# securebooking.com.ngrok.dev — MALICIOUS

> This Let's Encrypt-backed domain (securebooking.com.ngrok.dev) is a live credential phishing site that already fools 13/95 VirusTotal engines.

## Summary

PhishDestroy identifies securebooking.com.ngrok.dev as an active credential-phishing domain currently hosting a fake booking portal designed to harvest user login details. The page mimics a legitimate travel-booking interface but exfiltrates credentials to a backend controlled by threat actors. No specific brand or drainer kit has been linked publicly yet, but the lure clearly abuses the trusted ngrok.dev subdomain to bypass corporate allow-lists.

Technical indicators place this domain on elevated alert: VirusTotal detections currently stand at 13 out of 95 security vendors, the domain resolves to IPv4 address 3.64.155.7, and it holds a valid Let’s Encrypt SSL certificate. Creation date and registrar details remain obscured by the ngrok.dev privacy proxy, but Google Safe Browsing (GSB) has already flagged the domain. Evidence shows it also appears on at least one public blocklist.

As of the latest scan, securebooking.com.ngrok.dev remains active; hosts continue serving the credential-harvesting page. Immediate mitigation includes blocking the domain at DNS and network layers, revoking any entered credentials, and flagging the ngrok ASN ranges to prevent follow-on abuse. Residual risk remains elevated while the page stays live and the underlying IP retains open egress to C2 endpoints.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 3.64.155.7

## Detection Status

- VirusTotal: 13 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/scan/94b8fa01-497f-4fc5-9eb2-5ceb6507ed7d
- PhishDestroy: https://phishdestroy.io/domain/securebooking.com.ngrok.dev/
- LLM endpoint: https://phishdestroy.io/domain/securebooking.com.ngrok.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/securebooking.com.ngrok.dev/

Last updated: 2026-03-21