
Visual Capture

Screenshot of mez.ink

Detection Info

https://mez.ink/attservicehomeredirect
Detected Brand: AT&T / Yahoo
Country: USA
Confidence: 100%
HTTP Status: 200
Report ID: d1d5bf62-37f…
Analyzed: 2026-02-17 10:50

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T1562229F3628820BA7103F7C8B619771CF113696CFB51C6A4DBB74BA1765AD6CD01288B
CONTENT ssdeep
192:7R+XnBMtVYFma9eJTeXV2rHQJHJClVAVTVvvOrtkSEG1bRvkX4zIzFz4PqtfYpmx:7RiBMtVIeJTeXV2rQJpClVAVTVvvOrt4

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots


Code Analysis

Risk Score 100/100
Threat Level HIGH
Phishing Confirmed
Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
Firebase Backend

Threat Analysis Report

  • Threat: Credential Phishing
  • Target: AT&T / Yahoo users
  • Method: Impersonation and Urgency
  • Exfil: Firebase endpoint (likely).
  • Indicators: Domain mismatch, call to action, hosted on mez.ink.
  • Risk: HIGH

Obfuscation Detected

  • atob
  • eval
  • fromCharCode
  • unescape
  • unicode_escape
  • base64_strings

Kit Endpoints


API Calls Detected


Cloud Backend

  • Firebase: super-3e9a1.firebaseapp.com

Risk Score Breakdown

Total Risk Score: 90/100

Contributing Factors

Domain Mismatch: The domain mez.ink does not match the target brand.
Obfuscation: JavaScript is obfuscated.
Brand Impersonation: The page impersonates AT&T / Yahoo to collect user credentials.
Request for sensitive data: The page tries to trick users into logging in, likely to steal credentials.

Comprehensive Threat Analysis

Threat Type: Banking Credential Harvester
Target: AT&T / Yahoo users (USA)
Attack Method: Brand impersonation + obfuscated JavaScript
Exfiltration Channel: Firebase Database
Risk Assessment: CRITICAL - Automated credential harvesting with Firebase Database

Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
  • 1424 obfuscation techniques

Brand Impersonation Analysis

Impersonated Brand: AT&T
Official Website: att.com, yahoo.com
Fake Service: AT&T / Yahoo account login

Fraudulent Claims

Attack Methodology

Primary Method: Credential Harvesting Phishing

The attacker uses a look-alike page on a non-AT&T/Yahoo domain to lure users into submitting their credentials. The lure creates urgency through messaging about required account updates.

Secondary Method: Social Engineering

The page uses social engineering techniques, such as making it appear that the user needs to update their account, to get them to submit their credentials.

Infrastructure Indicators of Compromise

Malicious Files

Main File
polyfills-42372ed130431b0a.js
File Size

JavaScript Deep Analysis

Operator Language
English (1%)
Total Code Size
2.5 MB

API Endpoints Detected

Other
34
Firebase
1

Obfuscation Detected

  • : Moderate
  • : None
  • : Light
  • : Heavy
  • : Moderate
  • : Heavy
  • : Heavy
  • : Light
  • : Light
  • : Light
  • : Moderate
  • : Light
  • : Light
  • : Light
  • : None
  • : None
  • : Light
  • : None
  • : Light
  • : Light

AI-Extracted Threat Intelligence

Malicious Files Identified

Main Drainer
polyfills-42372ed130431b0a.js
File Size
2546KB

Similar Websites

Pages with identical visual appearance (based on perceptual hash)
