# PhishDestroy threat dossier — facebook-seks-44.blogspot.com ================================================================ Fetched: 2026-07-10 15:24:18 UTC Canonical: https://phishdestroy.io/domain/facebook-seks-44.blogspot.com/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 83/100 (PhishDestroy scoring — see methodology below) Targeted brand: Facebook ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 10/95 security vendors flagged this domain Flagging vendors: BitDefender, ESET, Emsisoft, Fortinet, G-Data, LevelBlue, Lionic, Netcraft, Sophos, Webroot Public blocklists: listed on 3 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 142.251.127.132 (US, Mountain View) ASN: AS15169 Google LLC Hosting org: Google LLC Registrar: Google Blogger Nameservers: NS_NOT_FOUND HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Google Trust Services / WE2 Expires: 2026-09-14 Status: INVALID chain Fingerprint: dfa3f8ab89d00806a0e01ae992c457435d332b448a420a98535c94e570e0fa17 Subject Alternative Names (related infrastructure — often same operator): - blogspot.ae - blogspot.al - blogspot.am - blogspot.ba - blogspot.be - blogspot.bg - blogspot.ca - blogspot.ch - blogspot.cl - blogspot.co.at - blogspot.co.id - blogspot.co.il - blogspot.co.ke - blogspot.co.nz - blogspot.co.uk ... +55 more ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-10 14:28:35 UTC (by PhishDestroy tracker) Last verified: 2026-07-10 17:01:35 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4bff-8950-74bf-aca9-cf20efae87f3/ Wayback Machine: https://web.archive.org/web/*/facebook-seks-44.blogspot.com crt.sh CT logs: https://crt.sh/?q=%25.facebook-seks-44.blogspot.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=facebook-seks-44.blogspot.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/facebook-seks-44.blogspot.com URLhaus: https://urlhaus.abuse.ch/host/facebook-seks-44.blogspot.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-10 14:35:55 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, facebook-seks-44.blogspot.com, poses a high-risk brand impersonation threat targeting Facebook users. The site is designed to deceive visitors into entering legitimate credentials by presenting a counterfeit login interface, likely harvesting sensitive account information for unauthorized access or further malicious activity. The inclusion of suggestive terms in the subdomain suggests an attempt to exploit curiosity or urgency, increasing the likelihood of user engagement with the fraudulent page. Analysis indicates the domain is hosted on Google Blogger infrastructure, resolving to the IP address 142.251.127.132. It is registered through Google’s platform, which provides SSL certification via Google Trust Services, lending an appearance of legitimacy. However, technical indicators reveal significant red flags: VirusTotal reports that 10 out of 95 security vendors have flagged this domain as malicious. The domain remains active at the time of this assessment, with no evidence of takedown or remediation efforts. Users who have visited facebook-seks-44.blogspot.com or entered credentials on the site should immediately take corrective action. First, change the password for the affected Facebook account and any other platforms where identical or similar credentials may have been reused. Enable multi-factor authentication to add an additional layer of security. Monitor the account for unauthorized activity, such as unfamiliar posts, messages, or login attempts from unrecognized devices or locations. If financial or personally identifiable information was entered, consider reporting the incident to relevant authorities and monitoring for signs of identity theft or fraud. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: d7fc1da3f0d85bd1777c84d42b1db20b TLS cert SHA-256: dfa3f8ab89d00806a0e01ae992c457435d332b448a420a98535c94e570e0fa17 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/facebook-seks-44.blogspot.com/ JSON API: https://api.destroy.tools/v1/check?domain=facebook-seks-44.blogspot.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 177,104 domains (24,957 alive under monitoring, 152,147 confirmed takedowns/dead). Site: https://phishdestroy.io