Detailed analysis of captured phishing page
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1FAC163359461AE37548791D5EBF2A31FA6A18349C3271E0563F483AEAFC6F59CC13086 |
|
CONTENT
ssdeep
|
48:xNpQbqwBOjzTCsRHgWTiS04YsN1i204mNCRfFQmc7IKfi60CbOz+wt89V3Lz74p+:xs89HdTiSD3N1i2Dt5c+wxfpHjz9 |
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
e4ec4b1bb03666e1 |
|
VISUAL
aHash
|
fffff7d7ff000000 |
|
VISUAL
dHash
|
2d1227253642d4d4 |
|
VISUAL
wHash
|
fffbd3d7d7000000 |
|
VISUAL
colorHash
|
060020001c0 |
|
VISUAL
cropResistant
|
2f20022725b5344b,083032100994c201,922a9696b6b69292,107068c4d4d4d4c0 |
• Threat: Potential phishing site impersonating imToken
• Target: imToken users worldwide
• Method: Misleading users to download a potentially malicious app
• Exfil: No direct exfiltration detected, but risk of malware
• Indicators: Domain mismatch, recent domain registration, no forms visible
• Risk: HIGH - Potential for malware distribution
The phishing kit is designed to capture user credentials by presenting a fake login interface that mimics the imToken wallet. Submitted credentials are likely transmitted to an attacker-controlled server in real-time.
The kit includes functionality to intercept one-time passwords (OTPs), which are often used as a secondary authentication factor. This allows attackers to bypass 2FA protections and gain unauthorized access to victim accounts.
JavaScript file potentially used for generating or manipulating QR codes to facilitate credential harvesting.
Pages with identical visual appearance (based on perceptual hash)