The malicious threat actor and phish kit creator and seller “MRWEEBEE” has been around since July 2021. This phish kit is designed to be used to create phish posing as US banks and credit unions. I can’t say that all phish created using this kit do this, but I can say I’ve seen a large number of phish that ultimately land on pages that include the following text in the URL:
%5bMRWEEBEE%5d
%5b is the html escape code for the left square bracked – [ – and %5d is the html escape code for the right square bracket – ] so it appears the kit automatically adds the following to the URLs created:
[MRWEEBEE]
Unfortunately, the phish I’ve seen created using this kit are all smish, or SMS/Text phish, and the initial links sent via text do not include this text. Victims end up at the site that has this in the URL only after one or more redirects, so we are unable to setup email filter rules looking for this URL. However, web filtering vendors shouldn’t have a problem creating rules to prevent anyone from getting to the final landing pages.
–Matt