alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024230; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing_07012016, signature_severity Major, created_at 2016_09_02, performance_impact Low, updated_at 2017_04_20;) <p /> </h2> <p /> Added 2017-08-07 21:19:33 UTC <p /> <p /> <form method="post" action="http://doc.emergingthreats.net/bin/save/Main/2024230" enctype="multipart/form-data" id="threadmode0" name="threadmode0"><input type="hidden" name="crypttoken" value="79a435172e1e61ed1e4180fd3ed7269f" /><div class="commentPlugin commentPluginPromptBox" style="margin: 5px 0;"> <div><textarea rows="5" cols="80" name="comment" class="twikiTextarea" wrap="soft" style="width: 100%" onfocus="if(this.value=='Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.')this.value=''" onblur="if(this.value=='')this.value='Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.'">Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.</textarea></div><div style="padding: 5px 0 0 0;"><input type="submit" value="Add to Documentation" class="twikiButton" /></div> </div><!--/commentPlugin--> <input type="hidden" name="comment_action" value="save" /> <input type="hidden" name="comment_type" value="threadmode" /> <input type="hidden" name="comment_index" value="0" /></form> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:trojan-activity; sid:2024230; rev:2;) <p /> </h2> <p /> Added 2017-05-05 16:59:06 UTC <p /> <p /> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024230; rev:2;) <p /> </h2> <p /> Added 2017-05-03 17:36:00 UTC <p /> <p /> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:trojan-activity; sid:2024230; rev:2;) <p /> </h2> <p /> Added 2017-04-20 17:48:43 UTC <p /> <p /> <p /> <hr> <p /> </div><!-- /patternTopic--> <div class="twikiContentFooter"></div></div><!-- /patternContent--> <div class="clear"></div> <a name="topic-actions"></a><div class="patternTopicActions"><div class="patternTopicAction"><span class="patternActionButtons"><span><a href='http://doc.emergingthreats.net/bin/edit/Main/2024230?t=1508528880;nowysiwyg=1' rel='nofollow' title='Edit this topic text' accesskey='e'><img src='/pub/TWiki/TWikiDocGraphics/uweb-o14.gif' width='14' height='14' border='0' alt='' /> <span class='twikiAccessKey'>E</span>dit</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/attach/Main/2024230' rel='nofollow' title='Attach an image or document to this topic' accesskey='a'><span class='twikiAccessKey'>A</span>ttach</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/view/Main/2024230?cover=print' rel='nofollow' title='Printable version of this topic' accesskey='p'><span class='twikiAccessKey'>P</span>rint version</a></span><span class='twikiSeparator'> | </span><span><span><a href='/bin/rdiff/Main/2024230?type=history' rel='nofollow' title='View total topic history' accesskey='h'><span class='twikiAccessKey'>H</span>istory</a></span>: r1</span><span class='twikiSeparator'> | </span><span><a href='/bin/oops/Main/2024230?template=backlinksweb' rel='nofollow' title='Search the Main Web for topics that link to here' accesskey='b'><span class='twikiAccessKey'>B</span>acklinks</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/view/Main/2024230?raw=on' rel='nofollow' title='View raw text without formatting' accesskey='r'><span class='twikiAccessKey'>R</span>aw View</a></span><span class='twikiSeparator'> | </span><span><a href='http://doc.emergingthreats.net/bin/edit/Main/2024230?t=1508528880;nowysiwyg=0' rel='nofollow' title='WYSIWYG editor' accesskey='w'>WYSIWYG</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/oops/Main/2024230?template=oopsmore&param1=1&param2=1' rel='nofollow' title='Delete or rename this topic; set parent topic; view and compare revisions' accesskey='m'><span class='twikiAccessKey'>M</span>ore topic actions</a></span></span></div><!--/patternTopicAction--></div><!--/patternTopicActions--> <div class="patternInfo twikiGrayText"><div class="patternRevInfo">Topic revision: r1 - 2017-08-08 <a href="http://doc.emergingthreats.net/bin/edit/Main/2024230?nowysiwyg=1508528880" target="_top">-</a> <a href="/bin/view/Main/TWikiGuest" class="twikiLink">TWikiGuest</a></div><!-- /patternRevInfo--></div><!-- /patternInfo--> </div><!-- /patternMainContents--> </div><!-- /patternMain--><div id="patternLeftBar"><div id="patternClearHeaderLeft"></div> <div id="patternLeftBarContents"><div class="patternWebIndicator"> <ul> <li> <a class="twikiCurrentWebHomeLink twikiLink" href="/bin/view/Main/WebHome"><img src="/pub/TWiki/TWikiDocGraphics/web-bg-small.gif" width="13" height="13" alt="Web background" title="Web background" border="0" /> Main</a> </li></ul> </div> <div class="patternLeftBarPersonal"> <ul><li class="patternLogIn"><a href="/bin/login/Main/2024230?origurl=/bin/view/Main/2024230">Log In</a> or <a class="twikiLink" href="/bin/view/TWiki/TWikiRegistration">Register</a></li></ul> </div><!