EN ES PT

Phishing Analysis

Detailed analysis of captured phishing page

Back to Stats

Visual Capture

Screenshot of aktiifkaanpayllaters.resmi-hkv3.my.id

Detection Info

https://aktiifkaanpayllaters.resmi-hkv3.my.id/
Detected Brand
DANA
Country
Indonesia
Confidence
95%
HTTP Status
200
Report ID
910923d1-a52โ€ฆ
Analyzed
2026-01-25 18:05

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T136F1D8D3E048540A1312C9C1AED7E244F2368717CB56653ADAB650E3F3D9AF4C27A7A2
CONTENT ssdeep
192:Lp3lBluhF1vyYDYV9Hsqu9jZP1N8dPVIq:Lp3lBludyYOdsqojZPv8dtr

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
834973670ce7cc66
VISUAL aHash
00001e3f01ffffff
VISUAL dHash
e2d2f4ecebcecece
VISUAL wHash
0000180f03ffffff
VISUAL colorHash
03003000180
VISUAL cropResistant
f8eceeebcececeea,c072c2d4ececeeeb

Code Analysis

Risk Score 53/100
Threat Level ALTO
โš ๏ธ Phishing Confirmed
๐ŸŽฃ Credential Harvester

๐Ÿ”ฌ Threat Analysis Report

โ€ข Threat: DANA credential harvesting phishing
โ€ข Target: DANA e-wallet users in Indonesia
โ€ข Method: Fake website to steal user credentials.
โ€ข Exfil: Unknown.
โ€ข Indicators: Suspicious domain, obfuscated Javascript, and forms for credential capture.
โ€ข Risk: HIGH - Immediate credential theft.

๐Ÿ”’ Obfuscation Detected

  • fromCharCode

๐Ÿ“ก API Calls Detected

  • POST

๐Ÿ“Š Risk Score Breakdown

Total Risk Score
85/100

Contributing Factors

Active Phishing Kit
Detected Credential Harvester kit with 4 forms for harvesting user credentials.
Obfuscation Techniques
Identified 4 obfuscation techniques in the JavaScript code, increasing evasion potential.
Brand Impersonation
Impersonates DANA, a legitimate financial service, to deceive users into submitting sensitive information.
Malicious JavaScript
Inclusion of JavaScript file (owl.carousel.js) with potential for malicious activity, though no direct malicious functions extracted.
Lack of Infrastructure Transparency
No associated IPs or nameservers detected, complicating traceability and takedown efforts.

๐Ÿ”ฌ Comprehensive Threat Analysis

Threat Type
Credential Theft (Fake DANA Login)
Target
DANA users (Indonesia)
Exfiltration Channel
Backend API

๐Ÿข Brand Impersonation Analysis

Impersonated Brand
DANA
Official Website
https://www.dana.id
Fake Service
DANA Paylater and DANA Cicil services

โš”๏ธ Attack Methodology

Primary Method: Credential Harvesting

The phishing kit employs multiple forms to capture user credentials, such as login details, PINs, or other sensitive financial information. The harvested data is likely transmitted to an attacker-controlled server for immediate exploitation or resale on underground markets.

Secondary Method: Brand Impersonation

The campaign mimics DANA's official branding and service offerings, such as DANA Paylater and DANA Cicil, to trick users into believing the site is legitimate and prompting them to enter their credentials.

๐ŸŒ Infrastructure Indicators of Compromise

Domain Information

Domain
aktiifkaanpayllaters.resmi-hkv3.my.id
Registered
Unknown
Registrar
Unknown
Status
Active (age unknown)

๐Ÿฆ  Malicious Files

Main File
File Size

JavaScript file included in the phishing kit, potentially used for UI manipulation or data exfiltration.

๐Ÿ”ฌ JavaScript Deep Analysis

Operator Language
English (1%)
Total Code Size
107.4ย KB

๐Ÿ”— API Endpoints Detected

Other
9

๐Ÿ” Obfuscation Detected

  • : Light
  • : Light

๐Ÿค– AI-Extracted Threat Intelligence

๐ŸŽฏ Malicious Files Identified

Similar Websites

Pages with identical visual appearance (based on perceptual hash)

Screenshot
DANA
https://dd1.qzz.io/dana/7j6ha/0h/
May 09, 2026
 Screenshot
DANA
https://perbaiika4n-akun-danaa.resmi-akzz3.my.id/
May 01, 2026
๐Ÿ˜ฐ
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.