?:services)?|f(?:lagstar|ult(on(bank|financialadvisors)?)?)|unionplanters|elizfed|regions(?:bank|net)?|cha(rterone|se)|lasalle(bank)?|nation(?:al-?city|et)|(?:capital|golden)(?:1|one)|cnb(?:wax)?|(?:(?:aa|cc)f|uofu)cu|w(?:achovia|ells-?fargo|f|esternunion)|e-gold|mastercard|visa|schwab|e(?:bay2|gg|passporte)|(?:columbusbankand|s(?:outh|un))trust|lloydstsb|hsbc(?:-us)?|mbna(?:netaccess)?|53|barclays|first(merit|tennessee)|ohiosavings|peoples|comerica|downey(?:savings)?|(?:machias?)savings|an(?:btx|z)|iblogin|(?:key|pnc|midamerica)(?:bank)?|gesa|fundsxpress|creditunion|amazon|dell|symantec)\.com|(?:mbna|paypal)\.us|(?:desjardins|bmo|cibc|canadianimperial|td(?:bank|canadatrust)?|scotiabank)\.(?:com|ca)|(?:paypal|ebay)\.ca|(?:ebay|hvb|vr-networld|(?:d(?:eutsche|resdner)-|post|volks|hypovereins)bank|sparkasse|paypal)\.de|abb-bvb\.be|sparkasse\.at|(ebay|fineco|sella)\.it|(?:(?:banc|grup)o)?santander\.(?:com\.(?:es|mx)|com|es)|banesto\.es|nordea\.(se|fi)|(enskilda|seb(ank)?)\.se|alpha\.gr|(?:alliance-leicester|ba(?:nkofscotland|rclays)|halifax(?:-online)?|hsbc|lloyds(?:tsb)?|nationwide|rbs|(?:co-operative|sainsburys)bank)\.co\.uk|standardbank\.co\.za|trademe\.co\.nz|(?:ebay|c(?:iti|omm)bank|national)\.com\.au|bradesco\.com\.br|(?:ncua|irs)\.gov|(?:a(?:mericaneagle|laskausa)|n(?:afcu(?:net)?|nleague)|redcross|mtnamerica|(?:(?:3rivers|ca|lacap|paragon|visions)f|(?:argonn|dupag|td)e|msg|nym|uofu)cu|un(icef)?)\.org)(?:/|$)}i
# FS_PHISH_VICTIM_URL_PREFIX: the victim domain shows up as a path component of a URL
# on some other host (site.tld/.../victim.tld/). In __FS_PHISH_VICTIM_URL_PREFIX group 1
# captures the host's registrable domain and "(?!\1)" excludes the case where the path
# merely repeats the host's own domain. The meta additionally requires
# __FS_PHISH_VICTIM_FROM, which is defined elsewhere — presumably a sender check; verify.
# NOTE(review): no score line in this section — default 1.0 applies unless scored elsewhere.
meta FS_PHISH_VICTIM_URL_PREFIX (__FS_PHISH_VICTIM_URL_PREFIX && __FS_PHISH_VICTIM_FROM)
