Phishing Analysis: Chase

Visual Capture

Detection Info

http://gillmedical.org/Chase/CHASE

Detected Brand

Chase

Country

USA

Confidence

96%

HTTP Status

200

Report ID

034e64c1-94b…

Analyzed

2026-01-30 23:46

Final URL (after redirects)

http://gillmedical.org/Chase/CHASE/login.php

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1176110F14584A42902A282D18E32E369D382D474DF730B0B9AE5E75EBBDBFD8CC05079
CONTENT ssdeep	48:nXjLFTNmTNMitOKsanfI6SfnCw02hse5SnCw02hsesdQ5YpP5hvopBliFOo6wXmb:nTLG4KVZS6l3ONl3/2Ex0ZN

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	c958e663b30e35e2
VISUAL aHash	001818180000ffff
VISUAL dHash	91b2b0b0dbd2e200
VISUAL wHash	007c5c584848ffff
VISUAL colorHash	0b580001000
VISUAL cropResistant	d4e0d4d0d0d6dcdc,e0e1000c20150800,1db2b1b0b1dbd2f2

Code Analysis

Risk Score 81/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester

Telegram Exfiltration

🔬 Threat Analysis Report

• Threat: Phishing
• Target: Chase customers
• Method: Impersonation and credential harvesting
• Exfil: Data posted to post.php, potentially via Telegram bot
• Indicators: Domain mismatch, login form, visual imitation
• Risk: High

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

fromCharCode
unicode_escape

🎯 Kit Endpoints

https://api.telegram.org/bot7571937466:AAGs4WrakEQckPQy5-v_8kD26YOiIKFc7TU/sendMessage?chat_id=1418778003&text=New visit%0AIP:207.244.255.96

📤 Form Action Targets

post.php

🔑 Telegram Bot Tokens (1)

7571937466:AAGs...iIKFc7TU

💬 Telegram Chat IDs (1)

1418778003

📊 Risk Score Breakdown

Total Risk Score

90/100

Contributing Factors

Domain Mismatch

The domain gillmedical.org is completely unrelated to the brand Chase.

Presence of Login Form

The page includes a login form, indicating credential harvesting.

Impersonation

Visual design is attempting to replicate Chase's.

Obfuscation Detected

Javascript obfuscation found.

Telegram Token Found

Telegram bot token discovered.

🔬 Comprehensive Threat Analysis

Threat Type

Credential Harvesting Kit

Target

Chase users (USA)

Attack Method

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

Telegram Bot (7571937466:AAGs4Wrak...) + HTTP POST to backend

Risk Assessment

CRITICAL - Automated credential harvesting with Telegram Bot (7571937466:AAGs4Wrak...) + HTTP POST to backend

⚠️ Indicators of Compromise

1 Telegram bot token(s)
Kit types: Credential Harvester
28 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Chase

Official Website

https://www.chase.com/

Fake Service

Chase Online Login

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attacker creates a fake login page that mimics the appearance of Chase's login. The user enters their credentials, which are then harvested and sent to the attacker.