Detailed analysis of captured phishing page
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
| TLSH (CONTENT) | T1E5E229B49230D335B1C247E8DA6425287A5FE1DDD7C695B4E388AF11B0D6CE8D9260CF |
| ssdeep (CONTENT) | 384:4r/aJcuv/xRvRhiXkdvNTDhPhLxeAxeDWNW1Tp34PxeeJEmuW3AsUIRWUMd:4r/aJcuv/JhhPhleMeDGCSPxeeWmHLW |
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
| pHash (VISUAL) | c73338cc783e694c |
| aHash (VISUAL) | 006660307078b690 |
| dHash (VISUAL) | 4ccccac3e5e46431 |
| wHash (VISUAL) | a0666630787ebf98 |
| colorHash (VISUAL) | 38206000000 |
| cropResistant (VISUAL) | 85858a88da9a78fa,100c323232320810,4ccccac3e5e46431 |
- Threat: Phishing
- Target: Users interested in crypto and Donald Trump
- Method: Impersonation through a fake casino
- Exfil: wss://gambler-work.com/api/ws (potentially credentials and other data)
- Indicators: Use of Trump's image, offers a 'Free Reward', registration form
- Risk: HIGH
The site uses a registration form to collect users' email addresses and passwords. The harvested credentials can be used to compromise accounts on other services, and a compromised account could in turn be used to redirect users to malware downloads.
User fills `<input name=email>` → `signalsFBEventsExtractFromInputs()` → `fetch('https://spinmaga.live/api/exfiltrate')` → data sent to external server
`signalsFBEventsExtractFromInputs.js`, `signalsFBEventsExtractFromInputs`, `signalsFBEventsExtractEventPayload`, `644576191807769`
Pages with identical visual appearance (based on perceptual hash)