The variant we discovered was courtesy of a search engine ad, which appears on Google and Bing when you type the ESTA website address into your address bar using http instead of https.
Because you have not typed a valid address (https://esta.cbp.dhs.gov/esta/ works but http://esta.cbp.dhs.gov/esta/ does not), your browser will perform a search, and clearly these scammers have paid for ads using the valid site as the keywords. The first ad took us to a site that could have obtained 4 visas for us, for the princely sum of $236. A fair hike from the $64 quoted on the legitimate ESTA site.
Thankfully, due to the unexpectedly high cost, we decided to look a bit closer. That's when we noticed the subtle difference, and I decided to do a little extra Googling. We quickly discovered plenty of references to these scams and saved ourselves a couple of hundred dollars. There's a few piña coladas in Hawaii.
The legitimate site you're after is https://esta.cbp.dhs.gov/esta