Detailed analysis of captured phishing page
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1FAC163359461AE37548791D5EBF2A31FA6A18349C3271E0563F483AEAFC6F59CC13086 |
|
CONTENT
ssdeep
|
48:xNpQbqwBOjzTCsRHgWTiS04YsN1i204mNCRfFQmc7IKfi60CbOz+wt89V3Lz74p+:xs89HdTiSD3N1i2Dt5c+wxfpHjz9 |
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
e4ec4b1bb03666e1 |
|
VISUAL
aHash
|
fffff7d7ff000000 |
|
VISUAL
dHash
|
2d1227253642d4d4 |
|
VISUAL
wHash
|
fffbd3d7d7000000 |
|
VISUAL
colorHash
|
060020001c0 |
|
VISUAL
cropResistant
|
2f20022725b5344b,083032100994c201,922a9696b6b69292,107068c4d4d4d4c0 |
• Amenaza: Posible sitio de phishing que suplanta a imToken
• Objetivo: Usuarios de imToken en todo el mundo
• Método: Engañar a los usuarios para que descarguen una aplicación potencialmente maliciosa
• Exfil: No se detectó exfiltración directa, pero hay riesgo de malware
• Indicadores: Dominio no coincidente, registro de dominio reciente, sin formularios visibles
• Riesgo: ALTO - Posibilidad de distribución de malware
The phishing kit is designed to capture user credentials by presenting a fake login interface that mimics the imToken wallet. Submitted credentials are likely transmitted to an attacker-controlled server in real-time.
The kit includes functionality to intercept one-time passwords (OTPs), which are often used as a secondary authentication factor. This allows attackers to bypass 2FA protections and gain unauthorized access to victim accounts.
JavaScript file potentially used for generating or manipulating QR codes to facilitate credential harvesting.
Pages with identical visual appearance (based on perceptual hash)