Victim receives outreach (SMS, DM, email) with a link to this attacker-controlled page. The visible story is a resale marketplace payout; the embedded iframe is real Connect (signup + KYC). Live campaigns have impersonated household marketplace brands — this mock uses a fictional name only.
Referrer: This page uses referrerpolicy="no-referrer" on the iframe (and
<meta name="referrer" content="no-referrer">), so the
initial document request to Connect should omit the parent page URL. Fetches inside Connect still
send Connect as Referer (same as a normal top-level visit).