Phishing Analysis
Detailed analysis of captured phishing page
Captura Visual
No screenshot available
Información de Detección
https://www.victory88-maxwin.com/support/login.php
Detected Brand
Unknown
Country
Unknown
Confianza
81%
HTTP Status
200
Report ID
ca64d6ef-722…
Analyzed
2026-01-29 00:00
Hashes de Contenido (Similitud HTML)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1A301D0120001ECB2C5A1F5B09391990116D6C724CB971800A7FCD7ED3AF5CADCD875A9 |
|
CONTENT
ssdeep
|
12:nwMy7F8L1PZLEIzicYuPKH833YPKHPf35cElBcjGuuRStGuaHWgTK5V5XKkgFp1F:n/CcVZLvzFJvxcElB4oS723F/N |
Hashes Visuales (Similitud de Captura)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
888c6c7367367a33 |
|
VISUAL
aHash
|
10391c3e7c581c01 |
|
VISUAL
dHash
|
e57370f4d9b9e8b1 |
|
VISUAL
wHash
|
103d3f3e7c783c41 |
|
VISUAL
colorHash
|
06e00000040 |
|
VISUAL
cropResistant
|
637360d491b1e8b1,999323ab2bf868e8,8ebc94d9786689d0,e57370f4d9b9e8b1,c3c3e56522f153ca |
Análisis de Código
Risk Score
81/100
🎣 Credential Harvester
Telegram Exfiltration
🔐 Credential Harvesting Forms
🔒 Obfuscation Detected
- fromCharCode
- unicode_escape
📡 API Calls Detected
- POST
📤 Form Action Targets
- post.php
🔑 Telegram Bot Tokens (1)
- 8260266630:AAGQ...4p_5uJ5M
📊 Desglose de Puntuación de Riesgo
Total Risk Score
81/100
Contributing Factors
🔬 Análisis Integral de Amenazas
Tipo de Amenaza
Credential Harvesting Kit
Objetivo
General public
Método de Ataque
credential harvesting forms + obfuscated JavaScript
Canal de Exfiltración
Telegram Bot (8260266630:AAGQAl_hh...) + HTTP POST to backend
Evaluación de Riesgo
CRITICAL - Automated credential harvesting with Telegram Bot (8260266630:AAGQAl_hh...) + HTTP POST to backend
⚠️ Indicators of Compromise
- 1 Telegram bot token(s)
- Kit types: credential_harvester
- 84 obfuscation techniques
🏢 Análisis de Suplantación de Marca
Impersonated Brand
Generic Phishing
Official Website
N/A
Fake Service
Account login portal
⚔️ Metodología de Ataque
Primary Method: Credential Harvesting
Victim enters username and password into fake login form. Credentials are captured via JavaScript and exfiltrated to attacker's server in real-time.
Secondary Method: JavaScript Obfuscation
Malicious code is obfuscated using 84 techniques to evade detection by security scanners and make reverse engineering more difficult.
📡 Infraestructura de Comando y Control Telegram
Bot Token (Masked)
8260266630:AAGQ...4p_5uJ5M
Bot ID
8260266630
Group/Chat ID
Unknown
Operator Language
Unknown
💬 Message Templates (3)
| ID | Portugués | Inglés | Trigger |
|---|---|---|---|
🌐 Indicadores de Compromiso de Infraestructura
Domain Information
Dominio
www.victory88-maxwin.com
Registered
2025-02-20 03:38:31+00:00
Registrar
NameCheap, Inc.
Estado
Active (342 days old)
Hosting Information
Provider
Namecheap
ASN
📊 Diagrama de Flujo de Ataque
```
┌─────────────────────────────────────────────────────────────────┐
│ VICTIM VISITS PHISHING PAGE │
│ (Fake login, verification, support page) │
└─────────────────────────┬───────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ VICTIM ENTERS CREDENTIALS (Form 1) │
│ │
│ - Email/Username │
│ - Password │
│ - 2FA code (if requested) │
│ - Seed phrase (if crypto-related) │
└─────────────────────────┬───────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ FORM SUBMISSION (JavaScript POST) │
│ │
│ Credentials sent to: │
│ → Telegram bot (real-time notification) │
└─────────────────────────┬───────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 🔔 TELEGRAM NOTIFICATION (Attacker alerted) │
│ │
│ Message contains: │
│ - Victim's email/username │
│ - Password │
│ - IP address │
│ - User agent │
└─────────────────────────┬───────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ VICTIM SEES FAKE ERROR / REDIRECT │
│ │
│ - "Incorrect password, try again" │
│ - "Account locked, contact support" │
│ - Redirect to legitimate site │
└─────────────────────────┬───────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 🚨 CREDENTIALS STOLEN │
│ │
│ Attacker can now: │
│ - Access victim's account │
│ - Bypass 2FA (if captured) │
│ - Steal funds (if crypto seed phrase) │
└─────────────────────────────────────────────────────────────────┘
```
🔬 JavaScript Deep Analysis
Operator Language
English (1%)
Total Code Size
379,6 KB
🔗 API Endpoints Detected
Other
7
🔐 Obfuscation Detected
- : Moderate
- : Light
🤖 AI-Extracted Threat Intelligence
📊 Attack Flow
```
┌─────────────────────────────────────────────────────────────────┐
│ VICTIM VISITS PHISHING PAGE │
│ (Fake login, verification, support page) │
└─────────────────────────┬───────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ VICTIM ENTERS CREDENTIALS (Form 1) │
│ │
│ - Email/Username │
│ - Password │
│ - 2FA code (if requested) │
│ - Seed phrase (if crypto-related) │
└─────────────────────────┬───────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ FORM SUBMISSION (JavaScript POST) │
│ │
│ Credentials sent to: │
│ → Telegram bot (real-time notification) │
└─────────────────────────┬───────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 🔔 TELEGRAM NOTIFICATION (Attacker alerted) │
│ │
│ Message contains: │
│ - Victim's email/username │
│ - Password │
│ - IP address │
│ - User agent │
└─────────────────────────┬───────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ VICTIM SEES FAKE ERROR / REDIRECT │
│ │
│ - "Incorrect password, try again" │
│ - "Account locked, contact support" │
│ - Redirect to legitimate site │
└─────────────────────────┬───────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 🚨 CREDENTIALS STOLEN │
│ │
│ Attacker can now: │
│ - Access victim's account │
│ - Bypass 2FA (if captured) │
│ - Steal funds (if crypto seed phrase) │
└─────────────────────────────────────────────────────────────────┘
```
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
Scan History for www.victory88-maxwin.com
Found 1 other scan for this domain
"Nunca pensé que me pasaría a mí"
Esto dicen las 2.3 millones de víctimas cada año. No esperes a ser una estadística.