The full anatomy of a phishing site,
one URL at a time.
ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.
Phishing detected
| URL | hxxps://www[.]feiraoaberto[.]sbs/inicio/index[.]html | |
| Host | www[.]feiraoaberto[.]sbs | |
| Registered domain | feiraoaberto[.]sbs | |
| Screenshot | https://cdn.zerophish.ai/600f9ead-1a84-4058-a0a6-deb5d07c4d5f.jpg | |
| Scan ID | 45647776-57a3-44cd-810b-b81c167c036b |
No brand impersonation signals available.
| Host | www.feiraoaberto.sbs |
| Registered domain | feiraoaberto.sbs |
| Scheme | https |
| Content length | 42960 B |
| HTTP | 200 · text/html |
| JARM | 0d30d30d30d30d3012012012012012befdd953ee9da060fd2ba1ff92bead2a |
| Redirect hops | 1 |
The page presents itself as a Brazilian “Programa Social” called “Libera Brasil,” claiming users can “regularize” outstanding debts for “menos de R$70.” It shows only a single CTA button labeled “VERIFICAR” and does not include any visible login, password, or payment/credential fields in the provided HTML.
Suspicious elements: the domain is a newly styled TLD (“.sbs”) and the URL path uses generic structure (e.g., /inicio/index.html) with no evidence of an official regulator/bank/brand domain. The messaging is a typical social-engineering lure using affordability/urgency framing (“less than R$70,” “independent of the total debt”), but there is no credential-collection form or explicit fake security warning in the supplied content.
Because there is no direct credential harvesting element shown and no identifiable impersonated brand, evidence is insufficient for a high-confidence phishing verdict; however, the non-mainstream domain and debt-regularization lure make it suspicious.
The domain www.feiraoaberto.sbs (IP: 104.131.39.184) hosts a multi-stage phishing operation impersonating a Brazilian government debt-relief program called “Libera Brasil — Programa Social.” The landing page at /inicio/index.html lures victims with a “VERIFICAR” (Verify) button that leads to /login/index.html, which collects CPF (Brazilian tax ID) numbers. The operation uses sophisticated tracking infrastructure: UTMify (tracking.utmify.com.br) for lead tracking with IP geolocation via ipify.org, and two Facebook Meta pixels (2205178190310661, 2196195541126469). Phishing assets are hosted on i.postimg.cc. The .sbs TLD, lack of .gov.br domain, broken accessibility (no proper links for Terms/Privacy), and out-of-place corporate text (“soluções para sua empresa”) all confirm this is not a legitimate government service. Credential exfil backend destination was not confirmed as submission was avoided per passive probing constraints.