https://www.google.com/url?q=https://auth-permit-contract-web3-wallet-connect.emerentias-erben.com&source=gmail&ust=1782911503951000&usg=AOvVaw1kQVihwhxvxkU5tWMuqWYV&gad_source=1&gad_campaignid=23920228285&gbraid=0AAAAADFCH6PGlAPUfZskdMNe6LTwzx16G&gclid=EAIaIQobChMI-_m9jJyvlQMVTyzUAR1wzh1vEAAYASAAEgJ36vD_BwE
142.251.154.119 · Google LLC
Mountain View, United States
10515 days
200 · 41.7s
Valid· WR2, Google Trust Services, US
COMPLETED
Domain Intelligence: google.com
Scanned 5 times since Feb 14, 2026, 10:58 AM UTC
Registered-domain escalation
Submit google.com as the primary IOC, enriched with evidence from hostile subdomains like www.google.com.
No KB/IOK detections were recorded for this scan.
technology | finance | ecommerce | other · 7/19/2026
The page visually imitates Google’s homepage, including the Google logo and search UI, but the final URL and redirect chain point to an off-brand domain lineage (auth-permit-contract-web3-wallet-connect.emerentias-erben.com) that is not Google's official domain. The page content in the screenshot matches Google branding, yet the navigating URL and redirect chain suggest potential impersonation/cloaking. There is evidence of unusual external resource loading and a redirect path that could be used for credential harvesting, but no direct credential form submitted to a Google domain is observed in the static HTML capture. Given the mismatch between branding and domain origin, impersonation is suspected, though conclusive credential capture behavior is not definitively demonstrated in the captured data.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 1
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 55
Hosts: 7
Domains: 3
Suspicious Endpoints
hxxps://www[.]google[.]com/search
The screenshot shows Google branding on a page hosted at a non-Google domain, with redirects through Google URLs to an off-brand domain. This strongly suggests an impersonation attempt or phishing setup designed to harvest credentials or mislead victims. The presence of hidden form inputs and extensive external script loading increases risk, as these patterns are often used in credential-phishing or data-exfiltration setups. Recommend heightened scrutiny and takedown actions as appropriate for impersonation, and consider additional blocking of the off-brand host if abuse is confirmed.
Block URL