# PhishDestroy threat dossier — aktiffkan-paylaterz.jqxc.my.id ================================================================ Fetched: 2026-07-16 08:46:42 UTC Canonical: https://phishdestroy.io/domain/aktiffkan-paylaterz.jqxc.my.id/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Credential Phishing ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 13/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, CRDF, CyRadar, Fortinet, G-Data, Kaspersky, LevelBlue, Lionic, OpenPhish, SOCRadar, Sophos, Webroot URLQuery: -1 detections Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 104.21.45.185 (CA, Toronto) ASN: AS13335 Cloudflare, Inc. Hosting org: Cloudflare, Inc. Registrar: REGISTRAR_NOT_FOUND Nameservers: NS_NOT_FOUND Page title: Costumer Care HTTP response: 502 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YE1 Expires: 2026-09-07 Status: INVALID chain Fingerprint: dd8dfc7e4a2bcf83324ffc6e6dbba4c2a1f9587e303b01b0fd5685d2fea40dce Subject Alternative Names (related infrastructure — often same operator): - jqxc.my.id ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-05 02:20:27 UTC (by PhishDestroy tracker) Last verified: 2026-07-16 08:20:41 UTC Neutralised: 2026-07-06 00:02:02 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f2fa5-0bec-72df-b9d7-9eb1d2dc7f94/ Wayback Machine: https://web.archive.org/web/*/aktiffkan-paylaterz.jqxc.my.id crt.sh CT logs: https://crt.sh/?q=%25.aktiffkan-paylaterz.jqxc.my.id Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=aktiffkan-paylaterz.jqxc.my.id AlienVault OTX: https://otx.alienvault.com/indicator/domain/aktiffkan-paylaterz.jqxc.my.id URLhaus: https://urlhaus.abuse.ch/host/aktiffkan-paylaterz.jqxc.my.id/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-05 02:55:20 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, aktiffkan-paylaterz.jqxc.my.id, is flagged as a high-risk credential theft operation designed to harvest user account credentials through fraudulent customer support pages. Analysis indicates the site impersonates legitimate service portals, leveraging social engineering tactics to deceive victims into submitting sensitive login details. The page title, 'Costumer Care,' further supports the assessment of credential theft as the primary threat type, rather than generic phishing or financial fraud. Infrastructure analysis reveals the following technical indicators: the domain is detected by 13 out of 95 security vendors on VirusTotal, resolving to the IP address 104.21.45.185. The site employs multiple front-end technologies, including Bootstrap, Slick, jsDelivr, jQuery, cdnjs, and Cloudflare services (Browser Insights and standard CDN). The SSL certificate is issued by Let's Encrypt, a common choice for both legitimate and malicious sites. No registrar or creation date details were provided in the initial data, but the domain remains active and unblocked by most security platforms, suggesting limited widespread detection at this stage. To mitigate risks associated with credential theft, organizations and individuals should implement the following measures: block the domain aktiffkan-paylaterz.jqxc.my.id and its resolving IP 104.21.45.185 at the network perimeter. Deploy endpoint protection rules to flag or quarantine any connections to this infrastructure. Educate users on recognizing fraudulent support pages, particularly those with misspelled titles (e.g., 'Costumer' instead of 'Customer') or suspicious subdomains. Monitor for unauthorized access attempts following potential credential exposure. If credentials were entered on this site, immediate password resets and multi-factor authentication enforcement are critical to prevent account compromise. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 2979b60c38fa37d693fe472a449a7860 TLS cert SHA-256: dd8dfc7e4a2bcf83324ffc6e6dbba4c2a1f9587e303b01b0fd5685d2fea40dce ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/aktiffkan-paylaterz.jqxc.my.id/ JSON API: https://api.destroy.tools/v1/check?domain=aktiffkan-paylaterz.jqxc.my.id Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 179,271 domains (50,785 alive under monitoring, 128,486 confirmed takedowns/dead). Site: https://phishdestroy.io