Detailed analysis of captured phishing page
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T190A42ADD72D9B0A91B97B234D03F610AB27B2D81784CC410D666E9C53C7984ED273FAA |
|
CONTENT
ssdeep
|
6144:Fh+RstexlJWqdAVAp3YIeKwstexlJWqdAVAp3YIeKO:mst5IeNst5Ie1 |
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
d5351a3a2a2f4d55 |
|
VISUAL
aHash
|
00fffafbffffffff |
|
VISUAL
dHash
|
df10261600000001 |
|
VISUAL
wHash
|
00c6d2fbffff0000 |
|
VISUAL
colorHash
|
070000001c0 |
|
VISUAL
cropResistant
|
1b18160200000201,3f3ff3f3ef69ffff |
• Amenaza: Phishing
• Objetivo: Clientes de CSS
• Método: Suplantación de identidad y recopilación de PII
• Exfil: ./lx/send_date.php
• Indicadores: Discordancia de dominio, solicitud de PII, ofuscación.
• Riesgo: Alto
The attacker is trying to collect date of birth information, possibly for account takeover or other attacks.
The site mimics the appearance of CSS to deceive users.
User fills <input name=username> → submitForm() → fetch(http://atom-moustiques.com/ch/ui/app/auth/flow/mycss-login/ext/geburtsdatum_files/ruxitagentjs_ICA2NVfgjqru_10281231207105659.js) → credentials sent to endpoint
User fills <input name=username> → submitForm() → fetch(http://atom-moustiques.com/ch/ui/app/auth/flow/mycss-login/ext/geburtsdatum_files/ruxitagentjs_ICA2NVfgjqru_10281231207105659.js) → credentials sent to endpoint
ruxitagentjs_ICA2NVfgjqru_10281231207105659.jssendDatasubmitFormPages with identical visual appearance (based on perceptual hash)
Found 10 other scans for this domain