# PhishDestroy threat dossier — phila.revenue-dc.cc ================================================================ Fetched: 2026-07-14 14:55:55 UTC Canonical: https://phishdestroy.io/domain/phila.revenue-dc.cc/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Credential Phishing ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 17/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, LevelBlue, Lionic, SOCRadar, Sophos, VIPRE, Webroot Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- Registered: 2026-06-12 HTTP response: 502 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-12 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-13 00:31:00 UTC (by PhishDestroy tracker) First reported: 2026-06-15 00:27:29 UTC (abuse notice filed) Last verified: 2026-07-14 16:20:45 UTC Neutralised: 2026-06-13 09:01:38 UTC Current status: taken down (registrar suspended or DNS dead) ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-25 21:47:16 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, phila.revenue-dc.cc, is assessed as an elevated-risk credential harvesting phishing site targeting municipal revenue systems. Analysis indicates the infrastructure is designed to mimic legitimate Philadelphia or District of Columbia tax portals, tricking users into submitting sensitive login credentials, payment details, or personally identifiable information (PII). The specific threat type—generic_phishing with a focus on local government impersonation—poses significant risks to both individual taxpayers and institutional data integrity, particularly if credentials are reused across platforms. Infrastructure analysis reveals multiple high-confidence indicators of malicious activity. The domain was registered on June 12, 2026, an unusually future-dated creation timestamp that may indicate automated or bulk registration tactics. VirusTotal detection rates show 17 out of 95 security engines flagging the domain as malicious, with heuristic and signature-based detections pointing to phishing templates. The domain appears on at least one security blocklist, and its current offline status suggests either takedown action or temporary deactivation to evade detection. No associated IP addresses or hosting providers are currently linked in public threat feeds, though historical DNS records may reveal transient infrastructure used during active campaigns. Mitigation requires a multi-layered approach tailored to credential harvesting threats. Network-level protections should include immediate blacklisting of the domain across all security gateways, firewalls, and DNS resolvers, with retrospective log analysis to identify any prior connections. Endpoint detection should prioritize behavioral rules for browser-based credential submission to untrusted domains, particularly those mimicking government URLs. User awareness programs must emphasize verification of URL structures—such as checking for legitimate top-level domains (.gov, .us) and HTTPS certificates issued to official entities—before entering credentials. Organizations handling municipal data should enforce multi-factor authentication (MFA) and monitor for anomalous login attempts from new geolocations or devices, as compromised credentials from this campaign may be used in subsequent lateral movement attacks. ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/phila.revenue-dc.cc/ JSON API: https://api.destroy.tools/v1/check?domain=phila.revenue-dc.cc Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,567 domains (50,206 alive under monitoring, 128,361 confirmed takedowns/dead). Site: https://phishdestroy.io