Visual Capture

Screenshot of webprotalapp.ghost.io

Detection Information

https://webprotalapp.ghost.io/ledgelive-begin/
Detected Brand
Ledger
Country
International
Confidence
100%
HTTP Status
200
Report ID
e434c328-4ec…
Analyzed
2026-01-26 05:43

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm        Hash Value
CONTENT TLSH     T159A2B337A7406B3D4B62039DBA67278EB367518DE6CE09D0E2FDC23E1291D91C536C92
CONTENT ssdeep   384:6SiYnE93lKOAiEGbGb2T/35UKgx6mf6JYs2KWlhSD9jAmfCG:6SiYEhv/viKgqKwA8t

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm              Hash Value
VISUAL pHash           b0da42cacacece9a
VISUAL aHash           fdc7c7c7c7c3c7c7
VISUAL dHash           491c1e0e1e0e0e0e
VISUAL wHash           a1c7c3c3c3c3c3c3
VISUAL colorHash       07000000007
VISUAL cropResistant   491c1e0e1e0e0e0e

Code Analysis

Risk Score 76/100
Threat Level HIGH
⚠️ Phishing Confirmed
🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Phishing page impersonating Ledger
• Target: Ledger cryptocurrency wallet users
• Method: Fake Ledger Live download page
• Exfil: Possible data collection through the subscription form
• Indicators: Mismatched domain, free hosting, obfuscated JavaScript
• Risk: HIGH - Possible malware distribution or credential theft

🔒 Obfuscation Detected

  • fromCharCode
  • base64_strings

📡 API Calls Detected

  • POST
  • https://ghost.org

📊 Risk Score Breakdown

Total Risk Score
100/100

Contributing Factors

Active Phishing Kit
Detected multiple phishing kit types: Credential Harvester, OTP Stealer, Card Stealer, and Banking kits.
High Obfuscation
20 obfuscation techniques detected, indicating deliberate evasion of detection.
Brand Impersonation
Targeting Ledger, a high-value cryptocurrency hardware wallet brand, increasing likelihood of successful compromise.
Malicious JavaScript Files
Presence of suspicious JavaScript files (cards.min.js, member-attribution.min.js, ghost-stats.min.js) with potential malicious functionality.

🔬 Comprehensive Threat Analysis

Threat Type
Banking Credential Harvester
Target
Ledger users (International)
Attack Method
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Exfiltration Channel
Unknown
Risk Assessment
HIGH - Automated credential harvesting; exfiltration channel unknown

⚠️ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
  • 20 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand
Ledger
Official Website
https://www.ledger.com
Fake Service
Ledger wallet verification or account recovery

⚔️ Attack Methodology

Primary Method: Crypto Wallet Credential Harvesting

The phishing kit impersonates Ledger's official portal to trick users into entering their wallet recovery phrases or private keys. The Credential Harvester component captures input in real-time and transmits it to an attacker-controlled server.

Secondary Method: OTP and Card Data Theft

The OTP Stealer and Card Stealer components are designed to intercept one-time passwords and credit card details, likely targeting users who may link payment methods to their crypto wallets for purchases or withdrawals.

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain
webprotalapp.ghost.io
Registered
2011-10-01 23:06:09+00:00
Registrar
1API GmbH
Status
Active (5230 days old)

🦠 Malicious Files

Main File
File Size

Contains obfuscated code with potential credential harvesting or data exfiltration functionality.

📊 Attack Flow Diagram

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL ACCESS                                        │
│    - Victim directed to fake crypto wallet site          │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE AUTHENTICATION                                   │
│    - Spoofed login interface presented                   │
│    - User prompted for wallet credentials                │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL CAPTURE                                    │
│    - User input collected via web form                   │
│    - Data temporarily stored client-side                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA TRANSMISSION                                     │
│    - Stolen credentials sent via HTTP POST               │
│    - Standard form submission to attacker server         │
└──────────────────────────────────────────────────────────┘
```

🔬 JavaScript Deep Analysis

Operator Language
English (1%)
Total Code Size
100.0 KB

🔗 API Endpoints Detected

Other
4

🔐 Obfuscation Detected

  • : None
  • : None
  • : Light
  • : Light

🤖 AI-Extracted Threat Intelligence

🎯 Malicious Files Identified