describe FS_PHISH_VICTIM_URL_PREFIX Phish: URL points to site.tld/...victim.tld
# __FS_HREF_SHOWLINKWARNING: an <a> tag (any attributes before it) carrying an
# on(dbl)click / onmouse* handler whose value is "return showlinkwarning();".
# "(?:3D)?" after "=" tolerates leftover quoted-printable "=3D" in the decoded body.
# FS_PHISH_SHOWLINKWARNING requires __FS_PHISH_VICTIM_FROM as well (defined elsewhere).
full __FS_HREF_SHOWLINKWARNING m{<a(?:[\s\n]+[^<>\s\n]+)*[\s\n]+on(?:(?:dbl)?click|mouse(?:down|move|o(?:ut|ver)|up))[\s\n]*=(?:3D)?[\s\n]*"[\s\n]*return[\s\n]+showlinkwarning\([\s\n]*\);?[\s\n]*"}i
meta FS_PHISH_SHOWLINKWARNING __FS_PHISH_VICTIM_FROM && __FS_HREF_SHOWLINKWARNING
describe FS_PHISH_SHOWLINKWARNING Phish: ShowLinkWarning() JavaScript in link
score FS_PHISH_SHOWLINKWARNING 9
# rule: FS_PHISH_VICTIM_MSGID
# added 2005-09-19
# edit 2006-03-14: optional subdomain in __FS_PHISH_VICTIM_FROM
######## NOTE: amazon.com is intentionally left out of this regular expression (same exclusion as in __FS_PHISH_VICTIM_URL_FULL)
uri __FS_PHISH_VICTIM_IMAGE m{^https?://(?:[^/.]+\.){0,2}?((paypal|ebay(?:rtm|static)?|ban(?:corpsouth(?:online)?|k(?:one|of(?:america|castile|oklahoma|thewest))|gor)|onlinebankofamerica|sbbt|(?:02|o2|pc)bancorp|b(?:bkonline|ok)|(af|bhf-|comfed|household|northfork|royal|stfrancis|tcf|us)bank|rb(?:c|sdigital)|ameritrade|citi(?:bank|businessonline|group|financial|zens(bank(online)?)?)?|skyfi|star|wamu|paypai|providian(?:services)?|f(?:lagstar|ult(on(bank|financialadvisors)?)?)|unionplanters|elizfed|regions(?:bank|net)?|cha(rterone|se)|lasalle(bank)?|nation(?:al-?city|et)|(?:capital|golden)(?:1|one)|cnb(?:wax)?|(?:(?:aa|cc)f|uofu)cu|w(?:achovia|ells-?fargo|f|esternunion)|e-gold|mastercard|visa|schwab|e(?:bay2|gg|passporte)|(?:columbusbankand|s(?:outh|un))trust|lloydstsb|hsbc(?:-us)?|mbna(?:netaccess)?|53|barclays|first(merit|tennessee)|ohiosavings|peoples|comerica|downey(?:savings)?|(?:machias?)savings|an(?:btx|z)|iblogin|(?:key|pnc|midamerica)(?:bank)?|gesa|fundsxpress|creditunion|dell|symantec)\.com|(?:mbna|paypal)\.us|(?:desjardins|bmo|cibc|canadianimperial|td(?:bank|canadatrust)?|scotiabank)\.(?:com|ca)|(?:paypal|ebay)\.ca|(?:ebay|hvb|vr-networld|(?:d(?:eutsche|resdner)-|post|volks|hypovereins)bank|sparkasse|paypal)\.de|abb-bvb\.be|sparkasse\.at|(ebay|fineco|sella)\.it|(?:(?:banc|grup)o)?santander\.(?:com\.(?:es|mx)|com|es)|banesto\.es|nordea\.(se|fi)|(enskilda|seb(ank)?)\.se|alpha\.gr|(?:alliance-leicester|ba(?:nkofscotland|rclays)|halifax(?:-online)?|hsbc|lloyds(?:tsb)?|nationwide|rbs|(?:co-operative|sainsburys)bank)\.co\.uk|standardbank\.co\.za|trademe\.co\.nz|(?:ebay|c(?:iti|omm)bank|national)\.com\.au|bradesco\.com\.br|(?:ncua|irs)\.gov|(?:a(?:mericaneagle|laskausa)|n(?:afcu(?:net)?|nleague)|redcross|mtnamerica|(?:(?:3rivers|ca|lacap|paragon|visions)f|(?:argonn|dupag|td)e|msg|nym|uofu)cu|un(icef)?)\.org)[/?&].*\.(?:jpe?g|gif|png)$}i
