Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
Detection Info
https://packages.soulservices.com/activeplala/sso.login/login2.php
Detected Brand
plala
Country
Japan
Confidence
100%
HTTP Status
200
Report ID
c97d7f8a-9d7β¦
Analyzed
2026-01-27 13:51
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1A1B1C01493412B0E64A591F6C3606FA843E28C2ED7321958985EE63F1CCD54EED6BBFC |
|
CONTENT
ssdeep
|
96:jN4CpfHSfo47lGCty5vk+7TSTre5b1/LhC5Sb3yJSLP0z3lKZVwcbwYxyCPoZz0F:jWUyUBWcb10KibALJxawD |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
969339389e9998dc |
|
VISUAL
aHash
|
1c243c3c3c000000 |
|
VISUAL
dHash
|
394d686865140000 |
|
VISUAL
wHash
|
1c243c3c3f030f0f |
|
VISUAL
colorHash
|
07050000400 |
|
VISUAL
cropResistant
|
394d686865140000 |
Code Analysis
Risk Score
82/100
Threat Level
ALTO
β οΈ Phishing Confirmed
π£ Credential Harvester
π£ Banking
π£ Personal Info
π¬ Threat Analysis Report
β’ Threat: Credential harvesting phishing kit targeting Plala users.
β’ Target: Plala customers in Japan.
β’ Method: Fake login form stealing user ID and password.
β’ Exfil: Data sent to cgi-binsso/pf/agent_sso.php.
β’ Indicators: Domain unrelated to brand, obfuscated JavaScript, multiple forms, form action points to a suspicious path.
β’ Risk: HIGH - Immediate credential theft.
π Credential Harvesting Forms
π Obfuscation Detected
- fromCharCode
- document.write
- hex_escape
- base64_strings
π€ Form Action Targets
- cgi-binsso/pf/agent_sso.php
π Risk Score Breakdown
Total Risk Score
100/100
Contributing Factors
Active Phishing Kit
Detected Credential Harvester kit with real-time form interception for user credentials.
High Obfuscation
130 obfuscation techniques detected, indicating deliberate evasion of analysis.
Brand Impersonation
Targeting 'plala', a known service provider, to harvest user credentials.
Form-Based Attack
3 forms detected, designed to capture sensitive user information (γ¦γΌγΆID, ζ¬γγΉγ―γΌγ).
π¬ Comprehensive Threat Analysis
Threat Type
Banking Credential Harvester
Target
plala users (Japan)
Attack Method
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Exfiltration Channel
HTTP POST to backend
Risk Assessment
CRITICAL - Automated credential harvesting with HTTP POST to backend
β οΈ Indicators of Compromise
- Kit types: Credential Harvester, Banking, Personal Info
- 130 obfuscation techniques
π’ Brand Impersonation Analysis
Impersonated Brand
plala
Official Website
https://www.plala.or.jp/
Fake Service
Single Sign-On (SSO) login portal
βοΈ Attack Methodology
Primary Method: Credential Harvesting
The phishing kit captures user credentials (γ¦γΌγΆID and ζ¬γγΉγ―γΌγ) via a fake login form. The data is likely transmitted to a backend server controlled by the attacker for immediate exploitation or sale on underground markets.
Secondary Method: Account Takeover
Once credentials are harvested, attackers can gain unauthorized access to the victim's 'plala' account, enabling further exploitation such as unauthorized transactions, data theft, or lateral movement within the victim's digital ecosystem.
π Infrastructure Indicators of Compromise
Domain Information
Domain
packages.soulservices.com
Registered
2003-05-24 15:02:47+00:00
Registrar
Web Commerce Communications Limited dba WebNic.cc
Status
Active (8283 days old)
π¦ Malicious Files
Main File
File Size
JavaScript file with high obfuscation, likely used for credential harvesting and form interception.
π Attack Flow Diagram
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 1. VICTIM RECEIVES PHISHING LINK β
β - Email/SMS with fake "PLALA" Banking alert β
ββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββ
β
βΌ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 2. FAKE LOGIN PAGE LOADED β
β - Spoofed PLALA Banking portal displayed β
ββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββ
β
βΌ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 3. CREDENTIAL INPUT β
β - Victim enters username/password β
β - Form appears identical to legitimate site β
ββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββ
β
βΌ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 4. DATA CAPTURED β
β - Credentials sent via HTTP POST to attacker server β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
π¬ JavaScript Deep Analysis
Total Code Size
105.0Β KB
π API Endpoints Detected
Other
1
π Obfuscation Detected
- : Moderate
- : None
- : None
π€ AI-Extracted Threat Intelligence
π Attack Flow
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 1. VICTIM RECEIVES PHISHING LINK β
β - Email/SMS with fake "PLALA" Banking alert β
ββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββ
β
βΌ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 2. FAKE LOGIN PAGE LOADED β
β - Spoofed PLALA Banking portal displayed β
ββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββ
β
βΌ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 3. CREDENTIAL INPUT β
β - Victim enters username/password β
β - Form appears identical to legitimate site β
ββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββ
β
βΌ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β 4. DATA CAPTURED β
β - Credentials sent via HTTP POST to attacker server β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
π― Malicious Files Identified
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
plala
https://candidtechnologies.co/master/upgrde/pla_bins/login2....
Feb 13, 2026
plala
https://azultienda.com.mx/upro/sso.login/login2.php
Feb 06, 2026
plala
https://hellofoody.xyz/login.plala/login2.php
Feb 04, 2026
plala
https://sdnancol01.sch.id/dwagg/sso.login/login2.php
Jan 28, 2026
Plala
https://sdnancol01.sch.id/dwagg/sso.login/login2.php
Jan 21, 2026
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.