https://auth-permit-contract-web3-wallet-connect.emerentias-erben.com/
104.21.57.78 · Cloudflare, Inc.
Toronto, Canada
589 days
200 · 20.2s
Valid· WE1, Google Trust Services, US
COMPLETED
Registered-domain escalation
Submit emerentias-erben.com as the primary IOC, enriched with evidence from hostile subdomains like auth-permit-contract-web3-wallet-connect.emerentias-erben.com.
No KB/IOK detections were recorded for this scan.
technology · 7/19/2026
The page presents Google branding (title GOOGLE, Google logo in page visuals) on a non-official domain (auth-permit-contract-web3-wallet-connect.emerentias-erben.com) and redirects to www.google.com. DNS/WHOIS shows a domain age of ~589 days, but the SSL certificate is issued to emerentias-erben.com, not Google. The final URL resolves to google.com, yet the host and visible branding on the page indicate impersonation of Google. The page also contains hidden form inputs and a high number of external scripts, with multiple Google-origin endpoints observed in network traces, which is characteristic of credential-harvesting impersonation attempts delivered via a spoofed login surface or data capture UI loaded through a compromised or malicious host.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 1
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 48
Hosts: 7
Domains: 3
Suspicious Endpoints
hxxps://www[.]google[.]com/search
The evidence strongly suggests impersonation of Google on a non-official domain, with a final redirect to Google. The page title and branding mimic Google, which is a classic phishing tactic to harvest credentials or redirects, even though the final destination is legitimate. The presence of hidden inputs and numerous external scripts increases the risk of credential capture or data exfiltration. Given these signals, this is actionable abuse: phishing/impersonation attempting to harvest user data through a counterfeit Google surface hosted on a separate domain.
Monitor