Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
Detection Info
http://metamaskloginr.webflow.io
Detected Brand
MetaMask
Country
Unknown
Confidence
100%
HTTP Status
200
Report ID
b7049a33-e6dโฆ
Analyzed
2026-01-26 05:12
Final URL (after redirects)
https://metamaskloginr.webflow.io/
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1344155637602B42D7B1656F8D510B2ECC04243AECE50F884D9C089DD968ECCA5442BAE |
|
CONTENT
ssdeep
|
48:/WmfDhv5Qx/q0LkYX0Tl0n0w4Uzeu531hDEf6:ThiNL+Tq0mr5llEf6 |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
af2de0c90d2c2f0f |
|
VISUAL
aHash
|
bbff03133f83ffff |
|
VISUAL
dHash
|
528c6e6664232300 |
|
VISUAL
wHash
|
03e303033381fffe |
|
VISUAL
colorHash
|
07c000000c0 |
|
VISUAL
cropResistant
|
528c6e6664232300 |
Code Analysis
Risk Score
100/100
Threat Level
ALTO
โ ๏ธ Phishing Confirmed
๐ฃ Credential Harvester
๐ฃ Personal Info
๐ Obfuscation Detected
- atob
- fromCharCode
- base64_strings
๐ฏ Kit Endpoints
- https://metamaskloginr.webflow.io/
๐ก API Calls Detected
- https://www.google.com/ccm/geo
- POST
๐ Risk Score Breakdown
Total Risk Score
100/100
Contributing Factors
Active Phishing Kit
Detected Credential Harvester and Personal Info kit types, indicating real-time data interception and exfiltration capabilities.
Brand Impersonation
Domain impersonates MetaMask, a high-value cryptocurrency wallet target, increasing likelihood of successful social engineering.
Obfuscation Techniques
34 obfuscation techniques detected in JavaScript, indicating deliberate evasion of static analysis and automated detection.
Domain Reputation
Domain hosted on webflow.io, a legitimate platform often abused for phishing due to free hosting and SSL certificates.
๐ฌ Comprehensive Threat Analysis
Threat Type
Credential Harvesting Kit
Target
MetaMask users
Attack Method
credential harvesting forms + obfuscated JavaScript
Exfiltration Channel
Unknown
Risk Assessment
CRITICAL - Automated credential harvesting with Unknown
โ ๏ธ Indicators of Compromise
- Kit types: Credential Harvester, Personal Info
- 34 obfuscation techniques
๐ข Brand Impersonation Analysis
Impersonated Brand
MetaMask
Official Website
https://metamask.io
Fake Service
MetaMask wallet login and account verification
โ๏ธ Attack Methodology
Primary Method: Wallet Connection Spoofing
The phishing site mimics MetaMask's wallet connection interface to trick users into approving malicious smart contract interactions. This allows attackers to request token approvals or drain assets directly from connected wallets.
Secondary Method: Credential Harvesting
The site includes forms designed to capture MetaMask seed phrases or private keys, enabling full account takeover and irreversible asset theft.
Target Blockchain
Ethereum
๐ Infrastructure Indicators of Compromise
Domain Information
Domain
metamaskloginr.webflow.io
Registered
Unknown
Registrar
Unknown
Status
Active (age unknown)
๐ฆ Malicious Files
Main File
File Size
Highly obfuscated JavaScript file with 34 detected obfuscation techniques, likely containing credential harvesting logic.
๐ Attack Flow Diagram
Here's a generic ASCII art attack flow diagram for the described phishing attack:
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. VICTIM TARGETED โ
โ - Fake MetaMask page delivered via phishing โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 2. WALLET CONNECTION SPOOFING โ
โ - Fake interface mimics legitimate wallet connection โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 3. USER INTERACTION โ
โ - Victim attempts to connect wallet โ
โ - Fake prompts request sensitive information โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 4. DATA CAPTURE โ
โ - Entered information collected by fake interface โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 5. EXFILTRATION โ
โ - Collected data sent via HTTP POST โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
๐ฌ JavaScript Deep Analysis
Sophistication Level
Basic
Total Code Size
36.1ย KB
๐ API Endpoints Detected
Other
6
Backend API
1
๐ Obfuscation Detected
- : Light
๐ค AI-Extracted Threat Intelligence
๐ Attack Flow
Here's a generic ASCII art attack flow diagram for the described phishing attack:
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. VICTIM TARGETED โ
โ - Fake MetaMask page delivered via phishing โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 2. WALLET CONNECTION SPOOFING โ
โ - Fake interface mimics legitimate wallet connection โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 3. USER INTERACTION โ
โ - Victim attempts to connect wallet โ
โ - Fake prompts request sensitive information โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 4. DATA CAPTURE โ
โ - Entered information collected by fake interface โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 5. EXFILTRATION โ
โ - Collected data sent via HTTP POST โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
๐ฏ Malicious Files Identified
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
Scan History for metamaskloginr.webflow.io
Found 3 other scans for this domain
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.