Detailed analysis of captured phishing page
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
| CONTENT TLSH | T1E5E229B49230D335B1C247E8DA6425287A5FE1DDD7C695B4E388AF11B0D6CE8D9260CF |
| CONTENT ssdeep | 384:4r/aJcuv/xRvRhiXkdvNTDhPhLxeAxeDWNW1Tp34PxeeJEmuW3AsUIRWUMd:4r/aJcuv/JhhPhleMeDGCSPxeeWmHLW |
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
| VISUAL pHash | c73338cc783e694c |
| VISUAL aHash | 006660307078b690 |
| VISUAL dHash | 4ccccac3e5e46431 |
| VISUAL wHash | a0666630787ebf98 |
| VISUAL colorHash | 38206000000 |
| VISUAL cropResistant | 85858a88da9a78fa,100c323232320810,4ccccac3e5e46431 |
• Threat: Phishing
• Target: Users interested in crypto and Donald Trump
• Method: Impersonation via a fake casino
• Exfil: wss://gambler-work.com/api/ws (potentially credentials and other data)
• Indicators: Use of Trump's image, offers a 'Free Reward', registration form
• Risk: HIGH
The site uses a registration form to collect the user's email and password. The harvested data can be used to compromise accounts on other services, possibly to redirect users to malware downloads once a user's account has been compromised.
User fills <input name=email> → signalsFBEventsExtractFromInputs() → fetch('https://spinmaga.live/api/exfiltrate') → Data sent to external server
Identifiers observed: signalsFBEventsExtractFromInputs.js, signalsFBEventsExtractFromInputs, signalsFBEventsExtractEventPayload, 644576191807769
Pages with identical visual appearance (based on perceptual hash)