# goface.shop — MALICIOUS

> goface.shop is a social engineering phishing site; 8 of 95 security vendors flag it. Check the full report.

## Summary
PhishDestroy identifies goface.shop as an active social-engineering phishing domain that lures users into revealing personal or financial information under false pretenses. The site mimics a legitimate login portal or brand interface to trick visitors into entering credentials or payment details, which are then harvested by attackers for fraud or resale on underground markets. Visiting this domain may result in immediate account takeover, financial loss, or identity theft, especially if any data is entered during the session. In multiple independent tests, such as those performed by VirusTotal, goface.shop triggered warnings across 8 out of 95 security scanning engines, indicating widespread suspicion across the cybersecurity community. Google Safe Browsing further classifies this domain as engaging in social-engineering tactics, confirming its malicious intent rather than accidental misconfiguration.  This domain was flagged as part of routine threat intelligence operations and linked to a known seed identifier 104d91. goface.shop resolves to the IP address 104.21.24.69 and uses a valid but compromised Let’s Encrypt SSL certificate, which attackers often employ to appear legitimate and evade browser warnings. While the exact creation date is not disclosed in public records, the low detection ratio combined with active phishing behavior suggests this site was established recently and operationalized quickly to avoid longer-term reputation tracking. Registrar data indicates the domain is hosted under a privacy-protected or bulk-registration service, a common tactic used to obscure the true ownership and prolong malicious operations.  If you have visited goface.shop, immediately cease any interaction with the site and avoid entering any login credentials, payment information, or personal details. Do not click any links from the page, even if they appear to offer help or security updates. Scan your device using updated antivirus software to detect any potential malware that may have been downloaded during the visit. Change passwords for any accounts where you might have reused credentials, especially those related to email, banking, or social media. Enable two-factor authentication on critical accounts and monitor financial statements for signs of unauthorized transactions. Report the domain to your internet service provider or local cybercrime unit if possible, and warn others who may have been targeted.

## Threat Details
- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: REGISTRAR_NOT_FOUND
- IP: 104.21.24.69

## Detection Status
- VirusTotal: 8 vendors flagged
- Google Safe Browsing: FLAGGED
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/c220dcc5-e3fa-408e-abc0-f4275db88656
- PhishDestroy: https://phishdestroy.io/domain/goface.shop/
- LLM endpoint: https://phishdestroy.io/domain/goface.shop/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/goface.shop/
Last updated: 2026-03-21