Phishing Analysis: Malta Airport

Visual Capture

Detection Info

https://auth-secure.me/QGzrBLQ5YfdCUg

Detected Brand

Malta Airport

Country

International

Confidence

100%

HTTP Status

200

Report ID

35d8df00-3c1…

Analyzed

2026-03-11 16:18

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T11BD1FF7150509D3B5293C6D4B3B56B4F3394C346EA87566AA7F8C78C0EF3E26CC1A226
CONTENT ssdeep	96:DIpkCGTHRPyCdM+krwkM2qs39TbJG9KjsWsjOq0U2gs0sjOjOVJQ6Q6ynQjNsjOY:ZPdfk8G9TbJG9akDOVJQyyQjM

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	9c497326cc99d9e4
VISUAL aHash	18001818191f0f9f
VISUAL dHash	7161313331727d38
VISUAL wHash	191818181f1f1fff
VISUAL colorHash	070000001c0
VISUAL cropResistant	7161313331727d38

Code Analysis

Risk Score 70/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Phishing
• Target: Malta Airport users
• Method: Domain spoofing
• Exfil: Likely steals credentials
• Indicators: Mismatched domain, brand impersonation
• Risk: HIGH

🎯 Kit Endpoints

https://passwordreset.microsoftonline.com/?ru=https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-686658763842&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-8621-21bc5137cc6d&protectedtoken=true&domain_hint=maltairport.com&nonce=916619701478.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=bWFyY29uLmhpbGlAbWFsdGFpcnBvcnQuY29t#
https://login.microsoftonline.com/common/login#
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-472171214806&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-1201-21bc5137cc6d&protectedtoken=true&domain_hint=maltairport.com&nonce=425232347477.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=bWFyY29uLmhpbGlAbWFsdGFpcnBvcnQuY29t#
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-224908336031&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-3952-21bc5137cc6d&protectedtoken=true&domain_hint=maltairport.com&nonce=289639609394.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=bWFyY29uLmhpbGlAbWFsdGFpcnBvcnQuY29t#

📊 Risk Score Breakdown

Total Risk Score

90/100

Contributing Factors

Domain Mismatch

The domain 'auth-secure.me' is completely unrelated to the intended brand (Malta Airport).

Impersonation

The page visually attempts to impersonate a legitimate login page of the brand.

🔬 Comprehensive Threat Analysis

Threat Type

Two-Factor Authentication Stealer

Target

Malta Airport users (International)

Attack Method

Brand impersonation

Exfiltration Channel

Form submission (backend endpoint not detected - likely JavaScript-based)

Risk Assessment

HIGH - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Personal Info

🏢 Brand Impersonation Analysis

Impersonated Brand

Malta Airport

Official Website

null

Fake Service

Login portal

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attacker aims to steal user credentials by mimicking the login page of Malta Airport. Users are tricked into entering their login information on the fake site.