--/patternLeftBarPersonal--> <p /> <ul> <li> <b><a class="twikiCurrentWebHomeLink twikiLink" href="/bin/view/Main/WebHome"> <img src="/pub/TWiki/TWikiDocGraphics/home.gif" width="16" height="16" alt="Home" title="Home" border="0" /> Main Web</a></b> </li> <li> <a href="/bin/view/Main/WebTopicCreator?parent=2024230" target="_top"> <img src="/pub/TWiki/TWikiDocGraphics/newtopic.gif" width="16" height="16" alt="New topic" title="New topic" border="0" /> Create New Topic</a> </li> <li> <a class="twikiLink" href="/bin/view/Main/WebTopicList"> <img src="/pub/TWiki/TWikiDocGraphics/index.gif" width="16" height="16" alt="Index" title="Index" border="0" /> Index</a> </li> <li> <a class="twikiLink" href="/bin/view/Main/WebSearch"> <img src="/pub/TWiki/TWikiDocGraphics/searchtopic.gif" width="16" height="16" alt="Search topic" title="Search topic" border="0" /> Search</a> </li> <li> <a class="twikiLink" href="/bin/view/Main/RuleChanges"> <img src="/pub/TWiki/TWikiDocGraphics/changes.gif" width="16" height="16" alt="Changes" title="Changes" border="0" /> Changes</a> </li> <li> <a class="twikiLink" href="/bin/view/Main/WebPreferences"> <img src="/pub/TWiki/TWikiDocGraphics/wrench.gif" width="16" height="16" alt="Wrench, tools" title="Wrench, tools" border="0" /> Preferences</a> </li></ul> <p /> <ul> <li> <b>User Reference</b> </li> <li> <a href="http://doc.emergingthreats.net/bin/view/TWiki/ATasteOfTWiki" target="_top">ATasteOfTWiki</a> </li> <li> <a href="http://doc.emergingthreats.net/bin/view/TWiki/TextFormattingRules" target="_top">TextFormattingRules</a> </li></ul> <p /> <p /> <ul> <li> <b>Signature Reference</b> </li> <li> <a class="twikiLink" href="/bin/view/Main/WebRss">WebRss</a> Feed </li> <li> <a class="twikiLink" href="/bin/view/Main/EmergingFAQ">EmergingFAQ</a> </li></ul> <p /> <p /> </div><!-- /patternLeftBarContents--></div><!-- /patternLeftBar--> </div><!-- /patternFloatWrap--> <div class="clear"> </div> </div><!-- /patternOuter--></div><!-- /patternWrapper--><div id="patternTopBar"><div id="patternTopBarContents"><table border="0" cellpadding="0" cellspacing="0" style="width:100%; margin-top:12px;"> <tr><td valign="middle"><span id="twikiLogo" class="twikiImage"><a href="http://doc.emergingthreats.net"><img src="http://doc.emergingthreats.net/logo.png" border="0" alt="Emerging Threats" style="border:none;" /></a></span></td> <td align="right" valign="top" class="patternMetaMenu"> <ul> <li> <form name="jumpForm" action="/bin/view/Main/2024230"><input id="jumpFormField" type="text" class="twikiInputField" name="topic" value="" size="18" /><noscript> <input type="submit" class="twikiButton" size="5" name="submit" value="Jump" /> </noscript> </form> </li> <li> <form name="quickSearchForm" action="/bin/view/Main/WebSearch"><input type="text" class="twikiInputField" id="quickSearchBox" name="search" value="" size="18" /><input type="hidden" name="scope" value="all" /><input type="hidden" name="web" value="Main" /><noscript> <input type="submit" size="5" class="twikiButton" name="submit" value="Search" /> </noscript> </form> </li> <li> </li></ul> </td></tr></table></div></div><!-- /patternTopBar--><div id="patternBottomBar"><div id="patternBottomBarContents"><div id="patternWebBottomBar"><div class="twikiCopyright"><span class="twikiRight"> <a href="http://twiki.org/"><img src="/pub/TWiki/TWikiLogos/T-badge-88x31.gif" alt="This site is powered by the TWiki collaboration platform" width="88" height="31" title="This site is powered by the TWiki collaboration platform" border="0" /></a></span><span class="twikiRight" style="padding:0 10px 0 10px"> <a href="http://www.perl.org/"><img src="/pub/TWiki/TWikiLogos/perl-logo-88x31.gif" alt="Powered by Perl" width="88" height="31" title="Powered by Perl" border="0" /></a></span><span class="twikiRight"> <a href="http://twiki.org/"><img src="/pub/TWiki/TWikiLogos/T-logo-80x15.gif" alt="This site is powered by the TWiki collaboration platform" width="80" height="15" title="This site is powered by the TWiki collaboration platform" border="0" /></a></span>Copyright © Emerging Threats <br /></div><!--/patternWebBottomBar--></div><!-- /patternBottomBarContents--></div><!-- /patternBottomBar--> </div><!-- /patternPage--> </div><!-- /patternPageShadow--> </div><!-- /patternScreen--> </body></html>