SafeMode - Analysis: dkbing-banking.91-218-65-223.plesk.page

Captura Visual

Screenshot of dkbing-banking.91-218-65-223.plesk.page

Informações de Detecção

https://dkbing-banking.91-218-65-223.plesk.page/

Detected Brand

Plesk

Country

International

Confiança

100%

HTTP Status

200

Report ID

920d4e12-6d3…

Analyzed

2026-02-26 00:50

Final URL (after redirects)

https://dkbing-banking.91-218-65-223.plesk.page/login_up.php

Hashes de Conteúdo (Similaridade HTML)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1AF92B6F2548CE57627039FD0F466BB15B39B65BEEB820700C26C83985FE7ED1D44988A
CONTENT ssdeep	384:KLJjYp8pe78xe8ITjKkrVjg1rTj3rrn1NWEGWPZ+gEbDP5p3OECCefdRhqHe1:KLJjW8pe78xe8I32f1BoZOCadRhqHe1

Hashes Visuais (Similaridade de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	cc662799319933b9
VISUAL aHash	0010001818181818
VISUAL dHash	726224b2b2b2b2b2
VISUAL wHash	0010181818181c1c
VISUAL colorHash	07007000080
VISUAL cropResistant	92a280b233a08e9e,726224b2b2b2b2b2

Análise de Código

Risk Score 85/100

Nível de Ameaça ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Ameaça: Phishing
• Alvo: Usuários do Plesk
• Método: Imitação através de uma página de login falsa.
• Exfil: Desconhecido, provavelmente para capturar credenciais de login.
• Indicadores: Incompatibilidade de domínio, JavaScript ofuscado, envio de formulário.
• Risco: ALTO

🔒 Obfuscation Detected

atob
eval
fromCharCode
unescape
document.write
hex_escape
unicode_escape
base64_strings

🎯 Kit Endpoints

https://github.com/login/oauth/authorize?client_id=1c4da8e2ca643e96ea17&redirect_uri=https%3A%2F%2Fid.plesk.com%2Fredirect%2Fgithub-sign-in.html&scope=user%3Aemail&state=ph%2FGSgODM2KSSO27Qdb28STvRhgMTS36Fmb5M8dA%7Credirect-plesk%3Dhttps%253A%252F%252Fdkbing-banking.91-218-65-223.plesk.page%252Fmodules%252Fsocial-login%252Fpublic%252Flogin.php%253Fprovider%253Dgithub
${(0,m.default)(`/admin/report/download/file/${encodeURIComponent(n.file)}`)}
https://support.plesk.com/hc/en-us/articles/12377667582743-How-to-log-in-to-Plesk-
log-in
/modules/social-login/public/webauthn.js?1.10.5&18.0.76-1
/login_up.php?modals[cookie-policy-preferences]=true
/logout.php

📡 API Calls Detected

/admin/copilot/gen-answer
GET
/admin/copilot/stat
/modules/notifier/index.php/notifications

📊 Detalhamento da Pontuação de Risco

Total Risk Score

90/100

Contributing Factors

Suspicious Domain

The domain is not related to the brand.

Obfuscated JavaScript

Code obfuscation is a common technique used to hide malicious code.

Requests Credentials

The website asks for login credentials in a suspicious context.

🔬 Análise Integral de Ameaças

Tipo de Ameaça

Banking Credential Harvester

Alvo

Plesk users (International)

Método de Ataque

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Canal de Exfiltração

Form submission (backend endpoint not detected - likely JavaScript-based)

Avaliação de Risco

CRITICAL - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Banking, Personal Info
105 obfuscation techniques

🏢 Análise de Falsificação de Marca

Impersonated Brand

Plesk and Living Bots

Official Website

null

Fake Service

Plesk Login

⚔️ Metodologia de Ataque

Primary Method: Credential Harvesting

The attacker attempts to steal user credentials by creating a fake login page that mimics the look and feel of the target service (Plesk). Users are tricked into entering their login details, which are then harvested by the attacker.