# new-lehjrecomstart.pages.dev — SUSPICIOUS

> New-lehjrecomstart.pages.dev is a fake recommerce phishing site hosted on Cloudflare's network. Google Safe Browsing already flags this domain for social.

## Summary
PhishDestroy identifies new-lehjrecomstart.pages.dev as an active fake recommerce phishing domain posing as a legitimate second-hand marketplace. This site employs social engineering tactics to trick users into disclosing payment details or account credentials under the guise of buying or selling items. The landing page mimics popular recommerce platforms, luring victims with fake listings and fabricated promotions to harvest sensitive data. Once submitted, user information is exfiltrated to attacker-controlled servers, enabling credential theft, financial fraud, or identity compromise. The domain abuses Cloudflare Pages to rapidly deploy and rotate infrastructure, evading traditional blocklists during its early operational phase.  This domain was flagged by Google Safe Browsing for SOCIAL_ENGINEERING and currently resolves to IP 188.114.96.3. It shows zero detections on VirusTotal (0/95 engines) despite active abuse, indicating a low-profile but high-impact threat. Registered through Cloudflare, Inc., the site leverages a valid Google Trust Services SSL certificate to appear legitimate and gain user trust. Its Pages.dev subdomain structure enables rapid deployment cycles, making it difficult for security tools to maintain up-to-date blocklists. The combination of zero detection, active Google flagging, and Cloudflare hosting suggests a newly activated campaign with potential for rapid expansion.  Users who visited new-lehjrecomstart.pages.dev should immediately check browser history and avoid interacting with any pop-ups or prompts. If credentials were entered, change passwords on all connected accounts—especially financial or email services—and enable two-factor authentication. Run a full antivirus scan and review recent transactions for unauthorized activity. Report the domain to your organization's SOC or to Google Safe Browsing via their report page. Block the IP 188.114.96.3 at the network perimeter and update firewall rules to prevent further access. Remain vigilant for follow-on phishing attempts using similar social engineering lures.

## Threat Details
- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence
- Registrar: Cloudflare, Inc.
- IP: 188.114.96.3

## Detection Status
- VirusTotal: 0 vendors flagged
- Google Safe Browsing: FLAGGED
- Blocklists: 0 hits

## Evidence
- Cloudflare Radar: https://radar.cloudflare.com/scan/1f1414f0-8034-4950-817b-49f9db59ad07
- PhishDestroy: https://phishdestroy.io/domain/new-lehjrecomstart.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/new-lehjrecomstart.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/new-lehjrecomstart.pages.dev/
Last updated: 2026-03-22