Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
Detection Info
https://lhv-ee-g9okfq6.wishforthefuture.com/kqsg6xjg5/a503fd9646b86a1469e907bfac1b5b1b/login.php
Detected Brand
LHV
Country
Unknown
Confidence
100%
HTTP Status
200
Report ID
3c81c634-7e0โฆ
Analyzed
2026-06-13 06:12
Final URL (after redirects)
https://www.lhv.ee/et
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1AEB37474911026BE502742F3BA707B2973C85284CB5788C1B3BAC26B9F9DD8BDC561ED |
|
CONTENT
ssdeep
|
1536:r3Ydc7S3la6ckN0VCRJbf8qn9mG6zVCRJgV2ZNkrLAfsX+xEJV2QgFdwI/xWP1:8S4lSgPY/QzZo |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
cc1b71e2cc999e19 |
|
VISUAL
aHash
|
00003c3c3c3c0000 |
|
VISUAL
dHash
|
39167870606996a6 |
|
VISUAL
wHash
|
9d003c3c3c3cd3f3 |
|
VISUAL
colorHash
|
1ec00000003 |
|
VISUAL
cropResistant
|
c0d60dc9d9388d89,39167870606996a6 |
Code Analysis
Risk Score
68/100
Threat Level
ALTO
โ ๏ธ Phishing Confirmed
๐ฃ Banking
๐ฃ Personal Info
๐ Obfuscation Detected
- unicode_escape
๐ฏ Kit Endpoints
- /et/blogi/teie-kusisite-meie-tegime-lhv-kliendid-saavad-kasutada-smart-id-lahendust
- /et/blogi
- /auth/logout?goto=/
- /et/blogi/henri-x-premium-3-3-tunnen-et-olen-globaalne-inimene
๐ก API Calls Detected
- /b/public/consent
- /auth/ibank
๐ Risk Score Breakdown
Total Risk Score
100/100
Contributing Factors
Active Phishing Kit
Detected kit types: Banking, Personal Info
Credential Harvesting
Credential harvesting detected with 2 form(s) capturing sensitive data
Code Obfuscation
JavaScript code obfuscated using 2 technique(s) to evade detection
๐ฌ Comprehensive Threat Analysis
Threat Type
Banking Credential Harvester
Target
LHV users
Attack Method
credential harvesting forms + obfuscated JavaScript
Exfiltration Channel
Form submission (backend endpoint not detected - likely JavaScript-based)
Risk Assessment
HIGH - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)
โ ๏ธ Indicators of Compromise
- Kit types: Banking, Personal Info
- 2 obfuscation techniques
๐ข Brand Impersonation Analysis
Impersonated Brand
LHV
Official Website
N/A
Fake Service
Account login portal
โ๏ธ Attack Methodology
Primary Method: Banking Credential Theft
Victim enters banking credentials including account numbers and security questions. Attacker gains full access to victim's banking services.
Secondary Method: JavaScript Obfuscation
Malicious code is obfuscated using 2 techniques to evade detection by security scanners and make reverse engineering more difficult.
๐ Infrastructure Indicators of Compromise
Domain Information
Domain
lhv-ee-g9okfq6.wishforthefuture.com
Registered
2011-08-24 02:02:38+00:00
Registrar
GoDaddy.com, LLC
Status
Active (older domain)
Hosting Information
Provider
GoDaddy
ASN
๐ค AI-Extracted Threat Intelligence
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.