# PhishDestroy threat dossier — detran-es-brs.ghost.io ================================================================ Fetched: 2026-07-01 14:19:50 UTC Canonical: https://phishdestroy.io/domain/detran-es-brs.ghost.io/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 45/100 (PhishDestroy scoring — see methodology below) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/94 security vendors flagged this domain Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 146.75.123.7 (DE, Frankfurt am Main) ASN: AS54113 Fastly, Inc. Hosting org: Fastly, Inc Registrar: Ghost Registered: 2026-04-24 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R13 Expires: 2026-07-20 Status: INVALID chain Fingerprint: 945ad19eb3052071bd9ba191c24207b7b6a8ca8f6cee20f88f0e89b6a7f71cbc Subject Alternative Names (related infrastructure — often same operator): - ghost.io ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-24 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-24 21:30:09 UTC (by PhishDestroy tracker) First reported: 2026-06-15 00:27:29 UTC (abuse notice filed) Last verified: 2026-07-01 12:20:36 UTC Neutralised: 2026-04-26 21:20:37 UTC Current status: taken down (registrar suspended or DNS dead) ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-26 13:47:03 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The domain detran-es-brs.ghost.io is currently under investigation for posing a generic phishing threat. Although it is now offline, the potential risks associated with this domain necessitate a thorough analysis to understand its threat level and the nature of the phishing attempts. Analysis indicates that detran-es-brs.ghost.io was registered through the Ghost platform on April 24, 2026. The domain resolves to the IP address 146.75.123.7. VirusTotal, a widely used threat intelligence platform, has reported 0 out of 95 detections, suggesting that the domain has not been flagged by most security engines. However, the domain appears on one security blocklist, which is a concerning indicator. The SSL certificate for this domain is issued by Let's Encrypt, specifically under the R13 root certificate. Despite the lack of detections, the presence on a blocklist and the nature of the domain name, which mimics an official Brazilian government agency, warrant further scrutiny. To mitigate the risks associated with this domain, it is recommended that users avoid visiting or interacting with detran-es-brs.ghost.io until its status is fully confirmed. Security teams should monitor the domain for any signs of reactivation and consider adding it to internal blocklists. Additionally, users should be educated on the common tactics used in phishing campaigns, such as the use of deceptive domain names and the importance of verifying the authenticity of websites, especially those purporting to represent government entities. Regular updates to security software and maintaining a cautious approach to unsolicited communications can further reduce the likelihood of falling victim to phishing attempts. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 5c25dc4385fe5963f245c0f0dc98b4ca TLS cert SHA-256: 945ad19eb3052071bd9ba191c24207b7b6a8ca8f6cee20f88f0e89b6a7f71cbc ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/detran-es-brs.ghost.io/ JSON API: https://api.destroy.tools/v1/check?domain=detran-es-brs.ghost.io Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 173,494 domains (13,312 alive under monitoring, 159,499 confirmed takedowns/dead). Site: https://phishdestroy.io