# PhishDestroy threat dossier — purlotor.ca-paylc.vip
================================================================
Fetched: 2026-06-26 03:28:22 UTC
Canonical: https://phishdestroy.io/domain/purlotor.ca-paylc.vip/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 57/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 11/91 security vendors flagged this domain
Flagging vendors: BitDefender, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Lionic, SOCRadar, Sophos, Webroot
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.67.172.223
Registrar: Gname.com Pte. Ltd.
Nameservers: ["dion.ns.cloudflare.com", "laila.ns.cloudflare.com"]
Registered: 2026-06-12

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-12 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-13 00:31:23 UTC (by PhishDestroy tracker)
First reported: 2026-06-15 00:27:29 UTC (abuse notice filed)
Last verified: 2026-06-26 04:20:34 UTC
Neutralised: 2026-06-13 03:15:48 UTC
Current status: taken down (registrar suspended or DNS dead)

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-13 10:02:15 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies purlotor.ca-paylc.vip as a fraudulent payment portal designed to steal financial credentials and sensitive personal information. This domain mimics legitimate payment gateways, tricking users into entering credit card details, login credentials, or other sensitive data under the guise of processing transactions. The site may also prompt users to download malicious attachments or authorize fraudulent transactions, leading to financial loss or identity theft.

Evidence supporting this assessment includes a VirusTotal detection score of 11/95, indicating that no security vendors have flagged the domain at the time of analysis. The domain resolves to the IP address 172.67.172.223, which is associated with cloud-based hosting services often exploited by threat actors to obscure their operations. Additionally, the domain is currently offline, suggesting either takedown efforts or temporary deactivation by the attackers to evade detection. No blocklist records or registrar details were available at the time of this report, but the lack of prior detections does not diminish the risk posed by this site.

Users who visited purlotor.ca-paylc.vip should take immediate action to secure their accounts and devices.
First, disconnect any devices that accessed the site from the internet to prevent further data exfiltration. Next, change passwords for any accounts entered on the site, especially financial or email accounts, and enable multi-factor authentication where available. Monitor bank and credit card statements for unauthorized transactions, and consider placing a fraud alert or credit freeze with major credit bureaus. If any personal or financial information was submitted, report the incident to local authorities and platforms like the Canadian Anti-Fraud Centre or the FTC. Finally, scan devices for malware using reputable security software to ensure no malicious payloads were installed.

[Updates since narrative was generated:]
- Public blocklists: now listed on 1 feed

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged.
A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/purlotor.ca-paylc.vip/
JSON API: https://api.destroy.tools/v1/check?domain=purlotor.ca-paylc.vip
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 170,049 domains (12,246 alive under monitoring, 157,244 confirmed takedowns/dead).
Site: https://phishdestroy.io