Is ce.ec49.fr safe?

hidden instruction

high hidden content ratio detected in DOM

phishing

The page hosted at ce.ec49.fr (a French subdomain) is a pixel-perfect clone of the Google Accounts sign-in page (accounts.google.com). The HTML uses <base href="https://accounts.google.com/v3/signin/"> to make all relative resources appear to load from Google, while the actual page is served from the unrelated domain ce.ec49.fr. The visible text 'Sign in Use your Google Account Email or phone' combined with a fully replicated Google sign-in form UI is a classic credential-harvesting phishing kit. (location: page.html:1 — <base href="https://accounts.google.com/v3/signin/"> and full page structure)

brand impersonation

The page comprehensively impersonates Google's brand: it replicates Google's sign-in UI, loads Google's CSS/JS assets via gstatic.com, uses Google's color scheme (#0b57d0, Google Sans fonts), Google logo assets, and Google footer links (Help, Privacy, Terms). The <base> tag redirect causes all assets to appear to originate from accounts.google.com while the actual serving domain is ce.ec49.fr. (location: page.html:1 — <base href>, CSS references to gstatic.com, Google branding throughout)

credential harvesting

The page renders a fully functional 'Email or phone' input field and 'Next' button mimicking Google sign-in. A PassiveLoginProber mechanism (Db class) polls for APISID cookie and fires XHR to /PassiveLoginProber, which can silently detect and exfiltrate existing Google session cookies. The form submission flow is designed to capture entered credentials on the attacker-controlled domain ce.ec49.fr. (location: page.html:90-92 — Db/Cb functions implementing PassiveLoginProber cookie polling)

malicious redirect

The brin-context reports 3 redirects occurred before landing on this page. The final page uses <base href> to rewrite all navigation to accounts.google.com, meaning any link clicks (e.g., 'Create account', 'Forgot email?', 'Learn more about using Guest mode') redirect to legitimate Google URLs to maintain the illusion of legitimacy while credentials are captured. The 'Create account' link targets sites.google.com/ec49.fr/calepin-du-ce, confirming the attacker controls the ec49.fr domain. (location: page.html:93 — href='/lifecycle/flows/signup?continue=https://sites.google.com/ec49.fr/calepin-du-ce')

hidden content

The brin-context reports a hidden content ratio of 1.00 (maximum), meaning essentially all page content is hidden from plain text extraction. The page renders visually as a Google sign-in page but the actual HTML content is almost entirely CSS-styled/scripted content with no meaningful plain-text body, consistent with a phishing kit designed to evade text-based scanners. (location: .brin-context.md — Hidden content ratio: 1.00)

obfuscated code

The page contains heavily obfuscated JavaScript using control-flow flattening with state machine patterns (while(k!=71) style dispatch loops with numeric state variables), bitwise operations, and single-character variable names throughout. This is beyond standard minification — the code structure (e.g., the L and t functions at page.html:18) uses deliberate obfuscation to obscure the credential-stealing logic and iframe-based bot detection bypass mechanisms. (location: page.html:18 — L=function(x,l,p,A,h,g,y,Y,Z,n,R,k,J,S) with state machine dispatch; t=function with iframe manipulation)

social engineering

The page employs multiple social engineering techniques characteristic of Google phishing: (1) 'Not your computer? Use a private browsing window to sign in' — a trust-building message copied from real Google; (2) 'Learn more about using Guest mode' link to legitimate Google support pages; (3) Google's actual language selector with 70+ languages to appear fully legitimate; (4) TLS DV certificate from Google Trust Services (WR3) that users may associate with Google legitimacy. (location: page.html:93 — 'Not your computer?' section; metadata.json — TLS issuer: Google Trust Services)