# bellsouth-att-signing-1dd6db.webflow.io — MALICIOUS > Active credential theft site bellsouth-att-signing-1dd6db.webflow.io impersonates AT&T to harvest login details. Flagged by 14/95 VirusTotal vendors. ## Summary PhishDestroy identifies the domain bellsouth-att-signing-1dd6db.webflow.io as a live credential theft operation impersonating AT&T. The page leverages a fake authentication flow to trick users into submitting sensitive login credentials, making this a high-risk brand impersonation attack. The infrastructure relies on Webflow hosting, which has been abused to host phishing content due to its legitimate appearance. This domain was flagged by 14 out of 95 VirusTotal security vendors, indicating widespread detection. It resolves to IP 104.18.36.248, uses a Google Trust Services SSL certificate, and is listed by Google Safe Browsing under SOCIAL_ENGINEERING. The domain was registered recently and hosted on Webflow’s platform, which has become a common vector for low-effort but convincing phishing pages. The site remains active and poses a significant risk to AT&T customers. Users should avoid interacting with this domain and report it to their security teams. Immediate blocking at the network level is recommended. While the SSL certificate adds superficial legitimacy, the combination of low VT detection, Google flagging, and active deployment signals a persistent threat requiring urgent mitigation. ## Threat Details - Verdict: MALICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registrar: REGISTRAR_NOT_FOUND - IP: 104.18.36.248 ## Detection Status - VirusTotal: 14 vendors flagged - Google Safe Browsing: FLAGGED - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/domains/bellsouth-att-signing-1dd6db.webflow.io - PhishDestroy: https://phishdestroy.io/domain/bellsouth-att-signing-1dd6db.webflow.io/ - LLM endpoint: https://phishdestroy.io/domain/bellsouth-att-signing-1dd6db.webflow.io/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/bellsouth-att-signing-1dd6db.webflow.io/ Last updated: 2026-04-08