SafeMode - Analysis: metamaskloginr.webflow.io

Visual Capture

Detection Info

http://metamaskloginr.webflow.io/

Detected Brand

MetaMask

Country

Unknown

Confidence

100%

HTTP Status

200

Report ID

d5a68921-107…

Analyzed

2026-01-25 18:19

Final URL (after redirects)

https://metamaskloginr.webflow.io/

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1344155637602B42D7B1656F8D510B2ECC04243AECE50F884D9C089DD968ECCA5442BAE
CONTENT ssdeep	48:/WmfDhv5Qx/q0LkYX0Tl0n0w4Uzeu531hDEf6:ThiNL+Tq0mr5llEf6

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	af2de0c90d2c2f0f
VISUAL aHash	bbff03133f83ffff
VISUAL dHash	528c6e6664232300
VISUAL wHash	03e303033381fffe
VISUAL colorHash	07c000000c0
VISUAL cropResistant	528c6e6664232300

Code Analysis

Risk Score 100/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 Personal Info

🔒 Obfuscation Detected

atob
fromCharCode
base64_strings

🎯 Kit Endpoints

https://metamaskloginr.webflow.io/

📡 API Calls Detected

https://www.google.com/ccm/geo
POST

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected Credential Harvester and Personal Info kit types, indicating a fully functional phishing toolkit designed to steal sensitive user data.

Brand Impersonation

Domain 'metamaskloginr.webflow.io' impersonates MetaMask, a high-value cryptocurrency wallet target, increasing the likelihood of successful deception.

Obfuscation Techniques

34 obfuscation techniques detected in JavaScript code, indicating deliberate efforts to evade detection and analysis by security tools.

Malicious JavaScript

Presence of a JavaScript file ('webflow.f0a5689e5.js') with obfuscation, suggesting hidden malicious functionality such as form interception or data exfiltration.

Lack of Detection Evasion

No Telegram bots, Discord webhooks, or WebSocket URLs detected, reducing immediate exfiltration capabilities but not eliminating the threat.

🔬 Comprehensive Threat Analysis

Threat Type

Credential Theft (Fake MetaMask Login)

Target

MetaMask users (International)

Exfiltration Channel

N/A (Landing page - no direct data collection)

🏢 Brand Impersonation Analysis

Impersonated Brand

MetaMask

Official Website

https://metamask.io/

Fake Service

Fake MetaMask wallet login and account recovery portal

⚔️ Attack Methodology

Primary Method: Wallet Connection Hijacking

The phishing kit impersonates MetaMask's login interface to trick users into connecting their cryptocurrency wallets. Once connected, the kit can harvest wallet credentials, private keys, or seed phrases, enabling unauthorized access to the victim's funds.

Secondary Method: Personal Information Harvesting

In addition to wallet credentials, the kit includes forms designed to collect personal information such as email addresses, phone numbers, or recovery phrases, which can be used for further social engineering attacks or identity theft.

Target Blockchain

Ethereum