Prof Paradox
Cyber Threat Investigation Report: Fake Government Portal dlimss.com.pk

Cyber Threat Investigation Report

Fake Government Portal: dlimss.com.pk
Impersonating: Punjab Government's DLIMS (dlims.punjab.gov.pk)

Investigated by: Muhammad Usman
Date: March 27, 2026
Type: Passive OSINT

Executive Summary

A malicious website operating at dlimss.com.pk has been discovered impersonating the official Punjab Government Driving License Information Management System (DLIMS), hosted at dlims.punjab.gov.pk.

The fake site was registered on January 29, 2026 — notably after TechJuice's December 2025 exposé of similar DLIMS clones — indicating the threat actors actively evaded previous takedowns by registering fresh domains. The site collects CNICs, license numbers, full names, gender, and age from unsuspecting Pakistani citizens under the guise of license verification and e-license generation.


1. Domain & Infrastructure Analysis

1.1 WHOIS Comparison: Fake vs Real

| Property | REAL — dlims.punjab.gov.pk | FAKE — dlimss.com.pk |
| --- | --- | --- |
| Domain | dlims.punjab.gov.pk | dlimss.com.pk (extra 's' — typosquatting) |
| TLD | .gov.pk (Government only) | .com.pk — Anyone can register |
| Registered | Long-established (2000s) | January 29, 2026 (2 months old!) |
| Expiry | Government-managed | January 29, 2028 |
| Registrar | PKNIC / Punjab IT Board | PKNIC (anonymous registrant) |
| Name Servers | Punjab Gov infrastructure | damian.ns.cloudflare.com / hadlee.ns.cloudflare.com |
| IP Addresses | Dedicated Gov IPs | 172.67.128.214 / 104.21.2.63 (Cloudflare proxy) |
| Hosting | Punjab Gov data center | Cloudflare (anonymous, cheap hosting) |
| Branding | DLIMS + Dastak logos | Copies DLIMS + Dastak logos (UI cloned) |

1.2 nslookup Results (Attacker's Infrastructure)

Running nslookup dlimss.com.pk returns:

  • IP 1: 172.67.128.214 — Cloudflare Anycast IP (IPv4)
  • IP 2: 104.21.2.63 — Cloudflare Anycast IP (IPv4)
  • IP 3: 2606:4700:3032::6815:023f — Cloudflare IPv6
  • IP 4: 2606:4700:3036::ac43:80d6 — Cloudflare IPv6

Cloudflare is being used as a reverse proxy — this hides the true origin server IP, making attribution much harder. This is a deliberate operational security (OPSEC) choice by the threat actors. Legitimate .gov.pk government portals do NOT use Cloudflare.
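The check described above, as an added example that is not part of the original report: it parses nslookup-style output and reports which answer addresses fall inside Cloudflare edge ranges. The sample output is constructed around the addresses listed in section 1.2, the resolver name and address are placeholders, and the range list is a subset of Cloudflare's published ranges (assumption: refresh it from cloudflare.com/ips before relying on it).

```python
import ipaddress

# Subset of Cloudflare's published edge ranges (assumption: not exhaustive).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "173.245.48.0/20", "2606:4700::/32", "2400:cb00::/32",
)]

# Constructed sample shaped like nslookup output; answer addresses are the
# ones listed in the report, the resolver lines are placeholders.
SAMPLE = """\
Server:  resolver.example
Address:  192.0.2.53

Non-authoritative answer:
Name:    dlimss.com.pk
Addresses:  2606:4700:3032::6815:023f
          2606:4700:3036::ac43:80d6
          172.67.128.214
          104.21.2.63
"""


def answer_addresses(nslookup_text):
    """Return IPs from the answer section, skipping the resolver's own address."""
    _, _, answer = nslookup_text.partition("Name:")
    addrs = []
    for token in answer.split():
        try:
            addrs.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # hostnames and labels such as "Addresses:"
    return addrs


def classify_answers(nslookup_text):
    """Map each answer IP to the Cloudflare range containing it, if any."""
    result = {}
    for ip in answer_addresses(nslookup_text):
        net = next((n for n in CLOUDFLARE_NETS
                    if n.version == ip.version and ip in n), None)
        result[str(ip)] = f"cloudflare-edge ({net})" if net else "not-in-listed-ranges"
    return result


if __name__ == "__main__":
    for ip, verdict in classify_answers(SAMPLE).items():
        print(f"{ip:28} {verdict}")
```

Edge addresses are shared by many unrelated Cloudflare customers, so they are poor blocklist indicators; the hostname is the indicator to report and block.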

1.3 Timeline: Why January 2026 Registration is Critical

| Date | Event |
| --- | --- |
| Dec 2025 | TechJuice publishes major exposé of fake DLIMS clones on TikTok (Netlify-hosted) |
| Dec 2025 | FIA and NCCIA warn public about DLIMS phishing sites |
| Jan 29, 2026 | dlimss.com.pk is registered — NEW site launched after crackdown |
| Jan 30–31, 2026 | Site populates with content (license track, e-license, apply pages) |
| Mar 2026 | Site still LIVE and actively collecting user data |

This timeline confirms these are not naive amateurs — the operators are aware of takedowns and proactively register new infrastructure. dlimss.com.pk is a 2nd-generation clone.


2. Attack Methodology

2.1 Data Harvesting Forms Identified

| Page / URL | Data Collected | Stated Purpose |
| --- | --- | --- |
| /verify-license | CNIC (13-digit), License Number | "Verify your license" |
| /license-track | CNIC (13-digit) | "Track your application" |
| /e-license | CNIC, License Number | "Generate e-license" |
| /apply | Full Name, CNIC, Gender, Age, Captcha | "Apply for license" |
| /learner-license | Full Name, CNIC, Gender, Age, Captcha | "Apply for learner permit" |
| /renew | Full Name, CNIC, Gender, Age, Captcha | "Renew your license" |

2.2 The "Verification Result" Trick

When ANY CNIC is entered on the verification page, the site always returns:

"Your information is available in the government database. To view official details, please continue to the official portal."

This is a static, hardcoded response. It does NOT actually query any government database. Every single CNIC — even fake/random ones — returns the same positive result.

The 4-Step Attack Chain:

  1. Step 1: Make the user feel their CNIC has been 'verified', building false trust
  2. Step 2: Convince them to proceed further and enter more sensitive data
  3. Step 3: Log/harvest the CNIC entered in the backend database
  4. Step 4: Monetize collected CNIC data by selling it

2.3 SEO Poisoning (How Victims Find This Site)

The site is aggressively optimized for Google search results using exact government keywords. Searches for "DLIMS Punjab license check", "DLIMS e-license", or "driving license CNIC check Pakistan" can return dlimss.com.pk near the top — above legitimate awareness articles.

  • Tactic 1: Site content uses exact official language: "Powered by Dastak"
  • Tactic 2: Pages target keywords: dlims.com.pk, dlims punjab, driving license check cnic 2026
  • Tactic 3: Content is dated January–February 2026, crawled quickly by Google
  • Ecosystem: Similar sites (dlims.com.pk, dlims.org, dlims.net) also exist — a whole ecosystem of fakes

3. Broader Fake DLIMS Ecosystem

| Domain | Status | Notes |
| --- | --- | --- |
| dlims.punjab.gov.pk | ✅ OFFICIAL | Only legitimate DLIMS portal |
| dlimss.com.pk | ❌ FAKE (This Report) | Registered Jan 2026, actively harvesting CNICs |
| dlims.com.pk | ⚠️ SUSPICIOUS | Claims to be "Pakistan's most trusted" — not .gov.pk |
| dlims.net | ⚠️ SUSPICIOUS | Another unofficial DLIMS clone |
| dlimspunjab.pk | ⚠️ UNVERIFIED | Not on official .gov.pk, unofficial copy |
| Netlify-hosted clones | ❌ FAKE (Dec 2025) | Exposed by TechJuice — anonymous, no-code hosted |
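A triage pass over the hostnames in this table, as an added example that is not part of the original report: it separates the one official host from brand lookalikes using an exact-match check, the .gov.pk suffix, and edit distance to the label "dlims". The verdict names and the one-edit threshold are assumptions, and the hostnames marked as constructed are illustrative edge cases.

```python
OFFICIAL_HOST = "dlims.punjab.gov.pk"   # official portal named in the report
BRAND = "dlims"
GOV_SUFFIX = ".gov.pk"


def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return 'official', 'gov-unverified', 'lookalike' or 'unrelated'."""
    host = host.strip().lower().rstrip(".")
    if host == OFFICIAL_HOST:
        return "official"
    # Brand-like: some label contains the brand or is one edit away from it.
    brand_like = any(BRAND in label or edit_distance(label, BRAND) <= 1
                     for label in host.split("."))
    if not brand_like:
        return "unrelated"
    # Under .gov.pk but not the known host: needs manual confirmation.
    if host.endswith(GOV_SUFFIX):
        return "gov-unverified"
    return "lookalike"


# Hostnames named in the report, plus constructed edge cases (marked).
CANDIDATES = [
    "dlims.punjab.gov.pk", "dlimss.com.pk", "dlims.com.pk", "dlims.net",
    "dlims.org", "dlimspunjab.pk",
    "dlim5.com.pk",                      # constructed: one-character substitution
    "dlims.punjab.gov.pk.example.com",   # constructed: official name used as a prefix
    "example.com.pk",                    # constructed: unrelated
]


def triage(hosts=CANDIDATES):
    return {h: classify_host(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{verdict:15} {host}")
```

A "lookalike" verdict is a prompt for manual review (WHOIS age, content, certificate history), not proof that a site is malicious.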

4. Risk Assessment

| Risk | Severity | How CNIC Data Enables It |
| --- | --- | --- |
| SIM Fraud | 🔴 CRITICAL | CNIC used to register unauthorized SIMs, enables OTP interception |
| Identity Theft | 🔴 CRITICAL | CNIC + name used to take loans, open accounts fraudulently |
| Bank Account Takeover | 🔴 CRITICAL | SIM fraud leads to 2FA bypass on banking apps |
| Phishing / Vishing | 🟠 HIGH | Caller uses victim's CNIC details to appear legitimate |
| Data Resale | 🟠 HIGH | CNIC databases sold on dark web / Russian forums |
| Credential Stuffing | 🟠 HIGH | CNIC used as username on IRIS, NADRA, banking portals |
| Legal Impersonation | 🟠 HIGH | Criminal activities committed in victim's name |

5.1 For Authorities — Report To

| Authority | Contact |
| --- | --- |
| FIA Cyber Crime Wing (NCCIA) | complaint.nccia.gov.pk; Helpline: 1799 |
| PTA | complaint.pta.gov.pk; Helpline: 0800-55055 |
| PITB | info@pitb.gov.pk (responsible for DLIMS oversight) |
| PKNIC | pknic.net.pk — request domain suspension |
| Cloudflare | abuse.cloudflare.com — report phishing site |
| Google | safebrowsing.google.com/safebrowsing/report_phish — delist from search |

5.2 For Citizens Who Entered Their CNIC

  1. Send your CNIC number to 668 immediately — check for unauthorized SIM registrations
  2. If unauthorized SIMs found, visit operator franchise with original CNIC for biometric disowning
  3. Monitor your bank accounts and JazzCash/EasyPaisa for suspicious activity
  4. Consider blocking your CNIC temporarily via NADRA if identity theft is suspected
  5. Report to NCCIA or FIA Cyber Crime: complaint.fia.gov.pk or complaint.nccia.gov.pk or call 1799

5.3 How to Verify the Real DLIMS

  • Official Portal: https://dlims.punjab.gov.pk — ONLY trust .gov.pk domains
  • Official Mobile Apps: Punjab Police app, Rasta app, Dastak app
  • Payment Warning: Government portals NEVER ask for payments to JazzCash personal accounts
  • Tech Warning: Government portals do NOT use Cloudflare or register on .com.pk domains

Annexures

Annexure A — nslookup Output

Terminal output showing nslookup results for dlimss.com.pk, revealing Cloudflare IPs (172.67.128.214 / 104.21.2.63) instead of dedicated government infrastructure.

Annexure B — WHOIS Registration Data

WHOIS query output confirming dlimss.com.pk was registered on January 29, 2026 via PKNIC, with Cloudflare nameservers, no registrant identity disclosed.

Annexure C — crt.sh Certificate Transparency Logs

Certificate Transparency logs from crt.sh showing SSL certificate issuance history for dlimss.com.pk, confirming recent domain activity.

Annexure D — Fake Website Homepage

dlimss.com.pk homepage cloning official DLIMS branding, Dastak logo, and Punjab Government visuals to deceive users.

Annexure E — Fake Website Homepage (Additional View)

Secondary view of dlimss.com.pk showing service menu — license apply, renew, verify, e-license — all data harvesting forms.

Annexure F — Fake License Application & Popup

Demonstration using fake/test data on dlimss.com.pk showing the hardcoded "Your information is available in the government database" popup, triggered regardless of input validity.

Annexure G — Official Punjab Government DLIMS Portal

Official portal dlims.punjab.gov.pk shown for comparison — hosted on .gov.pk domain, no Cloudflare proxy, legitimate government infrastructure.

Disclaimer: This investigation was conducted using passive OSINT techniques only. No unauthorized access was performed. All findings are based on publicly available information. Report prepared for responsible disclosure and public awareness purposes.