SafeMode - Analysis: ibank.fedbonline.com

Visual Capture

No screenshot available

Detection Info

https://ibank.fedbonline.com

Detected Brand

Federal Bank

Country

USA

Confidence

100%

HTTP Status

200

Report ID

8b9c792d-8d0…

Analyzed

2026-01-26 10:38

Final URL (after redirects)

https://ibank.fedbonline.com/

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T19A63443C63C0563550CB87F2E5949F2AD29DCBDADB27AD8BF2ACC247178AC458F51260
CONTENT ssdeep	768:hzwFf/qPtZebfXHwo4xBg28lsFx1v3PZuGEWbDDTNeLwBo:sfSPlHx1v3PfEWbho

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	a9afd0b2c2ead2d0
VISUAL aHash	ff0b0b1303030100
VISUAL dHash	dbd7d3d3d7d79b90
VISUAL wHash	ff1b1b3b1303035a
VISUAL colorHash	07600008040
VISUAL cropResistant	6bdfd3d3f3d7d7b3,2040838b73a36393,dfd3d3f3d7d39a90

Code Analysis

Risk Score 82/100

Threat Level BAJO

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Potentially unwanted online banking portal.
• Target: Customers of Federal Bank.
• Method: Website prompts users to log in or open an account.
• Exfil: Unknown, further analysis of JavaScript is needed to confirm data exfiltration.
• Indicators: Domain name contains a variation of the brand name, obfuscated JavaScript, and Javascript form submission.
• Risk: LOW - Requires further analysis of the website's behavior to confirm malicious intent.

🔒 Obfuscation Detected

fromCharCode
hex_escape
unicode_escape
base64_strings

🎯 Kit Endpoints

https://ibank.fedbonline.com/login
https://ibank.fedbonline.com/verify
https://ibank.fedbonline.com/send-money

📡 API Calls Detected

https://libretranslate.com/translate
GET

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected multiple phishing kit types: Credential Harvester, OTP Stealer, Card Stealer, and Banking-specific modules.

Brand Impersonation

Domain ibank.fedbonline.com closely mimics Federal Bank's official branding, targeting Banking customers.

Obfuscation

61 obfuscation techniques detected in loader.js, indicating evasion of static analysis.

Malicious JavaScript

Loader.js (0.5 MB) contains obfuscated code, likely for credential interception or exfiltration.

🔬 Comprehensive Threat Analysis

Threat Type

Banking Credential Harvester

Target

Federal Bank users (USA)

Attack Method

obfuscated JavaScript

Exfiltration Channel

Unknown

Risk Assessment

CRITICAL - Automated credential harvesting with Unknown

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
61 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Federal Bank

Official Website

https://www.federalbank.co.in

Fake Service

Online Banking Login Portal

Fraudulent Claims

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The phishing page mimics Federal Bank's login portal to capture usernames, passwords, and session tokens. Harvested credentials are likely exfiltrated in real-time to attacker-controlled servers via obfuscated JavaScript.

Secondary Method: OTP Interception

The OTP Stealer module suggests the kit is designed to capture one-time passwords (OTPs) or 2FA codes, enabling attackers to bypass multi-factor authentication and gain unauthorized access to victim accounts.

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain

ibank.fedbonline.com

Registered

2025-07-30 09:53:03+00:00

Registrar

Dynadot Inc

Status

Active (180 days old)

🦠 Malicious Files

Main File

File Size

Obfuscated JavaScript file containing 61 obfuscation techniques, likely used for credential harvesting and exfiltration.

📊 Attack Flow Diagram

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL ACCESS                                        │
│    - Victim receives phishing message                    │
│    - Directed to fake Federal Bank page                  │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE LOGIN PAGE                                       │
│    - Displays convincing bank login interface            │
│    - Mimics legitimate Federal Bank design               │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL CAPTURE                                    │
│    - Victim enters Banking credentials                   │
│    - Data collected in fake form                         │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                     │
│    - Stolen credentials sent via HTTP POST               │
│    - Standard form submission to attacker server         │
└──────────────────────────────────────────────────────────┘
```

🔬 JavaScript Deep Analysis

Operator Language

English (1%)

Total Code Size

516.9 KB

🔗 API Endpoints Detected

Other

26

🔐 Obfuscation Detected

: Light
: Moderate

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL ACCESS                                        │
│    - Victim receives phishing message                    │
│    - Directed to fake Federal Bank page                  │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE LOGIN PAGE                                       │
│    - Displays convincing bank login interface            │
│    - Mimics legitimate Federal Bank design               │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL CAPTURE                                    │
│    - Victim enters Banking credentials                   │
│    - Data collected in fake form                         │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                     │
│    - Stolen credentials sent via HTTP POST               │
│    - Standard form submission to attacker server         │
└──────────────────────────────────────────────────────────┘
```