SafeMode - Analysis: dkbing-banking.91-218-65-223.plesk.page

Captura Visual

Screenshot of dkbing-banking.91-218-65-223.plesk.page

Información de Detección

https://dkbing-banking.91-218-65-223.plesk.page/

Detected Brand

Plesk

Country

International

Confianza

100%

HTTP Status

200

Report ID

920d4e12-6d3…

Analyzed

2026-02-26 00:50

Final URL (after redirects)

https://dkbing-banking.91-218-65-223.plesk.page/login_up.php

Hashes de Contenido (Similitud HTML)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1AF92B6F2548CE57627039FD0F466BB15B39B65BEEB820700C26C83985FE7ED1D44988A
CONTENT ssdeep	384:KLJjYp8pe78xe8ITjKkrVjg1rTj3rrn1NWEGWPZ+gEbDP5p3OECCefdRhqHe1:KLJjW8pe78xe8I32f1BoZOCadRhqHe1

Hashes Visuales (Similitud de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	cc662799319933b9
VISUAL aHash	0010001818181818
VISUAL dHash	726224b2b2b2b2b2
VISUAL wHash	0010181818181c1c
VISUAL colorHash	07007000080
VISUAL cropResistant	92a280b233a08e9e,726224b2b2b2b2b2

Análisis de Código

Risk Score 85/100

Nivel de Amenaza ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Amenaza: Phishing
• Objetivo: Usuarios de Plesk
• Método: Suplantación de identidad a través de una página de inicio de sesión falsa.
• Exfil: Desconocido, probablemente para capturar credenciales de inicio de sesión.
• Indicadores: Discordancia de dominio, JavaScript ofuscado, envío de formulario.
• Riesgo: ALTO

🔒 Obfuscation Detected

atob
eval
fromCharCode
unescape
document.write
hex_escape
unicode_escape
base64_strings

🎯 Kit Endpoints

https://github.com/login/oauth/authorize?client_id=1c4da8e2ca643e96ea17&redirect_uri=https%3A%2F%2Fid.plesk.com%2Fredirect%2Fgithub-sign-in.html&scope=user%3Aemail&state=ph%2FGSgODM2KSSO27Qdb28STvRhgMTS36Fmb5M8dA%7Credirect-plesk%3Dhttps%253A%252F%252Fdkbing-banking.91-218-65-223.plesk.page%252Fmodules%252Fsocial-login%252Fpublic%252Flogin.php%253Fprovider%253Dgithub
${(0,m.default)(`/admin/report/download/file/${encodeURIComponent(n.file)}`)}
https://support.plesk.com/hc/en-us/articles/12377667582743-How-to-log-in-to-Plesk-
log-in
/modules/social-login/public/webauthn.js?1.10.5&18.0.76-1
/login_up.php?modals[cookie-policy-preferences]=true
/logout.php

📡 API Calls Detected

/admin/copilot/gen-answer
GET
/admin/copilot/stat
/modules/notifier/index.php/notifications

📊 Desglose de Puntuación de Riesgo

Total Risk Score

90/100

Contributing Factors

Suspicious Domain

The domain is not related to the brand.

Obfuscated JavaScript

Code obfuscation is a common technique used to hide malicious code.

Requests Credentials

The website asks for login credentials in a suspicious context.

🔬 Análisis Integral de Amenazas

Tipo de Amenaza

Banking Credential Harvester

Objetivo

Plesk users (International)

Método de Ataque

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Canal de Exfiltración

Form submission (backend endpoint not detected - likely JavaScript-based)

Evaluación de Riesgo

CRITICAL - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Banking, Personal Info
105 obfuscation techniques

🏢 Análisis de Suplantación de Marca

Impersonated Brand

Plesk and Living Bots

Official Website

null

Fake Service

Plesk Login

⚔️ Metodología de Ataque

Primary Method: Credential Harvesting

The attacker attempts to steal user credentials by creating a fake login page that mimics the look and feel of the target service (Plesk). Users are tricked into entering their login details, which are then harvested by the attacker.