I Found a Phishing Website

I found a phishing website that was actively stealing people's bank card details — without a single button press.

MVM Next is Hungary's largest energy provider, supplying electricity and gas to millions of households across the country — essentially the equivalent of a national utility giant.

I received an SMS telling me to pay my MVM bill. I've seen these before. Usually I just delete them, but this time I was curious how professional the trap was and how they were trying to deceive people.

SMS from the scammers. ("MVM Next message: Electricity bill overdue. Please pay by March 7 here: [link]. In case of non-payment, the service may be suspended.")

I never click suspicious links from a live environment. I used an isolated, protected setup with no connection to my personal data and a different IP address. This lets me safely look behind the scenes.

The site looked exactly like the real MVM payment interface. Same logo, same colors, and it even had a valid SSL certificate (the padlock icon). This is important to know: the padlock no longer means the site is trustworthy — it only means the connection between you and the scammers is encrypted.

The phishing site's appearance. (A form waiting for bank card details.)

Scammers often churn these sites out on an assembly line, full of mistakes. But look under the hood, and the scary details start to show. In the browser's developer console, I spotted a continuously running script. This code didn't even wait for you to click "Send". The moment you started typing your card number, it was already sending your data to the scammers — character by character, in real time. By the time you changed your mind before hitting the payment button, it was already too late.

There was also a second script running alongside it, filtering visitors by IP address: security researchers or Google's crawlers were immediately redirected to an error page to avoid detection.

Continuously running script.

I didn't click anything. I quickly looked into the technical background and queried the domain and server details. Then I started filing reports — I sent the details to well over half a dozen places: emails to providers, official abuse report forms, and of course MVM's dedicated address. For this I used a Proton email, which contains no personal information whatsoever.

Tip: when reporting abuse, keep in mind that some providers may forward the complaint details (such as the reporter's email address or email headers) to the domain/host operator. If the site is tied to a malicious actor, this could be a risk — so it's worth sending only the suspicious URL and a brief description, or using an alias or temporary email address.

By the next day, the site had ceased to exist.

The site ceased to exist.

I'm writing this because those of us who understand IT have a responsibility to speak up. But you don't need to be a developer to protect yourself.

Here are 3 things anyone can do when they receive a suspicious message:

1. Use AI: If you get a strange SMS or email, paste the text into ChatGPT or Gemini with this prompt: "I received this message. Please analyze what the warning signs are that suggest phishing." AI will break it down for you in seconds if it's a scam.
2. Check the link without clicking it: Copy the link (without opening it) and paste it into virustotal.com. It's a free tool that checks the link against dozens of antivirus and security databases and flags anything malicious.
3. Report it (it's simple): If you use Google Chrome, you can report phishing links in three clicks at safebrowsing.google.com/safebrowsing/report_phish. You can also do the same at Hungary's National Cybersecurity Institute at nki.gov.hu.

If you see something like this: don't just scroll past, and don't just delete it. Act, report it, or at least share the information with the people around you. That's how we pull the ground out from under scammers — faster.