Detailed analysis of captured phishing page
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
| CONTENT TLSH | T16CE229B4A230D735B1C247E8DA6429287A5FE1DDD7C695B4E388AF11B0D6CE8D8250CB |
| CONTENT ssdeep | 384:4r/aJcuvnQRvRhiXkdvNTDhPhLxeAxeDWNW1Tp34PxeeJEmuW3As0yRW8Md:4r/aJcuvnghhPhleMeDGCSPxeeWmHxW |
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
| VISUAL pHash | c73338cc783e694c |
| VISUAL aHash | 006660307078b690 |
| VISUAL dHash | 4ccccac3e5e46431 |
| VISUAL wHash | a0666630787ebf98 |
| VISUAL colorHash | 38206000000 |
| VISUAL cropResistant | 85858a88da9a78fa,100c323232320810,4ccccac3e5e46431 |
• Threat: Phishing
• Target: Unsuspecting users
• Method: Impersonation and Reward Scam
• Exfil: wss://gambler-work.com/api/ws
• Indicators: Recent domain, domain unrelated to the brand, use of brand name, JavaScript obfuscation, form submission.
• Risk: High
The attacker impersonates a casino, using Donald Trump's name to build a deceptive reward campaign. The goal is to trick the user into registering and submitting sensitive information such as an email address and password in order to access the promised rewards.
The website leverages the image of Donald Trump and the lure of "free rewards" to gain trust and deceive victims.
User fills <input name=email> → signalsFBEventsExtractFromInputs() → fetch('https://trumpcasino.us/api/exfiltrate') → User data sent
signalsFBEventsExtractFromInputs.js, signalsFBEventsExtractFromInputs, signalsFBEventsExtractEventPayload, 1925131974751650
Pages with identical visual appearance (based on perceptual hash)