Product · Protectiv Team

Introducing the eGovPH Phishing Tracker

Today we're publishing the eGovPH Phishing Tracker. It's a free, public list of domains we've confirmed are impersonating eGovPH, drawn directly from the monitoring pipeline we've been running against Philippine phishing campaigns.

Why we're publishing this

Impersonation of Philippine government identity services is one of the most effective attacks being run against Filipino users right now, and PhilSys and eGovPH are among the most abused brands in the space. In our own case work the pattern is consistent: a convincing government pretext, a live conversation that keeps the victim under pressure, and a lookalike domain sitting in the middle of the chain to give the whole setup enough legitimacy that the victim doesn't back out.

We've been sitting on this data internally for a while. The longer we looked at it, the clearer it was that the single most useful thing we could hand to the public was the list of domains itself: early, verified, and free to check.

What we're seeing

These aren't drive-by phishing campaigns where a victim randomly taps a suspicious link. They're carefully walked attacks, and in our own case work they tend to play out in four stages.

  1. The approach. The attacker contacts the victim claiming to represent PhilSys and cites something about the victim's national ID as the reason. The pretext is built to sound administrative and unignorable: a problem with the registration, a verification that has to be completed, a step needed to claim or activate something. The specifics shift, the framing does not.
  2. The call. The conversation is moved to a live channel as quickly as possible, usually a phone call or a scheduled video meeting. This is the step that does the real work. Once the victim is on a call with someone who sounds official and patient, the attacker can steer every subsequent action in real time and keep social pressure applied while they do it.
  3. The walked install. On the call, the attacker directs the victim to one of the impersonator domains we track and talks them through downloading and installing an Android app hosted on it. The script is tuned to every security prompt the OS will raise: why Google Play Protect needs to be turned off for this "official" app, why installing from outside the Play Store is expected in this case, why the permissions being requested are normal. Users who would never disable these protections on their own do it because someone on the phone framed each step as a necessary part of a legitimate process.
  4. The aftermath. Once the app is on the device, the compromise is total. Funds move out of bank and e-wallet accounts. Loans are taken out in the victim's name on consumer lending platforms. By the time the victim understands what has happened, the attacker has been operating from inside the device for hours and the downstream financial damage has already been booked.

The role of the domain in all of this is specific. It exists so that a cautious victim who decides to "check the site first" during the call finds something that looks official enough to continue. Flagging that domain early, in a place the victim or a family member can verify against, breaks the chain before the install happens. That is what this tracker is for.

What's on the tracker

  • Recently observed impersonator domains, most recent first.
  • A detail page for each domain with the context we've gathered on it.
  • The full list of every domain we've confirmed, alongside stats and an infrastructure breakdown (hosting, registrar, TLD, shared infrastructure) on the tracker page itself.

Every domain on the list has been independently verified by us as impersonating eGovPH. Nothing lands on the public list on suspicion alone.

Detected, not reported

The tracker is not crowd-sourced and we are not accepting public submissions. The list is the output of an automated monitoring pipeline we run around the clock, continuously scanning the internet for newly appearing domains built to look like eGovPH.

When a threat actor stands up a new lookalike, our pipeline picks it up and scores the hostname against a set of impersonation signals: character-swap and typosquat patterns, eGov-themed subdomains, suspicious registrars and ASNs, and operator fingerprints we've seen in prior campaigns. The strongest matches are queued for deeper inspection: we fetch the site, render it, and fingerprint its behaviour to rule out unrelated collisions. Only after that does a domain land on the public list.
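To make the scoring stage concrete, here is a small lookalike-hostname scorer written for this post as an added illustration. It is not Protectiv's pipeline and none of its lists are observed data: the brand tokens come from the post, but the weights, the suspicious TLD/registrar/ASN sets, the allowlisted "legitimate" host and every sample hostname (all under reserved or `.example` names) are constructed for the example. It also splits the registrable label naively rather than with a public suffix list. What it shows is the shape of the first stage: fold character swaps, look for a brand token in the registrable label or a subdomain, measure edit distance for typosquats, add pretext vocabulary and infrastructure fingerprints, and queue the strongest matches for the render-and-fingerprint step that the post describes as the real gate.

```python
# Added example: toy impersonation scorer for lookalike hostnames.
# Not Protectiv's code; every list below is constructed for illustration.
from dataclasses import dataclass
from typing import Optional

BRAND_TOKENS = ("egovph", "egov", "philsys")  # brands the post names as abused
THEME_WORDS = ("verify", "activate", "claim", "registration",
               "update", "secure", "login", "nationalid")
# The next four sets are constructed for this example, not observed data.
SUSPICIOUS_TLDS = {"xyz", "top", "site", "online", "icu"}
SUSPICIOUS_REGISTRARS = {"cheap-registrar-example"}   # hypothetical operator fingerprint
SUSPICIOUS_ASNS = {64512}                             # private-use ASN standing in for a real one
ALLOWLIST = {"egov.legit.example"}                    # hypothetical legitimate host
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))
SINGLE_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize(label: str) -> str:
    """Fold common character-swap tricks (eg0v -> egov, rn -> m) back to plain letters."""
    label = label.lower()
    for seq, rep in MULTI_CONFUSABLES:
        label = label.replace(seq, rep)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches typosquats that contain no brand token at all."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    host: str
    score: int          # 0..100, higher means a stronger impersonation signal
    signals: list


def score_host(host: str, registrar: Optional[str] = None, asn: Optional[int] = None) -> Verdict:
    """Score one hostname against the signal categories the post describes."""
    host = host.lower().strip(".")
    if host in ALLOWLIST:
        return Verdict(host, 0, ["allowlisted"])
    labels = host.split(".")
    tld = labels[-1]
    registrable = labels[-2] if len(labels) >= 2 else labels[0]  # naive: no public suffix list
    subdomains = "".join(labels[:-2])
    score, signals = 0, []

    # 1. Brand token inside the registrable label, after folding confusables and hyphens.
    norm = normalize(registrable)
    stripped = norm.replace("-", "")
    hit = next((t for t in BRAND_TOKENS if t in stripped), None)
    if hit:
        score += 40
        signals.append(f"brand token '{hit}' in registrable label")
    else:
        # 2. Typosquat: no token present, but the label is within two edits of one.
        dist = min(levenshtein(stripped, t) for t in BRAND_TOKENS)
        if dist <= 2:
            score += 30
            signals.append(f"typosquat within {dist} edits of a brand token")
    if norm != registrable:
        score += 15
        signals.append("confusable characters substituted")

    # 3. Brand token pushed into a subdomain of an unrelated registrable domain.
    if any(t in subdomains for t in BRAND_TOKENS):
        score += 25
        signals.append("brand token in subdomain")

    # 4. Pretext vocabulary matching the lure described in the post.
    flat = host.replace("-", "")
    themes = [w for w in THEME_WORDS if w in flat]
    if themes:
        score += 10 * min(len(themes), 2)
        signals.append(f"pretext words {themes}")

    # 5. Infrastructure fingerprints: TLD, registrar, ASN.
    if tld in SUSPICIOUS_TLDS:
        score += 10
        signals.append(f"suspicious TLD .{tld}")
    if registrar and registrar.lower() in SUSPICIOUS_REGISTRARS:
        score += 10
        signals.append("registrar seen in prior campaigns")
    if asn in SUSPICIOUS_ASNS:
        score += 10
        signals.append(f"ASN {asn} seen in prior campaigns")
    return Verdict(host, min(score, 100), signals)


def triage(hosts, threshold: int = 50):
    """Hosts at or above the threshold, strongest first: the queue for deeper inspection."""
    verdicts = [score_host(h) for h in hosts]
    return sorted((v for v in verdicts if v.score >= threshold), key=lambda v: -v.score)


if __name__ == "__main__":
    # Constructed sample feed; these names are reserved or invented and do not resolve.
    feed = ["egov.legit.example", "egovph-verify.example", "eg0v-ph.xyz",
            "philsys.claim-now.example", "egvoph.top"]
    for v in triage(feed):
        print(v.score, v.host, v.signals)
```

A score here is only a queueing signal, which is the point the post makes: a hostname that looks like `egovph-verify` or `eg0v-ph` is worth fetching and rendering, but nothing is published on name shape alone, and the allowlist keeps the genuine service from ever being queued. The render-and-fingerprint stage is deliberately not modelled.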

The practical effect is that most entries reach the tracker within minutes of the attacker flipping the site on, often before the first victim is sent the link.

Who we built this for

  • Citizens who've just been contacted by someone claiming to represent PhilSys or eGovPH and want to verify the domain they're being pointed to before anything else happens on the call.
  • Journalists investigating an active scam and looking for corroborating evidence.
  • Registrars and hosting providers triaging abuse reports against a domain on their platform.
  • Law enforcement and government CERTs trying to see the shape of an active campaign.

How to use it

Open egov-tracker.protectiv.ph and scan the list for the domain you've been pointed to. Click any row to open its detail page. If the domain is on the list, end the call and do not download or install anything the caller sent. If you've already installed an app from one of these sites, treat the device as fully compromised: put it into airplane mode, contact your bank and every lending or e-wallet app tied to the device to freeze activity and flag unauthorised transactions, and factory reset the device before signing back into anything sensitive.

Where this fits for us

Protectiv is a Philippine cybersecurity company. Our job is to protect Filipino families and businesses from online threats, and we don't think that job ends at our paying customers. Impersonation of a service millions of Filipinos rely on is a public problem, and this tracker is one of the more useful things we can put on the public internet about it.

It's a sibling to OSINT.ph, our investigation query engine for law enforcement. OSINT.ph is for the people working cases; the tracker is for everyone else, the people trying not to become one.

Press and partner enquiries: hello@protectiv.ph.