# finance-estadao.sbs — SUSPICIOUS

> Investigation confirms finance-estadao.sbs impersonates the Estadao brand for credential theft, active with 0/95 VirusTotal detections. Blocked by SEAL.

## Summary

PhishDestroy identifies finance-estadao.sbs as an active brand impersonation and credential theft campaign targeting Estadao users. The domain mimics the legitimate Brazilian news outlet to harvest login credentials and sensitive data. No crypto drainer kit is observed in the payload, indicating a focus on traditional account compromise rather than asset drainage. The threat actor leverages a lookalike domain to deceive victims into entering credentials under the guise of a 'secure authentication portal.'

This domain was flagged with the following technical indicators: registered on March 31, 2026, through Dynadot LLC, resolving to IP 188.114.97.3. It employs a Let's Encrypt SSL certificate for credibility and currently shows 0/95 VirusTotal detections, with 1 security blocklist presence. The domain is actively blocked by SEAL, the enterprise security platform.

Current status remains active but contained, with SEAL providing initial mitigation. Remaining risk includes potential credential harvesting if the block fails, and domain persistence via DNS cache poisoning or new blocklist entries. Users should avoid accessing the domain and report any suspicious login attempts to Estadao’s security team. Continuous monitoring is advised until the domain is sinkholed or taken offline.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registered: 2026-03-31 15:30:02
- Registrar: Dynadot LLC
- IP: 188.114.97.3

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 1 hit
  Lists: ["SEAL"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/finance-estadao.sbs
- PhishDestroy: https://phishdestroy.io/domain/finance-estadao.sbs/
- LLM endpoint: https://phishdestroy.io/domain/finance-estadao.sbs/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/finance-estadao.sbs/
Last updated: 2026-04-04