# PhishDestroy threat dossier — bestagentnearme.wpcomstaging.com ================================================================ Fetched: 2026-06-26 16:27:10 UTC Canonical: https://phishdestroy.io/domain/bestagentnearme.wpcomstaging.com/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 74/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 3/91 security vendors flagged this domain Flagging vendors: CRDF, Gridinsoft, PhishFort Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 192.0.78.20 Registrar: MarkMonitor, Inc. Nameservers: ns1.automattic.com, ns2.automattic.com, ns3.automattic.com Registered: 2026-06-11 Expires: 2027-04-26 Page title: bestagentnearme ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / E7 Expires: 2026-07-29 Status: INVALID chain Fingerprint: d4c6443341d6184c2b9ccf58e8f875446e547725590456a7210def84eef57863 Subject Alternative Names (related infrastructure — often same operator): - wpcomstaging.com ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-11 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-11 17:48:27 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-06-11 15:49:25 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-06-26 18:17:04 UTC Neutralised: 2026-06-17 00:33:22 UTC Current status: taken down (registrar suspended or DNS dead) Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019eb75e-1984-74bb-a9be-e5504df902f0/ URLQuery: https://urlquery.net/report/54e69374-4f6f-4ea7-820d-caee2931f61e Wayback Machine: https://web.archive.org/web/*/bestagentnearme.wpcomstaging.com crt.sh CT logs: https://crt.sh/?q=%25.bestagentnearme.wpcomstaging.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=bestagentnearme.wpcomstaging.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/bestagentnearme.wpcomstaging.com URLhaus: https://urlhaus.abuse.ch/host/bestagentnearme.wpcomstaging.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-25 23:43:31 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, bestagentnearme.wpcomstaging.com, is identified as a fraudulent site impersonating legitimate real estate or insurance agents to deceive visitors. The site likely presents itself as a directory or service provider, luring users into submitting personal details, payment information, or downloading malicious files under false pretenses. Such schemes often exploit trust in professional services to harvest sensitive data for identity theft, financial fraud, or further phishing campaigns. The threat is particularly insidious due to its plausible branding and targeted approach, increasing the likelihood of successful deception. Analysis indicates this domain was created on June 11, 2026, an anomalous future date suggesting an attempt to obscure its true registration timeline. It is registered through MarkMonitor, Inc., a registrar commonly used for both legitimate and malicious domains. Infrastructure analysis reveals the domain resolves to the IP address 192.0.78.20 and uses a Let’s Encrypt SSL certificate, which provides encryption but does not validate legitimacy. Security vendors have flagged this domain, with 3 out of 95 engines on VirusTotal detecting it as malicious. Additionally, it appears on two security blocklists and has been proactively blocked by at least two threat intelligence platforms, further confirming its elevated risk status. If you visited bestagentnearme.wpcomstaging.com or interacted with its content, immediate action is required. First, disconnect the affected device from the internet to prevent potential data exfiltration. Run a full system scan using updated security software to detect and remove any malware or unwanted programs. Change passwords for any accounts accessed on the device, prioritizing financial, email, and sensitive service logins. Monitor bank statements and credit reports for unauthorized activity, and consider placing a fraud alert with relevant agencies. Report the incident to local cybersecurity authorities or consumer protection organizations to aid in tracking and mitigating the threat. Avoid re-engaging with the domain or similar sites, and verify the authenticity of any service provider through official channels before sharing personal or financial information. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260611-EFFEB3 Favicon MD5: f1b192a0d533d4a7d891a5f28b00c90e TLS cert SHA-256: d4c6443341d6184c2b9ccf58e8f875446e547725590456a7210def84eef57863 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/bestagentnearme.wpcomstaging.com/ JSON API: https://api.destroy.tools/v1/check?domain=bestagentnearme.wpcomstaging.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 170,544 domains (12,283 alive under monitoring, 157,877 confirmed takedowns/dead). Site: https://phishdestroy.io