# PhishDestroy threat dossier — compassionate-plans-884289.framer.app
================================================================
Fetched: 2026-05-17 04:18:22 UTC
Canonical: https://phishdestroy.io/domain/compassionate-plans-884289.framer.app/

## VERDICT
----------------------------------------------------------------
ACTIVE THREAT — multiple warning signs
Composite threat score: 47/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 11/95 security vendors flagged this domain
Flagging vendors: ADMINUSLabs, BitDefender, ESET, Emsisoft, Fortinet, G-Data, Kaspersky, LevelBlue, Netcraft, OpenPhish, Phishtank
URLQuery: 2 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 31.43.161.6 (NL, Amsterdam)
ASN: AS16509 Amazon.com, Inc.
Hosting org: Framer B.V
Registrar: REGISTRAR_NOT_FOUND
Nameservers: NS_NOT_FOUND
Registered: 2026-05-17
Page title: Saissie de votre identifiant orange
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E8
Expires: 2026-07-06
Status: INVALID chain
Fingerprint: a56001ff73b2e769ad9c3294e0330f0155d40d0a6c11de79e1b100ffba8ac44c

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-05-17 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-17 03:32:48 UTC (by PhishDestroy tracker)
Earliest abuse rec: 2026-05-17 00:33:35 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name
Last verified: 2026-05-17 06:04:03 UTC
Current status: ACTIVE / observable

Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands.

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019e3357-b745-75ae-8e72-66bbe7ef1a39/
URLQuery: https://urlquery.net/report/e939b996-69a2-4d0a-9112-97a96f303190
Wayback Machine: https://web.archive.org/web/*/compassionate-plans-884289.framer.app
crt.sh CT logs: https://crt.sh/?q=%25.compassionate-plans-884289.framer.app
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=compassionate-plans-884289.framer.app
AlienVault OTX: https://otx.alienvault.com/indicator/domain/compassionate-plans-884289.framer.app
URLhaus: https://urlhaus.abuse.ch/host/compassionate-plans-884289.framer.app/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-17 03:33:45 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

compassionate-plans-884289.framer.app has been identified as an active credential theft domain designed to mimic a legitimate service and harvest user login credentials.
This Framer-hosted page employs deceptive tactics, including fake login forms, to trick visitors into submitting sensitive information such as usernames, passwords, or financial data. The site leverages social engineering by appearing as a reputable platform, aiming to capture credentials and enable further account compromise or identity theft. Users visiting this domain risk immediate exposure of their login details, which may be reused across multiple accounts or exploited in follow-on attacks.

PhishDestroy’s analysis confirms this threat through multiple technical indicators. The domain resolves to IP address 31.44.161.6 and is secured with a Let’s Encrypt SSL certificate, which falsely enhances its legitimacy. According to VirusTotal, the domain is flagged by 11 out of 95 security vendors, indicating widespread detection but not universal blocking. The site is hosted on the Framer platform, a legitimate website builder, which has been abused to deploy phishing content quickly and at scale. While specific creation or registration details are not provided, the presence of an active SSL certificate and low VT coverage suggests this campaign is relatively new or has evaded detection through obfuscation.

If you have visited compassionate-plans-884289.framer.app and entered any login credentials, immediately change the password on the real service and enable multi-factor authentication where available. Scan your device with updated antivirus software for potential malware. Avoid reusing passwords across different accounts, especially if the same email or username was used during login. Report the domain to your organization’s security team or the platform being impersonated. Consider using a password manager to detect and prevent reuse of compromised credentials. Stay vigilant for unexpected account activity, phishing emails, or unauthorized transactions.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260517-DD0529
Favicon MD5: 602255d135fef202058c7d5eada03dcc
TLS cert SHA-256: a56001ff73b2e769ad9c3294e0330f0155d40d0a6c11de79e1b100ffba8ac44c

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/compassionate-plans-884289.framer.app/
JSON API: https://api.destroy.tools/v1/check?domain=compassionate-plans-884289.framer.app
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 150,473 domains (27,148 alive under monitoring, 123,046 confirmed takedowns/dead).
Site: https://phishdestroy.io