Phishing Analysis: Malta Airport

Visual Capture

Detection Info

https://signin.broker/BqHpjz7odUsi

Detected Brand

Malta Airport

Country

International

Confidence

100%

HTTP Status

200

Report ID

ba0353fd-af8…

Analyzed

2026-02-25 01:07

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T151D10F7160509D3B5293C6D4B3B56B4F3394C346EA87566A67F8C78C0EF3E26CC1A226
CONTENT ssdeep	96:nIpkCGTHRPyCdM+krwkMms39TbJG9KjsWsjO50U2gs0sjOMOVJQ6Q6ynQjNsjO9:9Pdfk8D9TbJG9afsOVJQyyQjB

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	9c497326cc99d966
VISUAL aHash	18001818191f0f9f
VISUAL dHash	7161313331727d38
VISUAL wHash	191818181f1f1fff
VISUAL colorHash	070000001c0
VISUAL cropResistant	7161313331727d38

Code Analysis

Risk Score 70/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Phishing
• Target: Users of Malta Airport
• Method: Impersonation and credential harvesting
• Exfil: Unknown, likely to a server controlled by the attacker.
• Indicators: Mismatched domain, login form.
• Risk: High

🎯 Kit Endpoints

https://login.microsoftonline.com/common/login#
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-958860566042&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-1359-21bc5137cc6d&protectedtoken=true&domain_hint=maltairport.com&nonce=627494533941.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=c2NvdHQudmVsbGFAbWFsdGFpcnBvcnQuY29t#
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-906446603811&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-5534-21bc5137cc6d&protectedtoken=true&domain_hint=maltairport.com&nonce=625425535081.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=c2NvdHQudmVsbGFAbWFsdGFpcnBvcnQuY29t#
https://passwordreset.microsoftonline.com/?ru=https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000001-0000-cff1-ce00-291207778305&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=d98292e6-fa3f-ce32-4744-21bc5137cc6d&protectedtoken=true&domain_hint=maltairport.com&nonce=700266250022.ec82d3ed-b372-7cd6-3e42-fcfc13352e79&state=c2NvdHQudmVsbGFAbWFsdGFpcnBvcnQuY29t#

📊 Risk Score Breakdown

Total Risk Score

95/100

Contributing Factors

Domain Mismatch

The domain signin.broker is not related to Malta Airport

Impersonation

The site mimics the login page of a legitimate brand.

Requests Sensitive Information

The page is requesting an email address to login.

🔬 Comprehensive Threat Analysis

Threat Type

Two-Factor Authentication Stealer

Target

Malta Airport users (International)

Attack Method

Brand impersonation

Exfiltration Channel

Form submission (backend endpoint not detected - likely JavaScript-based)

Risk Assessment

HIGH - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Personal Info

🏢 Brand Impersonation Analysis

Impersonated Brand

Malta Airport

Official Website

maltairport.com

Fake Service

Login

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attacker is attempting to steal user credentials by creating a fake login page that mimics the Malta Airport login and uses a deceptive domain to trick users into entering their login credentials.