Phishing Analysis: EE (BT)

Visual Capture

Screenshot of www.site-z09d9cvco.godaddysites.com

Detection Info

http://www.site-z09d9cvco.godaddysites.com/

Detected Brand

EE (BT)

Country

UK

Confidence

100%

HTTP Status

200

Report ID

c4a7191c-2c6…

Analyzed

2026-02-01 12:02

Final URL (after redirects)

https://site-z09d9cvco.godaddysites.com/

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1F142334222082956C2B3489D95107684B387DB4FC961877096BC5E3F1FE2EA1A7A1F3F
CONTENT ssdeep	192:zQepY2ORHjb11jvCOsFbGBVtPCZw7yBNQ6VyNU4JXHwdBCWvojHcGhjwZB3+koQs:Y2ORldiy3XpOtRb8XhR

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	d2a5528dad5aad52
VISUAL aHash	e7e7e7fffffcfcfc
VISUAL dHash	0d0c4d0008000808
VISUAL wHash	00e7e7ff03000000
VISUAL colorHash	070000001c0
VISUAL cropResistant	0d0c4d0008000808,a280a28c8c8a80aa,454a25eacaa45045,c9c8b4b090a08e88

Code Analysis

Risk Score 100/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Phishing
• Target: EE customers
• Method: Impersonation through a fake update page.
• Exfil: Unknown, likely leads to a credential harvesting site.
• Indicators: Free hosting, brand logo, call to action
• Risk: HIGH

🔒 Obfuscation Detected

fromCharCode
unicode_escape

📊 Risk Score Breakdown

Total Risk Score

90/100

Contributing Factors

Free Hosting

The domain is hosted on a free platform, indicating a high risk.

Brand Impersonation

The site uses the EE brand logo without being the official website, suggesting an attempt to deceive users.

Suspicious call to action

The prompt to 'update now' is a common phishing tactic

🔬 Comprehensive Threat Analysis

Threat Type

Banking Credential Harvester

Target

EE (BT) users (UK)

Attack Method

Brand impersonation + obfuscated JavaScript

Exfiltration Channel

Form submission (backend endpoint not detected - likely JavaScript-based)

Risk Assessment

CRITICAL - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Banking, Personal Info
12 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

EE (BT)

Official Website

null

Fake Service

EE Broadband

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attacker aims to steal user credentials by mimicking a legitimate website and directing users to enter their login details on a fake form, likely after clicking the call to action.