# FS_PHISH_VICTIM_IMAGE: a .jpg/.jpeg/.gif/.png URI hosted at one of the victim domains
# (__FS_PHISH_VICTIM_IMAGE) in a message whose sender does NOT pass __FS_PHISH_VICTIM_FROM
# (defined elsewhere) — i.e. a third party embedding the victim's own artwork.
# NOTE(review): the header comment above names FS_PHISH_VICTIM_MSGID, but no rule of that
# name is defined in this section; check whether the header is stale or the MSGID rule
# was moved.
meta FS_PHISH_VICTIM_IMAGE (! __FS_PHISH_VICTIM_FROM && __FS_PHISH_VICTIM_IMAGE)
describe FS_PHISH_VICTIM_IMAGE Phish: Foreign sender uses image at victim site
score FS_PHISH_VICTIM_IMAGE 9
# FS_PHISH_ALPHA_BANK: look-alike host names used against Alpha Bank (alphu.com,
# alphe.net, alphagr.net). Only the "www." form is matched, and nothing anchors the end
# of the host, so a longer host that merely begins with one of these names also hits.
# NOTE(review): no score line in this section — default 1.0 applies unless scored elsewhere.
uri FS_PHISH_ALPHA_BANK /^https?:\/\/www\.(?:alphu\.com|alphe\.net|alphagr\.net)/i
describe FS_PHISH_ALPHA_BANK Phish: Someone pretending to be alpha bank in Greece
# FS_PHISH_NORDEA_FI: hard-coded list of IP literals observed hosting the Nordea phish,
# written as a prefix-compressed alternation; the host must be followed by "?", ":" or "/".
# NOTE(review): IP-literal indicators age quickly and these date from 2005 — consider
# re-verifying or retiring the list rather than keeping it scored at 9 indefinitely.
uri FS_PHISH_NORDEA_FI m%^https?://(?:2(?:03\.94\.244\.173|10\.(?:83\.195\.195|90\.163\.11))|8(?:1\.(?:1(?:0\.143\.148|2\.(?:38\.13|5(?:0\.(?:14|8)|4\.254)|65\.35|8\.245))|4\.84\.66)|3\.(?:1(?:6\.(?:147\.42|47\.59|8\.138)|7\.26\.86)|2(?:16\.34\.18|2(?:3\.104\.48|7\.192\.48|8\.(?:10\.55|42\.58))))))[?:/]%i
describe FS_PHISH_NORDEA_FI Phish: Someone pretending to be Nordea bank of Finland
score FS_PHISH_NORDEA_FI 9
# Nordea phish mk II / mk III, 2005-12-09_02 2005-12-14_01
# FS_PHISH_NORDEA_FI_TXT: matches the URL shape of those samples — any dotted-quad host on
# port 8081 followed by the "nsp/engine/usecase=menu/..." path with fpid/menuid/hash
# parameters; "//?" tolerates doubled slashes between segments. Unlike the siblings it is
# http-only and has no /i flag, so the path keywords are matched case-sensitively —
# presumably deliberate since it mirrors a specific sample; confirm.
uri FS_PHISH_NORDEA_FI_TXT m%http://\d+\.\d+\.\d+\.\d+:8081//?nsp//?engine//?usecase=menu//?command=openmenu//?logon_topnavigation_view&fpid=[0-9A-Za-z]+&menuid=[0-9]+&hash=[0-9A-Za-z]+/%
describe FS_PHISH_NORDEA_FI_TXT Phish: Someone pretending to be Nordea bank of Finland
score FS_PHISH_NORDEA_FI_TXT 9
# rule: FS_PHISH_JHSBC_WMF
# added 2006-01-19
# WMF exploit site
# See also weblog.f-secure.com / January 2006
# Matches the host jhsbc.com (with or without "www.") when it is followed by "/", ":" or
# the end of the URI, so look-alike hosts that merely start with jhsbc.com do not hit.
uri FS_PHISH_JHSBC_WMF m%^https?://(?:www\.)?jhsbc\.com(?:[/:]|$)%i
describe FS_PHISH_JHSBC_WMF Phish: phishing site hosting the WMF exploit, reported Jan 2006
score FS_PHISH_JHSBC_WMF 9
# rule: FS_PHISH_TEST
# added 2006-07-11
# test: ######## TODO: provide sample
# Matches http(s)://phishing.filter.test[:80]/general followed by "/" or end of URI —
# presumably a synthetic URL for exercising the phishing rules; verify.
# FIXME(review): the dots in "phishing.filter.test" are unescaped and match any
# character; write "phishing\.filter\.test" so that only the literal host name hits.
uri FS_PHISH_TEST m%^https?://phishing.filter.test(?::80)?/general(?:$|/)%i