
Visual Capture

Screenshot of xenluck.com

Detection Information

https://xenluck.com/
Detected Brand
Plinko Originals (Gambling Platform)
Country
International
Confidence
100%
HTTP Status
200
Report ID
ea6297b3-ff2…
Analyzed
2026-02-08 18:40

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm: Hash Value
CONTENT TLSH: T176E22AB49230D335B1C24BE8DA6425287A5FE1DCD3C695B4E388AF51B0D6CE8D9260CF
CONTENT ssdeep: 384:4rAneuATQRhiXkdvNTDhPhLxeAxeDWNW1Tp34PxeeJEmuW3AskmRWcMd:4rAneu5hhPhleMeDGCSPxeeWmHhW

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm: Hash Value
VISUAL pHash: c0703d9f4fbc6849
VISUAL aHash: 8066e0e070fe7e20
VISUAL dHash: 3ccc8aabcbccecc1
VISUAL wHash: 8066e66078fe7f60
VISUAL colorHash: 30000000038
VISUAL cropResistant: 3ccc8aabcbccecc1

Code Analysis

Risk Score 100/100
Threat Level HIGH
⚠️ Phishing Confirmed
🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info
WebSocket C2

🔬 Threat Analysis Report

• Threat: Phishing attack
• Target: Plinko Originals users
• Method: Credential collection through a fake registration form.
• Exfil: wss://gambler-work.com/api/ws
• Indicators: Domain age, obfuscation, registration form.
• Risk: High

🔒 Obfuscation Detected

  • atob
  • eval
  • fromCharCode
  • unescape
  • base64_strings

🎯 Kit Endpoints


📡 API Calls Detected

  • GET
  • POST

📊 Risk Score Breakdown

Total Risk Score
90/100

Contributing Factors

Domain Age
Domain age is recent (92 days), making it more likely to be malicious.
JavaScript Obfuscation
Obfuscated code indicates an attempt to hide malicious intent.
Registration Form
Requesting email and password is a strong indicator of credential harvesting.
Impersonation
Attempting to impersonate a legitimate service is a high-risk activity.

🔬 Comprehensive Threat Analysis

Threat Type
Banking Credential Harvester
Target
Plinko Originals (Gambling Platform) users (International)
Attack Method
Brand impersonation + real-time WebSocket exfiltration + obfuscated JavaScript
Exfiltration Channel
WebSocket (1 endpoint)
Risk Assessment
CRITICAL - Automated credential harvesting with WebSocket (1 endpoint)

⚠️ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
  • 147 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand
Plinko Originals
Fake Service
Gambling registration

Fraudulent Claims

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The site uses a fake registration form to collect user email and password credentials, likely to be used for account takeover or sold on the dark web. The site is related to gambling.

Secondary Method: JavaScript Obfuscation

JavaScript is obfuscated to hide malicious behavior from basic analysis, likely to exfiltrate data, bypass security tools, or redirect to a malicious site. The obfuscation uses atob, eval, and fromCharCode.

🌐 Infrastructure Indicators of Compromise

🦠 Malicious Files

Main File
fbevents.js
File Size

🔬 JavaScript Deep Analysis

Operator Language
English (1%)
Sophistication Level
Basic
Total Code Size
1017.1 KB

🔗 API Endpoints Detected

Other
25
Backend API
1
WebSocket (Real-time)
1

🔐 Obfuscation Detected


🤖 AI-Extracted Threat Intelligence

🎯 Malicious Files Identified

Main Drainer
fbevents.js
File Size
1018KB