Banco Ripley (Chile) phishing page detected

A phishing campaign targeting Banco Ripley in Chile uses smishing and email, directing users to a cloned website that mimics the official login portal to steal RUT numbers, passwords, and dynamic tokens. This Man-in-the-Middle (MitM) attack specifically aims to bypass security measures by harvesting real-time OTP codes to facilitate unauthorized transactions.

Threat Intel: This spoofed page was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the hostile origin link has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Figure 1: Actual screenshot of the live scam infrastructure captured during routine moderation.

A Banco Ripley (Chile) phishing campaign targets users via smishing and email, directing them to a cloned website to steal credentials, Tax IDs (RUT), and real-time security codes. Attackers use urgent, fraudulent “security update” alerts to hijack Multipass/Soft Token codes to authorize illicit transfers, utilizing lookalike domains like bancoripley-cl-seguridad.com.
Protect Yourself: Access Banco Ripley only via the official app or website, never click links in unexpected messages, and remember that banks never ask for full security codes to log in or update profiles.

Figure 2: Actual screenshot of the live scam infrastructure captured during routine moderation.

The Banco Ripley case exemplifies a real-time proxy attack designed to bypass Multi-Factor Authentication (MFA) by hijacking dynamic tokens (MultiPass/Soft Token) in real time. Victims are tricked into providing authorization codes on a fake site, allowing attackers to immediately take over accounts or register new devices. Protect yourself by recognizing that banks never request these codes to “update data,” and always verify the URL strictly matches the bank’s domain.

Fake Snapchat password reset page in Arabic detected

A phishing campaign targeting Arabic-speaking Snapchat users in the MENA region uses fake password reset pages to steal credentials and bypass two-factor authentication (2FA). Attackers utilize high-fidelity clones of the Snapchat login portal and real-time credential relay tactics to hijack user sessions and private data.

Security Notice: This spoofed page was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figure 1: Live screenshot of the ongoing fraudulent campaign captured during routine moderation.

This case highlights a Real-Time Proxy Attack targeting Snapchat, where attackers use fake Arabic-language “Security Breach” notices to intercept user credentials and live 2FA codes, allowing immediate account takeover. The key security tip is the “Initiator” Rule: never enter a 2FA code on a page reached via a link; only provide codes on sites you accessed by manually typing the official URL.

Comcast Xfinity phishing page detected

A phishing campaign targeting Comcast Xfinity customers uses deceptive emails claiming billing failures to harvest login credentials, credit card details, and Social Security numbers. The attack leverages fraudulent links and high-fidelity clones of the official login page to steal comprehensive personal and financial data.

Incident Report: This scam layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the phishing source domain has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figure 1: Visual proof of the ongoing fraudulent campaign isolated on our infrastructure.

This phishing method uses urgent, fake security alerts via email or SMS to trick users into visiting fraudulent websites, aiming to steal credentials and 2FA codes. Attackers frequently impersonate official services, creating a false sense of security risk to bypass critical thinking and harvest sensitive information. To avoid this scam, verify all requests directly through official apps or websites, and never click on unsolicited links.

Fake Saudi Post page in Arabic revealed

A phishing campaign targeting residents in Saudi Arabia impersonates Saudi Post (SPL) via SMS to steal personal information and credit card data through a fake “address correction” page. The attack uses realistic clones of the official SPL portal to harvest credentials and intercept one-time passwords (OTPs) for fraudulent transactions.

Threat Intel: This spoofed page was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the phishing source domain has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Actual screenshot of "Fake Saudi Post page in Arabic revealed" phishing interface captured during link moderation on our platform.

These phishing cases highlight attackers’ use of urgent, fake alerts to steal credentials and financial data through fabricated “password reset,” billing, and parcel delivery scenarios. Key protections include ignoring unexpected links, verifying URLs against official domains, and using app-based 2FA to prevent account takeovers.

Figure 1: Actual screenshot of the live scam infrastructure intercepted by our security systems.

Recent phishing campaigns are exploiting trusted brands through urgent, fake security or billing notifications designed to harvest account credentials and financial data. Attackers are using real-time interception of 2FA codes and small, fake “delivery fees” to bypass security and steal sensitive personal information, including SSNs and CVVs. Always verify alerts directly through official apps rather than links in SMS or email messages.

Fake Emirates Post pages detected

Threat Intel: This scam layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Figure 1: Actual screenshot of the live scam infrastructure isolated on our infrastructure.

Threat Analysis: Emirates Post Phishing – Small Fee & Card Harvesting

How it works:
The victim receives an SMS, email, or messaging app alert claiming a package requires a small delivery fee or customs payment. The link leads to this page, which mimics the Emirates Post payment interface. The victim is asked to provide:

  • Cardholder name
  • Full card number
  • Expiration date (MM/YY)
  • CVV security code

Logos for Verified by Visa, MasterCard SecureCode, and PayPal are displayed to create a false sense of security. A small amount (AED 12.15) is shown to make the payment seem trivial.

The goal:
The attacker captures complete credit/debit card information (number, expiry, CVV) along with the cardholder’s name to make fraudulent purchases or sell the data.

Red flags to watch for:

  • Suspicious URL: The page is hosted on kaeru.happyspotclub.org, not emiratespost.com or any official Emirates Post domain.
  • Request for CVV: A legitimate postal service never asks for your card security code to collect a delivery fee.
  • Small fee trick: AED 12.15 is a trivial amount intended to lower suspicion.
  • No tracking or package reference: The victim cannot verify the supposed shipment.
  • Copied payment logos: The Visa, MasterCard, and PayPal badges are used to appear legitimate but do not guarantee safety.

What to do if you encounter this:

  • Do not enter any card or personal information.
  • If you are expecting a delivery, track it directly by typing emiratespost.com into your browser.
  • If you have already entered card details, contact your bank immediately to block the card.
  • Report the phishing page to Emirates Post Group and to the relevant authorities.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are handled in person, through the official app, or after logging into your account.
  • Check the URL carefully: Official Emirates Post domains end with emiratespost.com. Look for misspellings, extra words, or unusual top‑level domains.
  • Enable transaction alerts on your bank account.

Fake Carrefour page revealed

This phishing campaign against Carrefour uses a “reward survey” scheme to steal credit card data and register victims for hidden subscriptions, often promoted via social media. The multi-stage attack involves fake surveys and “lucky” games, designed to trick users into paying a small shipping fee, which is actually a pretext to capture sensitive banking information.

Incident Report: This malicious interface was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the phishing source domain has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Figure 1: Visual proof of the active phishing operation isolated on our infrastructure.

Screenshot 1 (Landing Page): Uses legitimate branding and fake social proof (comments) to establish credibility.

Figure 2: Visual proof of the active phishing operation isolated on our infrastructure.

Screenshot 2 (Survey): Simple questions are used to boost engagement and reduce suspicion.

Figure 3: Visual proof of the active phishing operation isolated on our infrastructure.

Screenshot 3 (Prize Game): A rigged box-opening game creates a false sense of winning to entice further action.

Figure 4: Visual proof of the active phishing operation isolated on our infrastructure.

Screenshot 4 (Payment Form): Steals full credit card details (Number, Expiry, CVV) for fraudulent charges and subscriptions.

Protection Measures:

  • Verify the Domain: Official promotions only occur on the retailer’s official website.
  • Too Good to Be True: Large prizes for simple surveys are guaranteed scams.
  • Never Pay for Prizes: Legitimate companies do not charge fees to receive gifts.
  • Monitor Accounts: Check bank statements for fraudulent charges or unexpected subscriptions.

Microsoft phishing page in Spanish detected

Analysis Memo: This spoofed page was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the phishing source domain has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Figure 1: Verified screenshot of the ongoing fraudulent campaign captured during routine moderation.

This screenshot shows a Spanish‑language phishing page designed to steal email credentials (the “correo electrónico” and “contraseña” fields, i.e. email address and password). The page is minimal and generic, making it adaptable to impersonate various services (Microsoft, Google, a bank, or an email provider).

Threat Analysis: Generic “Inicio de seguridad” Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or message claiming a security alert, account suspension, or the need to verify their information. The link leads to this page, which asks for:

  • Email address
  • Password

The “Siguiente” (Next) button suggests a multi‑step flow, where the victim would be taken to another fake page (e.g., for two‑factor authentication or additional personal data).

The goal:
The attacker steals the victim’s email credentials to:

  • Access the email account (search for sensitive information, reset passwords for other services)
  • Send further phishing messages to the victim’s contacts
  • Use the credentials to compromise other accounts where the same password is reused

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain like sc-445678-sss.c1.biz, which is not an official domain for any legitimate service (e.g., google.com, microsoft.com, outlook.com).
  • Generic design: The page has no logo, no company branding, and no personalized elements – a strong indicator of a broad phishing campaign.
  • “Inicio de seguridad” pretext: This vague “security start” phrase is meant to create a false sense of urgency but lacks the professionalism of a real security alert.
  • Unsolicited login request: No legitimate service sends links requiring users to log in to resolve “security” issues.

What to do if you encounter this:

  • Do not enter your email or password.
  • If you have already entered credentials, change your password immediately for that email account and for any other accounts using the same password. Enable two‑factor authentication (2FA) on your email account.
  • Always access your email or online services by typing the official URL directly into your browser.

Protective measures:

  • Never click links in unsolicited messages claiming security issues.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your email and other critical accounts.
  • Check the URL carefully: Look for misspellings, extra words, or unusual top‑level domains.

IAA phishing page detected (Online car marketplace)

This screenshot shows a phishing page impersonating IAA (Insurance Auto Auctions), a legitimate online vehicle auction platform. The page is designed to steal victims’ login credentials (email and password) used to access their IAA accounts.

Analysis Memo: This deceptive layout was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the hostile origin link has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Figure 1: Verified screenshot of the active phishing operation intercepted by our security systems.

Threat Analysis: IAA Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or message claiming an issue with their IAA account (e.g., a bid alert, payment problem, or account suspension). The link leads to this fake login page. The victim enters their email and password and clicks “Log In.” The credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal IAA account credentials to:

  • Access the victim’s auction account
  • View bidding history, payment information, and personal data
  • Place fraudulent bids or transfer vehicles
  • Use the same email/password combination to compromise other accounts (if the victim reuses credentials)

Red flags to watch for:

  • Suspicious URL: The page is hosted on videooprema.in.rs/iaai.com/ – this is not the official IAA domain. Legitimate IAA login pages are on iaai.com or regional subdomains (e.g., buy.iaai.com).
  • Generic design: The page is minimal and lacks the full branding, security notices, and personalized elements found on the real IAA login page.
  • No multi‑factor authentication prompt: IAA supports MFA; a genuine login page may prompt for a second factor after credentials – this page does not.
  • Unsolicited login request: IAA does not send links requiring users to log in to resolve account issues.

What to do if you encounter this:

  • Do not enter your email or password.
  • If you are an IAA customer, always access the site by typing iaai.com directly into your browser.
  • If you have already entered your credentials, change your IAA password immediately. If you use the same password elsewhere, change those accounts as well. Enable two‑factor authentication on your IAA account if available.
  • Report the phishing page to IAA’s security team.

Protective measures:

  • Bookmark the official IAA login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate domains.
  • Enable two‑factor authentication on your IAA account and email.
  • Be suspicious of any unsolicited message that asks you to log in.

DHL phishing page revealed

This screenshot shows a phishing page impersonating DHL, targeting users with a fake package delivery notification. The scam demands a small payment (1.99) to complete delivery and collects full card details, cardholder name, and an ID number (likely a national ID or passport).

Threat Intel: This deceptive layout was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the dangerous destination URL has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Figure 1: Actual screenshot of the live scam infrastructure intercepted by our security systems.

Threat Analysis: DHL Phishing – Fake “Delivery Confirmation” & Card Harvesting

How it works:
The victim receives an SMS or email claiming a package is in transit and requires a small payment to complete delivery. The link leads to this page, which mimics the DHL tracking interface. It displays:

  • A fake tracking code
  • A fake status (“in delivering”)
  • A message urging payment within a limited time (14 days)

The victim is asked to provide:

  • Cardholder name
  • ID number (national identification)
  • Full credit card number
  • Expiration date (MM/YY)
  • CVV (CVC)

The goal:
The attacker captures:

  • Full credit/debit card details (number, expiry, CVV)
  • Cardholder name and ID number – which can be used for identity theft or to answer security questions

The small payment request (1.99) exists only to lower suspicion; the card data entered to “pay” it is the actual target.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not dhl.com or an official DHL domain.
  • Request for CVV and ID number: DHL never asks for your card security code or national ID to confirm a delivery.
  • Small fee trick: 1.99 is a trivial amount meant to make the payment seem insignificant.
  • Fake tracking code: The tracking code cannot be verified on the real DHL website.
  • Poor English / formatting: The page contains grammatical inconsistencies that would not appear on an official DHL page.

What to do if you encounter this:

  • Do not enter any personal, ID, or card information.
  • If you are expecting a DHL shipment, track it directly by typing dhl.com into your browser.
  • If you have already entered card details, contact your bank immediately to block the card.
  • Report the phishing page to DHL’s fraud team.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are handled in person or through the official site after logging in.
  • Check the URL carefully: Official DHL domains end with dhl.com or country-specific variants like dhl.de.
  • Enable transaction alerts on your bank account.

Twitter fake login page detected

This screenshot shows a phishing page impersonating Twitter (now X), designed to steal login credentials (email/phone/username and password). The page is hosted on a suspicious domain unrelated to Twitter.

Threat Intel: This malicious interface was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the phishing source domain has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Figure 1: Actual screenshot of the active phishing operation intercepted by our security systems.

Threat Analysis: Twitter Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or direct message claiming a security alert, account suspension, or unusual login activity. The link leads to this fake Twitter login page. The victim enters their phone, email, or username and password, then clicks “Login.” The credentials are captured and sent to the attacker.

The goal:
The attacker steals Twitter account credentials to:

  • Access private messages and personal information
  • Post spam or malicious links from a trusted account
  • Spread the phishing attack to the victim’s followers
  • Use the same email/password combination to compromise other accounts (if credentials are reused)

Red flags to watch for:

  • Suspicious URL: The page is hosted on obgyn.click, not twitter.com or x.com. Legitimate Twitter login pages are only on official domains.
  • Generic design: The page mimics Twitter’s interface but lacks the full security indicators (e.g., proper SSL certificate, official footer links).
  • Unsolicited login request: Twitter does not send links requiring users to log in to resolve account issues.
  • No two‑factor authentication prompt: A real login page may ask for a second factor after credentials; this page does not.

What to do if you encounter this:

  • Do not enter your login credentials.
  • If you have already entered them, change your Twitter password immediately and enable two‑factor authentication (2FA). Also change any other accounts that use the same password.
  • Always access Twitter by typing twitter.com or x.com directly into your browser.

Protective measures:

  • Bookmark the official Twitter login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Twitter account (using an authenticator app or security key, not SMS).
  • Be suspicious of any unsolicited message that asks you to log in.
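The “check the URL carefully” red flags repeated in the Emirates Post, Microsoft, IAA, DHL and Twitter sections above (brand name stuffed into a path or subdomain, unfamiliar registrable domain, official domain belonging to a different brand) can be turned into a mechanical check. The following is an added example, not Antiphishing.biz code: it takes a link from a suspicious message, optionally the brand the message claims to be from, and answers whether the host is one of that brand’s official registrable domains. The allowlist is built only from the official domains the reports above name (Banco Ripley’s official domain is not named on this page, so its entry is an empty placeholder), the multi-label suffix set is a toy subset of the Public Suffix List, and the keyword heuristic is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Toy subset of the Public Suffix List (constructed for this example). Production
# code should use the full list, e.g. via the tldextract package, so that
# "videooprema.in.rs" is treated as a registrable domain and not "in.rs".
MULTI_LABEL_SUFFIXES = {"in.rs", "co.uk", "com.au", "com.br", "co.jp"}

# Official registrable domains per brand, taken from the domains the reports
# above name as legitimate. Banco Ripley's official domain is not named on the
# page, so its set is a placeholder to be filled in before real use.
BRANDS = {
    "Emirates Post": {"official": {"emiratespost.com"}, "keywords": ["emiratespost", "emirates-post"]},
    "DHL": {"official": {"dhl.com", "dhl.de"}, "keywords": ["dhl"]},
    "IAA": {"official": {"iaai.com"}, "keywords": ["iaai"]},
    "Twitter/X": {"official": {"twitter.com", "x.com"}, "keywords": ["twitter"]},
    "Microsoft": {"official": {"microsoft.com", "outlook.com"}, "keywords": ["microsoft", "outlook"]},
    "Banco Ripley": {"official": set(), "keywords": ["bancoripley", "ripley"]},  # placeholder allowlist
}


@dataclass
class Verdict:
    host: str
    registrable: str
    status: str            # "official", "lookalike", "mismatch" or "unknown"
    brand: Optional[str]
    reason: str


def registrable_domain(host: str) -> str:
    """Return the registrable domain: last two labels, or three when the last two are a public suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _parse_host(url: str):
    """Lower-cased hostname and path; bare hosts without a scheme are accepted too."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    return host, parts.path.lower()


def check_url(url: str, claimed_brand: Optional[str] = None) -> Verdict:
    """Judge a link against the official-domain allowlist; claimed_brand is the brand the message pretends to be."""
    host, path = _parse_host(url)
    if not host or "." not in host:
        return Verdict(host, "", "unknown", claimed_brand, "no usable hostname")
    reg = registrable_domain(host)

    # 1. The registrable domain is an official domain of some brand. Subdomains
    #    such as buy.iaai.com pass; a brand-name label in front of another
    #    registrable domain does not.
    for name, info in BRANDS.items():
        if reg in info["official"]:
            if claimed_brand and claimed_brand != name:
                return Verdict(host, reg, "mismatch", name,
                               f"{reg} is an official {name} domain, but the message claimed {claimed_brand}")
            return Verdict(host, reg, "official", name, f"{reg} is an official {name} domain")

    # 2. Not official: does the host or the path borrow a brand name
    #    (e.g. a brand-named directory under an unrelated host)?
    for name, info in BRANDS.items():
        for kw in info["keywords"]:
            where = "host" if kw in host else "path" if kw in path else None
            if where:
                return Verdict(host, reg, "lookalike", name,
                               f"'{kw}' appears in the {where} but {reg} is not an official {name} domain")

    # 3. No brand name anywhere: only the message's own claim can be checked.
    if claimed_brand:
        return Verdict(host, reg, "lookalike", claimed_brand,
                       f"message claims {claimed_brand}, but {reg} is not one of its official domains")
    return Verdict(host, reg, "unknown", None, f"{reg} references no known brand")


if __name__ == "__main__":
    # Hosts and paths are the ones the reports above describe.
    for link, claim in [("https://buy.iaai.com/login", None),
                        ("http://videooprema.in.rs/iaai.com/", None),
                        ("https://kaeru.happyspotclub.org/pay", "Emirates Post"),
                        ("obgyn.click", "Twitter/X")]:
        v = check_url(link, claim)
        print(f"{v.status:9} {v.host:28} {v.reason}")
```

The ordering matters: a host is judged by its registrable domain first, so the brand-keyword heuristic never overrides a genuine subdomain, and a clone hosted on a host with no brand reference at all (as in the Emirates Post case) is still caught once the user supplies the brand the message claimed.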