# Sigma-style detection rule for scanned web pages: flags a phishing kit that
# carries a hidden second exfiltration channel, so captured credentials also
# reach the kit's author and not only the operator who deployed it.
title: backdoored-kit
level: likely_malicious
description: |
  Site is running a backdoored phishing kit which exfiltrates credentials back to the phishing kit author.
# Public scan results the rule was written against.
references:
  - https://urlscan.io/result/57c33fed-0a60-4bec-959e-c78904bafca2/
  - https://urlscan.io/result/9a139acc-fbda-4f3d-847c-fa31a001ea03/

detection:
  # NOTE(review): assumes Sigma-style semantics, where every key inside one
  # selection must match (logical AND) -- confirm against the rule engine.
  tokenStealer:
    # Substring match on the page's recorded requests: the path and query
    # prefix of the kit's token-collection endpoint.
    requests|contains: /receive_token?referrer=
    # Hard-coded token assigned in page JavaScript: 8-10 digits, a colon, then
    # exactly 35 characters from [a-zA-Z0-9_-]. The shape is consistent with a
    # Telegram bot API token, but the rule does not name the service -- verify
    # before attributing.
    # The pattern is literal about `var token="` (no whitespace, double quotes
    # only), so reformatted or single-quoted variants of the kit will not match.
    # A matched value is a live credential: redact it in tickets and reports.
    js|re: 'var token="[0-9]{8,10}:[a-zA-Z0-9_-]{35}"'
  condition: tokenStealer
