SafeMode - Analysis: dkbing-banking.91-218-65-223.plesk.page

Visual Capture

Screenshot of dkbing-banking.91-218-65-223.plesk.page

Detection Info

https://dkbing-banking.91-218-65-223.plesk.page/

Detected Brand

Plesk

Country

International

Confidence

100%

HTTP Status

200

Report ID

920d4e12-6d3…

Analyzed

2026-02-26 00:50

Final URL (after redirects)

https://dkbing-banking.91-218-65-223.plesk.page/login_up.php

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1AF92B6F2548CE57627039FD0F466BB15B39B65BEEB820700C26C83985FE7ED1D44988A
CONTENT ssdeep	384:KLJjYp8pe78xe8ITjKkrVjg1rTj3rrn1NWEGWPZ+gEbDP5p3OECCefdRhqHe1:KLJjW8pe78xe8I32f1BoZOCadRhqHe1

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	cc662799319933b9
VISUAL aHash	0010001818181818
VISUAL dHash	726224b2b2b2b2b2
VISUAL wHash	0010181818181c1c
VISUAL colorHash	07007000080
VISUAL cropResistant	92a280b233a08e9e,726224b2b2b2b2b2

Code Analysis

Risk Score 85/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Phishing
• Target: Plesk users
• Method: Impersonation via a fake login page.
• Exfil: Unknown, likely to capture login credentials.
• Indicators: Domain mismatch, obfuscated JavaScript, form submission.
• Risk: HIGH

🔒 Obfuscation Detected

atob
eval
fromCharCode
unescape
document.write
hex_escape
unicode_escape
base64_strings

🎯 Kit Endpoints

https://github.com/login/oauth/authorize?client_id=1c4da8e2ca643e96ea17&redirect_uri=https%3A%2F%2Fid.plesk.com%2Fredirect%2Fgithub-sign-in.html&scope=user%3Aemail&state=ph%2FGSgODM2KSSO27Qdb28STvRhgMTS36Fmb5M8dA%7Credirect-plesk%3Dhttps%253A%252F%252Fdkbing-banking.91-218-65-223.plesk.page%252Fmodules%252Fsocial-login%252Fpublic%252Flogin.php%253Fprovider%253Dgithub
${(0,m.default)(`/admin/report/download/file/${encodeURIComponent(n.file)}`)}
https://support.plesk.com/hc/en-us/articles/12377667582743-How-to-log-in-to-Plesk-
log-in
/modules/social-login/public/webauthn.js?1.10.5&18.0.76-1
/login_up.php?modals[cookie-policy-preferences]=true
/logout.php

📡 API Calls Detected

/admin/copilot/gen-answer
GET
/admin/copilot/stat
/modules/notifier/index.php/notifications

📊 Risk Score Breakdown

Total Risk Score

90/100

Contributing Factors

Suspicious Domain

The domain is not related to the brand.

Obfuscated JavaScript

Code obfuscation is a common technique used to hide malicious code.

Requests Credentials

The website asks for login credentials in a suspicious context.

🔬 Comprehensive Threat Analysis

Threat Type

Banking Credential Harvester

Target

Plesk users (International)

Attack Method

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

Form submission (backend endpoint not detected - likely JavaScript-based)

Risk Assessment

CRITICAL - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Banking, Personal Info
105 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Plesk and Living Bots

Official Website

null

Fake Service

Plesk Login

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attacker attempts to steal user credentials by creating a fake login page that mimics the look and feel of the target service (Plesk). Users are tricked into entering their login details, which are then harvested by the attacker.