0/100

critical Risk

mypost.wqgakw.cc

https://mypost.wqgakw.cc/au/services

172.67.154.169 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

0 days ⚠

HTTP

200 · 23.9s

SSL

Valid· E8, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Personal, Business, Enterprise & Government solutions - Australia Post"

Save

Registered-domain escalation

Submit wqgakw.cc as the primary IOC, enriched with evidence from hostile subdomains like mypost.wqgakw.cc.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (1)Apr 14, 2026, 03:47 AM UTC

auspost-clone-kit

high

Directives: skipAi, skipUnblocker, skipMobileVariant

Apple

Credential Phishing

ecommerce | government | technology · 4/15/2026

Summary

The page presents Australia Post branding and a navigation layout but is served from a suspicious, newly created domain (wqgakw.cc) under a Cloudflare-backed IP. The page title/labeled content references Australia Post, and assets include Australia Post imagery (e.g., photo-postie-driving--electric-vehicle-on-road.jpg) and fonts, yet the domain is not an official Australia Post domain. Off-domain submission/API endpoints observed (auspost.com.au/search.html) appear to reference legitimate AusPost resources but are shown within a host that is not under auspost.com.au, suggesting impersonation cloning. The combination of a new, off-brand domain, presence of external API calls, and visible Australia Post assets indicate a phishing impersonation attempt rather than a benign first-party page.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Off-domain submission or API endpoints observed: https://auspost.com.au/search.html.

▸Distinctive asset clues: index-b3c2e1c6.js, v8c78df7c7c0f484497ecbca7046644da1771523124516, clientlib.461882ed46c71f5c352893d4ac00f6a7.css, index-045a2098.css, photo-postie-driving-electric-vehicle-on-road.jpg.auspostimage.960_0.medium.jpg, ap-acknowledgement-logos.svg.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 39

Hosts: 3

Domains: 3

Suspicious Endpoints

hxxps://auspost[.]com[.]au/search.html

Off-Domain Posts

hxxps://auspost[.]com[.]au/search.html

Attack Techniques (4)

Brand impersonation via visual cloning (Australia Post branding on a non-official domain).Off-domain resource interaction (assets and links referencing auspost.com.au) to enhance legitimacy while hosted elsewhere.SPA-like behavior with external script references to render branding and UI.Credential collection surface suspected due to login-related UI elements being present in the clone (observed late-render and credential signals though no explicit login form in static HTML).

Indicators of Compromise (6)

▸Page title equals 'Personal, Business, Enterprise & Government solutions - Australia Post' on a domain not owned by Australia Post.

▸Domain age 0 days; new domain: wqgakw.cc.

▸SSL certificate issued by Let's Encrypt to CN wqgakw.cc (off-brand).

▸Off-domain submission/API endpoints observed: https://auspost.com.au/search.html referenced within the page.

▸Assets and imagery associated with Australia Post (photo-postie-driving-electric-vehicle-on-road.jpg.auspostimage.960_0.medium.jpg) loaded from the suspicious host.

▸POST requests to /cdn-cgi/rum and /api with a token parameter indicating potential data exfiltration endpoints.

Risk AssessmentUsed in abuse reports

The site is a newly registered, off-brand domain hosting a page that imitates Australia Post branding and includes references to an official AusPost URL. The combination of impersonated branding, off-domain asset usage, and suspicious endpoints suggests an active attempt to deceive visitors and harvest credentials or other data. Recommend suspending the domain or blocking the URL and flagging for registrar/host review. The page content appears to be a clone designed to look legitimate, supported by the screenshot showing Australia Post visuals on a non-official domain. Monitor for further abuse or credential collection activity.

Recommended Action

Suspend Domain

Cross-Reference8

URL Intelligence