# net-dev.pages.dev — SUSPICIOUS

> PhishDestroy identifies active credential harvesting on net-dev.pages.dev. SSL active, IP 172.66.47.13, not flagged on VirusTotal — Check the full report.

## Summary
PhishDestroy flags net-dev.pages.dev as an ACTIVE credential-harvesting phishing domain. The infrastructure is hosted through Cloudflare Pages with an active Google Trust Services SSL certificate and resolves to the IPv4 address 172.66.47.13. As of the seed ac8b1e collection window, VirusTotal recorded 0/95 vendor detections, indicating zero current blocklist coverage and no signature-based detection at the time of assessment. The domain remains unlisted on major threat-intel feeds and reputation engines, maintaining a fully clean initial profile despite red-flag telemetry such as SSL issuance, dynamic Cloudflare hosting, and a freshly minted origin IP.


This campaign leverages Cloudflare Pages as a front-end host to obfuscate the true backend origin, making takedown and attribution more difficult. SSL certificates issued by Google Trust Services add a veneer of legitimacy that can lower user suspicion. The fact that VirusTotal shows 0/95 detections means no antivirus, browser blocklist, or email security engine has yet generated a signature for the payload or landing page, leaving end-users vulnerable. The IP 172.66.47.13 belongs to Cloudflare’s IPv4 range and is dynamically reassigned, further complicating network-level blocking. Registrar data confirms Cloudflare, Inc. as the sponsoring registrar, and the domain’s youth (seed ac8b1e indicates a recent creation epoch) suggests an opportunistic, short-lived campaign designed for maximum reach before reputation decay.


To mitigate credential-harvesting risk, organizations should immediately block net-dev.pages.dev at DNS and network layers. Employees should be warned not to enter corporate credentials on any Cloudflare Pages subdomain unless pre-approved. Deploy browser policies to disable autofill on third-party Pages domains. Conduct a password reset for any accounts where credentials may have been exposed, enable multi-factor authentication, and audit logs for anomalous authentication patterns. Finally, submit the domain to threat-intel teams and browser vendors for rapid signature and blocklist propagation to prevent further compromise.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 172.66.47.13

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/b687787a-513e-469e-8b0e-6b7e484ab7c9
- PhishDestroy: https://phishdestroy.io/domain/net-dev.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/net-dev.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/net-dev.pages.dev/
Last updated: 2026-03-26