Detailed analysis of captured phishing page
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T13B147614FB0207C484F9BCD5949772E4A041CE2FA34A6597252F53F67CCACA63EA239D |
|
CONTENT
ssdeep
|
384:DHgJWIVlJTy4yLMiVH8z2IVvg/py2pLaQlmXBwJlVIXv4kcYbUo0Wo3mNKX:sJ/wS2AqpL0wTVIXv4+Uo0Wo3mN2 |
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
b8396c3c316ccec5 |
|
VISUAL
aHash
|
81c3ffcfcf9fc3c3 |
|
VISUAL
dHash
|
3b1b001c1c2a3737 |
|
VISUAL
wHash
|
8181dfcfc79f8181 |
|
VISUAL
colorHash
|
06400030000 |
|
VISUAL
cropResistant
|
3b1b001c1c2a3737 |
Victim enters username and password into fake login form. Credentials are captured via JavaScript and exfiltrated to attacker's server in real-time.
Malicious code is obfuscated using 46 techniques to evade detection by security scanners and make reverse engineering more difficult.
1. Step 1: User lands on the spoofed DHL guest management portal ('secure.dhlguestmanagement.com')
2. Step 2: User enters login credentials (username/email and password) into the dynamically generated form
3. Step 3: Password complexity is validated client-side via SSSI.frontend.validatePW(), which sends the password to the backend for validation (AJAX POST to ControllerProxy.cfc)
4. Step 4: If MFA is enabled, the user is prompted to enter a phone number for verification code delivery
5. Step 5: SSSI.frontend.sendVerificationCode() sends the phone number to the backend, triggering an SMS with a verification code
6. Step 6: User enters the MFA code, which is captured and sent to the backend via SSSI.frontend.verifyMFA()
7. Step 7: If the user requests a resend of the MFA code, SSSI.frontend.loginResendVerificationCode() captures the updated phone number or MFA channel (SMS/WhatsApp)
8. Step 8: All captured data (credentials, phone numbers, MFA codes) is exfiltrated via AJAX POST requests to the attacker's ColdFusion backend
9. Step 9: The backend processes the data, likely storing it for later use or forwarding it to the attacker via email, Telegram, or another exfiltration channel
1. Step 1: User lands on the spoofed DHL guest management portal ('secure.dhlguestmanagement.com')
2. Step 2: User enters login credentials (username/email and password) into the dynamically generated form
3. Step 3: Password complexity is validated client-side via SSSI.frontend.validatePW(), which sends the password to the backend for validation (AJAX POST to ControllerProxy.cfc)
4. Step 4: If MFA is enabled, the user is prompted to enter a phone number for verification code delivery
5. Step 5: SSSI.frontend.sendVerificationCode() sends the phone number to the backend, triggering an SMS with a verification code
6. Step 6: User enters the MFA code, which is captured and sent to the backend via SSSI.frontend.verifyMFA()
7. Step 7: If the user requests a resend of the MFA code, SSSI.frontend.loginResendVerificationCode() captures the updated phone number or MFA channel (SMS/WhatsApp)
8. Step 8: All captured data (credentials, phone numbers, MFA codes) is exfiltrated via AJAX POST requests to the attacker's ColdFusion backend
9. Step 9: The backend processes the data, likely storing it for later use or forwarding it to the attacker via email, Telegram, or another exfiltration channel
webpackBundle_frontend.js?v=2.1.597SSSI.frontend.validatePW() - Validates password complexity against backend rulesSSSI.frontend.svalidatePasswords() - Compares password fields for consistencySSSI.frontend.sendVerificationCode() - Sends MFA verification codes to user-provided phone numbersSSSI.frontend.loginResendVerificationCode() - Resends MFA codes to capture updated credentialsSSSI.frontend.verifyMFA() - Submits MFA verification codes to the backendjQuery.ajax() - Used extensively to send captured credentials and MFA codes to the attacker's serverSSSI.frontend.togglePassword() - Toggles password visibility to enhance user experience and trustSSSI.util.updateModalButtons() - Manipulates modal dialogs to guide users through the phishing flowPages with identical visual appearance (based on perceptual hash)
Found 10 other scans for this domain