# PhishDestroy threat dossier — facebook.kleinanzeig.blog ================================================================ Fetched: 2026-05-01 07:15:49 UTC Canonical: https://phishdestroy.io/domain/facebook.kleinanzeig.blog/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 67/100 (PhishDestroy scoring — see methodology below) Scam classification: Impersonation Targeted brand: Facebook ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 0/94 security vendors flagged this domain ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 172.67.203.61 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: Global Domain Group LLC Nameservers: ["kellen.ns.cloudflare.com", "magdalena.ns.cloudflare.com"] Registered: 2026-04-02 HTTP response: 530 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: none Status: INVALID chain ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-04-02 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-04-02 18:39:02 UTC (by PhishDestroy tracker) Earliest abuse rec: 2026-04-02 15:39:49 UTC — PREDATES current WHOIS registration; retained from a previous registration cycle of the same domain name Last verified: 2026-04-24 07:40:13 UTC Neutralised: 2026-04-03 01:51:40 UTC Current status: taken down (registrar suspended or DNS dead) Note: one or more events above predate the WHOIS creation date. This typically means the same domain name was previously registered, detected, dropped, and then re-registered by a new party. PhishDestroy preserves the full historical record for operator-attribution research even when the underlying infrastructure changes hands. ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019d4ed8-470d-7638-ae82-7130b7f59cd7/ URLQuery: https://urlquery.net/report/853215de-21cb-4170-836d-906021b4032e Wayback Machine: https://web.archive.org/web/*/facebook.kleinanzeig.blog crt.sh CT logs: https://crt.sh/?q=%25.facebook.kleinanzeig.blog Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=facebook.kleinanzeig.blog AlienVault OTX: https://otx.alienvault.com/indicator/domain/facebook.kleinanzeig.blog URLhaus: https://urlhaus.abuse.ch/host/facebook.kleinanzeig.blog/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-04-02 18:39:43 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies facebook.kleinanzeig.blog as an active brand-impersonation scam that masquerades as Facebook to steal login credentials and personal data. The malicious domain leverages a lookalike subdomain path to mimic the genuine Facebook brand, tricking visitors into entering their credentials under false pretenses. Any information submitted on this page is routed to attacker-controlled servers, enabling account takeover and subsequent identity theft or financial fraud. Because the site appears to be an official Facebook service at first glance, users may unknowingly compromise their accounts without realizing the deception until it is too late. Social engineering tactics such as urgency or fake “security alerts” amplify the risk, increasing the likelihood of user interaction and data surrender. Early detection and avoidance are critical to preventing long-term harm to personal and professional digital identities. This domain was flagged independently by PhishDestroy after routine monitoring detected a newly registered impersonation site targeting Facebook. According to verified telemetry, the domain facebook.kleinanzeig.blog was created on April 01, 2026 through Global Domain Group LLC, resolving to IP 172.67.203.61 and secured with a Let’s Encrypt SSL certificate. Despite zero detections on VirusTotal (0 out of 95 scanning engines as of latest scan), behavioral analysis reveals clear intent to mimic official Facebook interfaces. The site’s registrar choice and certificate issuance suggest opportunistic abuse of trusted mechanisms, making it harder for end-users to visually distinguish the scam from legitimate services. These technical indicators point to a rapidly deployed campaign designed to capitalize on brand recognition rather than sophisticated exploitation techniques. If you visited facebook.kleinanzeig.blog, immediately stop interacting and avoid entering any login details or personal information. Use a different device or secure network to change your Facebook password using the official website facebook.com. Enable two-factor authentication to add an extra layer of security. Scan your device for malware with trusted antivirus software and monitor your accounts for unusual activity. Report the scam to Facebook’s phishing team and file a complaint with your local cybercrime unit. Share this warning with friends and family to prevent further spread of this fraudulent scheme. Staying vigilant against similar brand-impersonation attempts is essential in protecting your digital identity and online safety. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260402-0AC652 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/facebook.kleinanzeig.blog/ JSON API: https://api.destroy.tools/v1/check?domain=facebook.kleinanzeig.blog Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+. Site: https://phishdestroy.io