EN ES PT

Phishing Analysis

Detailed analysis of captured phishing page

Back to Stats

Captura Visual

Screenshot of seguniao.pro

Informações de Detecção

https://seguniao.pro/inicio/01/?utm_source=google&utm_campaign=23546074452&utm_medium=194590480713&utm_content=796868565990&utm_term=::&keyword=&device=m&network=&gad_source=0&gad_campaignid=23546074452&gclid=Cj0KCQiA7rDMBhCjARIsAGDBuEBIxfFcbY--v0TQ58OBnFAjMdjEZcrvdpuUFJWM6de0XXRk1jYgA2kaAgK2EALw_wcB
Detected Brand
Nubank
Country
International
Confiança
100%
HTTP Status
200
Report ID
0887d6b0-9b1…
Analyzed
2026-02-12 00:44

Hashes de Conteúdo (Similaridade HTML)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T11C32DB7072901ABB91CBD2E1B275AB5B72C8CB4BCA57D701A3F983845FC7C92DD48254
CONTENT ssdeep
192:EZLLSPaLKGHnC/EDwsTwaocZ4J3u5uxTRWAwzDfS:aL6QHnCsDwwZITJRWAwzDq

Hashes Visuais (Similaridade de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
b3333333c9cc6664
VISUAL aHash
e7e7e7ffe7e7ffff
VISUAL dHash
4d4d4d124c4d120a
VISUAL wHash
0707272f07072f3f
VISUAL colorHash
07200000030
VISUAL cropResistant
4d4d4d124c4d120a,33f4d989f9e5cdd9

Análise de Código

Risk Score 76/100
Nível de Ameaça ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Ameaça: Phishing
• Alvo: Clientes Nubank
• Método: Impersonação
• Exfil: Desconhecido
• Indicadores: Correspondência de domínio, ofuscação, personificação da marca.
• Risco: Alto

🔒 Obfuscation Detected

  • fromCharCode
  • unicode_escape

🎯 Kit Endpoints

  • https://evilmartians.com/chronicles/postcss-8-plugin-migration`),m.env.LANG&&m.env.LANG.startsWith(
  • https://tailwindcss.com/docs/content-configuration#safelisting-classes
  • https://tailwindcss.com`}),...e.nodes])},container:(()=
  • https://tailwindcss.com/docs/content-configuration
  • https://mths.be/cssesc
  • https://tailwindcss.com/docs/content-configuration#discarding-classes
  • https://tailwindcss.com/docs/upgrade-guide#prefix-cannot-be-a-function
  • https://tailwindcss.com/docs/upgrade-guide#configure-content-sources
  • https://tailwindcss.com/docs/using-with-preprocessors#nesting
  • https://seguniao.pro/inicio/01/js/B7PYnCHDexx2.js
  • https://cdn.tailwindcss.com
  • https://tailwindcss.com/docs/upgrade-guide#remove-dark-mode-configuration
  • https://www.w3ctech.com/topic/2226`));let
  • https://tailwindcss.com/docs/content-configuration#pattern-recommendations
  • https://twitter.com/browserslist
  • https://tailwindcss.com/docs/upgrade-guide#replace-variants-with-layer
  • https://tailwindcss.com/docs/installation

📡 API Calls Detected

  • POST

📊 Detalhamento da Pontuação de Risco

Total Risk Score
90/100

Contributing Factors

Domain Mismatch
The domain is not related to the legitimate brand Nubank.
Brand Impersonation
The site uses Nubank's branding and layout.
Obfuscation
Javascript obfuscation detected, indicating malicious intent.

🔬 Análise Integral de Ameaças

Tipo de Ameaça
Banking Credential Harvester
Alvo
Nubank users (International)
Método de Ataque
Brand impersonation + obfuscated JavaScript
Canal de Exfiltração
Form submission (backend endpoint not detected - likely JavaScript-based)
Avaliação de Risco
HIGH - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Banking, Personal Info
  • 18 obfuscation techniques

🏢 Análise de Falsificação de Marca

Impersonated Brand
Nubank
Official Website
null
Fake Service
Personal Loan

Fraudulent Claims

⚔️ Metodologia de Ataque

Primary Method: Brand impersonation

The attacker creates a website that mimics the appearance of Nubank to deceive users into entering their credentials or other sensitive information.

🌐 Indicadores de Compromisso de Infraestrutura

🦠 Malicious Files

Main File
B7PYnCHDexx2.js
File Size

Functions: consultarCPF(), redirecionarParaChat(), processForm(), localStorage.setItem()

📊 Diagrama de Fluxo de Ataque

1. Step 1: User lands on page with UTM-tracked campaign links
2. Step 2: User clicks 'Ativar' or 'Simular' button to access CPF form
3. Step 3: User enters CPF (validated client-side only)
4. Step 4: User agrees to fake terms and conditions
5. Step 5: processForm() saves CPF to localStorage and calls consultarCPF()
6. Step 6: consultarCPF() sends CPF to '../../inicio/getData.php' via GET request
7. Step 7: Server responds with full personal data (name, mother's name, birth date, gender, CPF)
8. Step 8: Data is displayed to user to build trust and stored in localStorage
9. Step 9: User clicks 'Confirmar' to trigger redirecionarParaChat()
10. Step 10: User is redirected to '../../inicio/02' with original query parameters (including UTM and CPF)
11. Step 11: Subsequent pages likely harvest banking credentials or other sensitive information

🔬 JavaScript Deep Analysis

Operator Language
Portuguese (1%)
Total Code Size
410,7 KB

🔗 API Endpoints Detected

Other
5

🔐 Obfuscation Detected

  • : Moderate
  • : None

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

1. Step 1: User lands on page with UTM-tracked campaign links
2. Step 2: User clicks 'Ativar' or 'Simular' button to access CPF form
3. Step 3: User enters CPF (validated client-side only)
4. Step 4: User agrees to fake terms and conditions
5. Step 5: processForm() saves CPF to localStorage and calls consultarCPF()
6. Step 6: consultarCPF() sends CPF to '../../inicio/getData.php' via GET request
7. Step 7: Server responds with full personal data (name, mother's name, birth date, gender, CPF)
8. Step 8: Data is displayed to user to build trust and stored in localStorage
9. Step 9: User clicks 'Confirmar' to trigger redirecionarParaChat()
10. Step 10: User is redirected to '../../inicio/02' with original query parameters (including UTM and CPF)
11. Step 11: Subsequent pages likely harvest banking credentials or other sensitive information

🎯 Malicious Files Identified

Main Drainer
B7PYnCHDexx2.js
File Size
~15KB
Malicious Functions
  • consultarCPF()
  • redirecionarParaChat()
  • processForm()
  • localStorage.setItem()

Similar Websites

Pages with identical visual appearance (based on perceptual hash)

Screenshot
Nubank
https://atendimento.portal-seucredito.com/
Jun 25, 2026
 Screenshot
Nubank
https://emprestimo-nu.com/inicio/01/
Fev 18, 2026
 Screenshot
Nubank
https://emprestimoliberado.com/inicio/01/
Fev 13, 2026
 Screenshot
Nubank
https://emprestimoliberado.com/aa/inicio/01/
Fev 12, 2026
 Screenshot
Nubank
https://nuudin.site/1/
Fev 12, 2026

Scan History for seguniao.pro

Found 3 other scans for this domain

😰
"Nunca pensei que aconteceria comigo"
Isso dizem os 2,3 milhões de vítimas a cada ano. Não espere para ser uma estatística.