# dps-voting.pages.dev — SUSPICIOUS

> dps-voting.pages.dev impersonates DHL for credential theft. This active phishing site bypasses 95 scanners with 0/95 VirusTotal detections.

## Summary

PhishDestroy identifies dps-voting.pages.dev as an active credential-harvesting domain masquerading as a DHL voting portal. The infrastructure leverages Cloudflare Pages to host a spoofed DHL-themed phishing kit designed to steal user credentials under the guise of a shipping survey or verification process. No specific drainer kit variant is confirmed at this stage, but the page structure suggests exfiltration of entered credentials via HTTPS POST to a backend controlled by the threat actor. The domain does not appear to impersonate other major brands at this time, focusing instead on DHL branding to exploit trust in logistics communications.

This domain was flagged via automated threat intelligence feeds and exhibits the following technical indicators: VirusTotal detection score of 0/95 as of the latest scan, hosted on IP 172.66.47.22 through Cloudflare, Inc., and secured with a Google Trust Services SSL certificate. The domain was registered through Cloudflare’s Pages platform, which allows rapid deployment of static sites—ideal for short-lived phishing campaigns. While the exact creation date is not visible in public records, the site is currently active and serving content known to mimic official DHL correspondence. Google Safe Browsing (GSB) has not yet flagged the domain, and it remains absent from major blocklists at the time of analysis. The absence of detections suggests either a newly deployed campaign or one designed to evade signature-based detection.

The current operational status is ACTIVE, with the campaign ongoing as of the latest observation. PhishDestroy recommends immediate network-level blocking of dps-voting.pages.dev and its resolving IP (172.66.47.22) due to the confirmed threat of credential harvesting. Users should avoid accessing the domain and report it via their organization’s threat submission portal or to PhishDestroy’s abuse channel using seed e1aef9. While the risk of credential theft remains high due to the site’s active status and low detection coverage, the immediate threat can be mitigated through proactive blocking and user awareness campaigns emphasizing skepticism toward unexpected DHL-related communications. Continuous monitoring is advised, as this domain may be taken down or shift infrastructure rapidly.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: Cloudflare, Inc.
- IP: 172.66.47.22

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/df4c0118-d04d-434b-923b-f44e4799a33c
- PhishDestroy: https://phishdestroy.io/domain/dps-voting.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/dps-voting.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/dps-voting.pages.dev/

Last updated: 2026-03-24