
Visual Capture

Screenshot of webprotalapp.ghost.io

Detection Information

https://webprotalapp.ghost.io/ledgelive-begin/
Detected Brand
Ledger
Country
International
Confidence
100%
HTTP Status
200
Report ID
e434c328-4ec…
Analyzed
2026-01-26 05:43

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T159A2B337A7406B3D4B62039DBA67278EB367518DE6CE09D0E2FDC23E1291D91C536C92
CONTENT ssdeep
384:6SiYnE93lKOAiEGbGb2T/35UKgx6mf6JYs2KWlhSD9jAmfCG:6SiYEhv/viKgqKwA8t

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
b0da42cacacece9a
VISUAL aHash
fdc7c7c7c7c3c7c7
VISUAL dHash
491c1e0e1e0e0e0e
VISUAL wHash
a1c7c3c3c3c3c3c3
VISUAL colorHash
07000000007
VISUAL cropResistant
491c1e0e1e0e0e0e

Code Analysis

Risk Score 76/100
Threat Level HIGH
⚠️ Phishing Confirmed
🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Phishing page imitating Ledger
• Target: Users of Ledger cryptocurrency wallets
• Method: Fake Ledger Live download page
• Exfil: Possible data collection via a sign-up form
• Indicators: Mismatched domain, free hosting, obfuscated JavaScript
• Risk: HIGH - Possible malware distribution or credential theft

🔒 Obfuscation Detected

  • fromCharCode
  • base64_strings

📡 API Calls Detected

  • POST
  • https://ghost.org

📊 Risk Score Breakdown

Total Risk Score
100/100

Contributing Factors

Active Phishing Kit
Detected multiple phishing kit types: Credential Harvester, OTP Stealer, Card Stealer, and Banking kits.
High Obfuscation
20 obfuscation techniques detected, indicating deliberate evasion of detection.
Brand Impersonation
Targeting Ledger, a high-value cryptocurrency hardware wallet brand, increasing likelihood of successful compromise.
Malicious JavaScript Files
Presence of suspicious JavaScript files (cards.min.js, member-attribution.min.js, ghost-stats.min.js) with potential malicious functionality.

🔬 Comprehensive Threat Analysis

Threat Type
Banking Credential Harvester
Target
Ledger users (International)
Attack Method
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Exfiltration Channel
Unknown
Risk Assessment
HIGH - Automated credential harvesting with an unknown exfiltration channel

⚠️ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
  • 20 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand
Ledger
Official Website
https://www.ledger.com
Fake Service
Ledger wallet verification or account recovery

⚔️ Attack Methodology

Primary Method: Crypto Wallet Credential Harvesting

The phishing kit impersonates Ledger's official portal to trick users into entering their wallet recovery phrases or private keys. The Credential Harvester component captures input in real-time and transmits it to an attacker-controlled server.

Secondary Method: OTP and Card Data Theft

The OTP Stealer and Card Stealer components are designed to intercept one-time passwords and credit card details, likely targeting users who may link payment methods to their crypto wallets for purchases or withdrawals.

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain
webprotalapp.ghost.io
Registered
2011-10-01 23:06:09+00:00
Registrar
1API GmbH
Status
Active (5230 days old)

🦠 Malicious Files

Main File
File Size

Contains obfuscated code with potential credential harvesting or data exfiltration functionality.

📊 Attack Flow Diagram

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL ACCESS                                        │
│    - Victim directed to fake crypto wallet site          │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE AUTHENTICATION                                   │
│    - Spoofed login interface presented                   │
│    - User prompted for wallet credentials                │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL CAPTURE                                    │
│    - User input collected via web form                   │
│    - Data temporarily stored client-side                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA TRANSMISSION                                     │
│    - Stolen credentials sent via HTTP POST               │
│    - Standard form submission to attacker server         │
└──────────────────────────────────────────────────────────┘
```

🔬 JavaScript Deep Analysis

Operator Language
English (1%)
Total Code Size
100.0 KB

🔗 API Endpoints Detected

Other
4

🔐 Obfuscation Detected

  • : None
  • : None
  • : Light
  • : Light

🤖 AI-Extracted Threat Intelligence

🎯 Malicious Files Identified
