Detailed analysis of captured phishing page
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T13C147614FB0107C484F9BCD5949772E4A041CE2FA34A65A7252F53F67CCACA63EA239D |
|
CONTENT
ssdeep
|
384:DHgJWIV7y4yLMiVH8z2IVvg/py2pLaQlmXBwJlVIXv4tY/Uo0Wo3mNKX:sJ/oS2AqpL0wTVIXv4sUo0Wo3mN2 |
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
b8396c3c316ccec5 |
|
VISUAL
aHash
|
81c3ffcfcf9fc3c3 |
|
VISUAL
dHash
|
3b1b001c1c2a3737 |
|
VISUAL
wHash
|
8181dfcfc79f8181 |
|
VISUAL
colorHash
|
06400030000 |
|
VISUAL
cropResistant
|
3b1b001c1c2a3737 |
โข Threat: Credential Phishing
โข Target: DHL customers
โข Method: Impersonation via login form
โข Exfil: /events2/login.cfm
โข Indicators: Domain mismatch, login form, obfuscation
โข Risk: High
The attacker aims to steal user credentials by mimicking a legitimate DHL login page and tricking users into entering their information.
The attacker leverages the brand recognition of DHL to gain trust and deceive users.
1. Step 1: User lands on phishing page mimicking DHL Guest Management System login portal. 2. Step 2: User enters username (email) and password into the form. 3. Step 3: Form submission triggers AJAX POST to `/events2/login.cfm` with `doLogin` action. 4. Step 4: Backend ColdFusion component (`ControllerProxy.cfc`) processes credentials via `validatePassword()` and `validateFormFieldData()`. 5. Step 5: Session cookies (`SS_NAVB`, antiCsfrToken) are set or killed to manage user sessions and evade detection. 6. Step 6: Credentials are stored server-side or forwarded to attacker-controlled infrastructure. 7. Step 7: User is potentially redirected or shown a fake error message to delay suspicion.
1. Step 1: User lands on phishing page mimicking DHL Guest Management System login portal. 2. Step 2: User enters username (email) and password into the form. 3. Step 3: Form submission triggers AJAX POST to `/events2/login.cfm` with `doLogin` action. 4. Step 4: Backend ColdFusion component (`ControllerProxy.cfc`) processes credentials via `validatePassword()` and `validateFormFieldData()`. 5. Step 5: Session cookies (`SS_NAVB`, antiCsfrToken) are set or killed to manage user sessions and evade detection. 6. Step 6: Credentials are stored server-side or forwarded to attacker-controlled infrastructure. 7. Step 7: User is potentially redirected or shown a fake error message to delay suspicion.
cfmessage.jsvalidatePassword()validateFormFieldData()processFrontEndAssignment()getContactData()setCookie() / killCookies()checkKillSwitch()sssiUtil.preventHighJack()Pages with identical visual appearance (based on perceptual hash)
Found 10 other scans for this domain