# PhishDestroy threat dossier — roanalacerda.com.br ================================================================ Fetched: 2026-07-09 16:33:14 UTC Canonical: https://phishdestroy.io/domain/roanalacerda.com.br/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Credential Phishing Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: status_split) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 6/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, Cluster25, Fortinet, Gridinsoft, MalwareURL, SOCRadar AlienVault OTX: 1 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 162.241.63.71 (BR, Vinhedo) ASN: AS31898 Oracle Corporation Hosting org: Unified Layer Registrar: NEWFOLD Nameservers: ns1102.hostgator.com.br, ns1103.hostgator.com.br Registered: 2022-03-30 Expires: 2027-03-30 Page title: Not Acceptable! ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR2 Expires: 2026-09-02 Status: INVALID chain Fingerprint: f747e5b0f9ba61dcb5c74e49bb46de30aac95a149ce4bf446aaeb1176388745e ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2022-03-30 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-08 14:02:38 UTC (by PhishDestroy tracker) Last verified: 2026-07-09 16:20:37 UTC Neutralised: 2026-07-09 12:39:58 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4199-f626-76da-bea6-1ecd5f5e7868/ URLQuery: https://urlquery.net/report/8055fe51-bdca-4aac-9524-84a6fddb03b2 Wayback Machine: https://web.archive.org/web/*/roanalacerda.com.br crt.sh CT logs: https://crt.sh/?q=%25.roanalacerda.com.br Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=roanalacerda.com.br AlienVault OTX: https://otx.alienvault.com/indicator/domain/roanalacerda.com.br URLhaus: https://urlhaus.abuse.ch/host/roanalacerda.com.br/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-08 14:05:06 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, roanalacerda.com.br, is actively hosting a fake login portal designed to harvest user credentials. Analysis indicates the site mimics legitimate authentication pages, prompting visitors to enter sensitive information such as usernames, passwords, and potentially multi-factor authentication codes. The objective is to capture and exfiltrate credentials for unauthorized access to personal accounts, financial services, or corporate systems. The risk is elevated due to the domain’s persistent activity and the use of a valid SSL certificate, which may deceive users into believing the site is trustworthy. Infrastructure analysis reveals the domain was registered on March 30, 2022, through the registrar NEWFOLD, a provider commonly associated with both legitimate and malicious registrations. It currently resolves to the IP address 162.241.63.71, which has been linked to other suspicious domains in recent months. The domain’s SSL certificate, issued by Let’s Encrypt, further legitimizes its appearance in browser address bars. As of the latest scan, 6 out of 95 security vendors on VirusTotal flag roanalacerda.com.br as malicious, with detections classified under generic phishing and credential theft categories. The low but consistent detection rate suggests the campaign remains active while evading broader automated detection. Users who have visited roanalacerda.com.br or entered credentials on the site should take immediate action to mitigate risk. First, change passwords for any accounts accessed or entered on the site, prioritizing email, financial, and work-related services. Enable multi-factor authentication where available, using app-based or hardware tokens rather than SMS. Monitor accounts for unauthorized activity, such as logins from unfamiliar locations or devices. If corporate credentials were exposed, notify the organization’s security team to initiate incident response protocols. Finally, consider scanning the device used to access the site for malware, as phishing pages may deploy additional payloads or redirect to exploit kits. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 73d9fc0752f2e21c80d010a62daaafe6 TLS cert SHA-256: f747e5b0f9ba61dcb5c74e49bb46de30aac95a149ce4bf446aaeb1176388745e ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/roanalacerda.com.br/ JSON API: https://api.destroy.tools/v1/check?domain=roanalacerda.com.br Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 176,538 domains (24,426 alive under monitoring, 152,084 confirmed takedowns/dead). Site: https://phishdestroy.io