# PhishDestroy threat dossier — detran-es-govbr.vercel.app
================================================================

Fetched: 2026-05-01 07:44:51 UTC
Canonical: https://phishdestroy.io/domain/detran-es-govbr.vercel.app/

## VERDICT
----------------------------------------------------------------

ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------

VirusTotal: 0/91 security vendors flagged this domain

## INFRASTRUCTURE
----------------------------------------------------------------

IP address: 216.198.79.67 (US, Cleveland)
ASN: AS16509 Amazon.com, Inc.
Hosting org: CYPRESS COMMUNICATIONS, LLC
Registrar: Vercel Inc.
Nameservers: NS_NOT_FOUND
Registered: 2026-04-25
Page title: Serviços DETRAN-ES Veículos
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------

Issuer: Google Trust Services / WR1
Expires: 2026-05-27
Status: INVALID chain
Fingerprint: 4b377d7d8e1770bbe1519b5896246c116ab3aea968434658b330f054f7ea4338
Subject Alternative Names (related infrastructure — often same operator):
- vercel.app

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------

Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------

Domain registered: 2026-04-25 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-25 12:02:35 UTC (by PhishDestroy tracker)
Last verified: 2026-04-28 13:11:35 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------

URLScan.io: https://urlscan.io/result/019dc3df-7955-70fa-a1d0-a6cedeac231d/
Wayback Machine: https://web.archive.org/web/*/detran-es-govbr.vercel.app
crt.sh CT logs: https://crt.sh/?q=%25.detran-es-govbr.vercel.app
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=detran-es-govbr.vercel.app
AlienVault OTX: https://otx.alienvault.com/indicator/domain/detran-es-govbr.vercel.app
URLhaus: https://urlhaus.abuse.ch/host/detran-es-govbr.vercel.app/

## ANALYST NARRATIVE
----------------------------------------------------------------

[Generated: 2026-04-25 12:03:07 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies active brand impersonation phishing targeting Brazil's Departamento Estadual de Trânsito do Espírito Santo (DETRAN-ES) via the deceptive domain detran-es-govbr.vercel.app. This domain leverages Vercel's hosting infrastructure to impersonate official government services, attempting to harvest sensitive user credentials under the guise of legitimacy. The campaign's sophistication lies in its abuse of legitimate cloud services (Vercel) and Google Trust Services SSL certificates, which may bypass traditional security filters that rely on domain reputation or certificate scrutiny.
Initial analysis indicates this is part of a broader trend where threat actors exploit trusted cloud platforms to host spoofed government portals, particularly in regions with high digital government service adoption. This domain was flagged with a risk level of under_investigation but is assessed as HIGH due to its active status and direct impersonation of a regional government authority. Technical indicators include resolution to IP 216.198.79.67, an SSL certificate issued by Google Trust Services (commonly trusted by browsers), and 0 detections out of 95 on VirusTotal as of initial analysis. The domain is registered through Vercel Inc., a legitimate cloud platform provider, which complicates takedown efforts due to Vercel's acceptable use policies regarding impersonation. Notably, the domain does not appear on any major blocklists at the time of writing, and no trust score degradation was observed in initial scans. The combination of a deceptive naming convention (mimicking the official detran-es-gov.br domain), abuse of a reputable hosting provider, and absence of immediate detection flags suggests an elevated risk of successful credential theft among unsuspecting users.

Mitigation steps for this credential theft campaign require a multi-layered approach. Users should immediately block access to detran-es-govbr.vercel.app at the network level (DNS sinkholing or firewall rules) and verify any DETRAN-ES communications directly through official channels (e.g., detran-es.gov.br). Organizations should deploy email filtering rules targeting domains with Vercel.app suffixes in government-themed lures, and implement browser security policies to flag or block sites with recently issued SSL certificates from lesser-known CAs (though Google Trust Services is trusted, its use in impersonation warrants scrutiny).
Additionally, users interacting with Brazilian government services should enable multi-factor authentication (MFA) on all accounts and verify website URLs via official government portals before inputting credentials. Threat intelligence teams are advised to monitor for similar campaigns leveraging Vercel's infrastructure, as this tactic is increasingly prevalent in brand impersonation phishing.

## EVIDENCE HASHES
----------------------------------------------------------------

Favicon MD5: 5c25dc4385fe5963f245c0f0dc98b4ca
TLS cert SHA-256: 4b377d7d8e1770bbe1519b5896246c116ab3aea968434658b330f054f7ea4338

## SCORING METHODOLOGY
----------------------------------------------------------------

Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:

- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.
## CORRECTIONS / APPEALS
----------------------------------------------------------------

Full HTML report: https://phishdestroy.io/domain/detran-es-govbr.vercel.app/
JSON API: https://api.destroy.tools/v1/check?domain=detran-es-govbr.vercel.app
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io