Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
No screenshot available
Detection Info
https://q-r.to/bgaEf4
Detected Brand
Unknown
Country
Unknown
Confidence
100%
HTTP Status
200
Report ID
b6c2fee4-185โฆ
Analyzed
2026-01-26 12:46
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T13A2255B1A540993B129386D4BA72AB0F73A44788CF432B11B7F8539E1EC6CA5DD5B091 |
|
CONTENT
ssdeep
|
96:n4duiE66x5h+J7ffPrxzSqywMQxRnMRH4R7+M/BOIkJ/BOIxx6/BOIxONhb5qDs9:1unrJUGfafGfUP5lx3gLiwqgw |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
b70f8c0f370e8c0f |
|
VISUAL
aHash
|
1fffffe7e7ffffff |
|
VISUAL
dHash
|
6000000808000000 |
|
VISUAL
wHash
|
00ffdfc7243c3030 |
|
VISUAL
colorHash
|
070000001c0 |
|
VISUAL
cropResistant
|
6000000808000000 |
Code Analysis
Risk Score
71/100
๐ฃ Credential Harvester
๐ฃ Personal Info
๐ Obfuscation Detected
- eval
- fromCharCode
๐ก API Calls Detected
- POST
- //
๐ Risk Score Breakdown
Total Risk Score
100/100
Contributing Factors
Active Phishing Kit
Detected Credential Harvester and Personal Info kit types, indicating a high likelihood of credential and sensitive data harvesting.
High Obfuscation
36 obfuscation techniques detected, significantly increasing the difficulty of analysis and indicating malicious intent.
Suspicious JavaScript Files
Presence of JavaScript files (photoswipe.min.js, photoswipe-ui-default.min.js) with potential for malicious functionality, despite no immediate indicators of abuse.
Lack of Transparency
No identifiable IPs, nameservers, or clear language strings, complicating attribution and increasing risk of anonymized malicious activity.
๐ฌ Comprehensive Threat Analysis
Threat Type
Credential Harvesting Kit
Target
General public
Attack Method
obfuscated JavaScript
Exfiltration Channel
Unknown
Risk Assessment
HIGH - Automated credential harvesting with Unknown
โ ๏ธ Indicators of Compromise
- Kit types: Credential Harvester, Personal Info
- 36 obfuscation techniques
๐ข Brand Impersonation Analysis
Fake Service
Unknown (No specific brand or service impersonation detected)
โ๏ธ Attack Methodology
Primary Method: Credential Harvesting
The phishing kit is designed to capture user credentials by presenting a fake login interface or form. The harvested data is likely transmitted to a remote server controlled by the attacker for further exploitation, such as account takeover or identity theft.
Secondary Method: Personal Information Theft
In addition to credentials, the kit may collect personal information such as names, addresses, or phone numbers. This data can be used for further social engineering attacks, identity fraud, or sold on underground markets.
๐ Infrastructure Indicators of Compromise
Domain Information
Domain
q-r.to
Registered
2012-01-31 21:22:21+00:00
Registrar
Government of Kingdom of Tonga
Status
Active (5108 days old)
๐ฆ Malicious Files
Main File
File Size
JavaScript file with no immediately detectable malicious functions but high obfuscation levels.
๐ Attack Flow Diagram
Here's a generic ASCII art attack flow diagram for the Banking phishing attack:
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. TARGET RECEIVES DECEPTIVE MESSAGE โ
โ - Victim directed to fake Banking site โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 2. FAKE SITE DISPLAYS CREDENTIAL FORM โ
โ - Mimics legitimate Banking interface โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 3. VICTIM ENTERS CREDENTIALS โ
โ - User submits login information โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 4. CREDENTIALS COLLECTED โ
โ - Form data captured by attacker โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 5. DATA TRANSMITTED โ
โ - Credentials sent via HTTP POST โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
๐ฌ JavaScript Deep Analysis
Total Code Size
40.8ย KB
๐ API Endpoints Detected
Other
5
๐ Obfuscation Detected
- : Light
- : None
๐ค AI-Extracted Threat Intelligence
๐ Attack Flow
Here's a generic ASCII art attack flow diagram for the Banking phishing attack:
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. TARGET RECEIVES DECEPTIVE MESSAGE โ
โ - Victim directed to fake Banking site โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 2. FAKE SITE DISPLAYS CREDENTIAL FORM โ
โ - Mimics legitimate Banking interface โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 3. VICTIM ENTERS CREDENTIALS โ
โ - User submits login information โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 4. CREDENTIALS COLLECTED โ
โ - Form data captured by attacker โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 5. DATA TRANSMITTED โ
โ - Credentials sent via HTTP POST โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
๐ฏ Malicious Files Identified
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
Scan History for q-r.to
Found 10 other scans for this domain
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.