# PhishDestroy threat dossier — americanmovingco.org ================================================================ Fetched: 2026-07-13 04:40:00 UTC Canonical: https://phishdestroy.io/domain/americanmovingco.org/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Credential Phishing Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 14/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, LevelBlue, Netcraft, SOCRadar, Webroot AlienVault OTX: 2 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 192.185.31.183 (US, Ashburn) ASN: AS31898 Oracle Corporation Hosting org: Oracle Corporation Registrar: NAMECHEAP INC Nameservers: ns293.websitewelcome.com, ns294.websitewelcome.com Registered: 2026-03-02 Expires: 2027-03-02 Page title: Not Acceptable! HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / YR2 Expires: 2026-10-02 Status: INVALID chain Fingerprint: 8eee813f159c46fc7c39d89b7851830dc4e74d5374b600b43bef74afb2b2e1f2 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-03-02 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-07 14:22:15 UTC (by PhishDestroy tracker) Last verified: 2026-07-13 04:20:41 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f3c86-3b5f-74e3-96c5-e0d8d49702de/ URLQuery: https://urlquery.net/report/841fe090-6790-46c3-b2af-0a67dfe69648 Wayback Machine: https://web.archive.org/web/*/americanmovingco.org crt.sh CT logs: https://crt.sh/?q=%25.americanmovingco.org Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=americanmovingco.org AlienVault OTX: https://otx.alienvault.com/indicator/domain/americanmovingco.org URLhaus: https://urlhaus.abuse.ch/host/americanmovingco.org/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-07 14:24:56 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is flagged for elevated-risk credential harvesting phishing activity targeting individuals seeking relocation services. Analysis indicates americanmovingco.org is designed to impersonate legitimate moving companies, tricking users into submitting sensitive login credentials, financial details, or personal information through fraudulent web forms. Infrastructure analysis reveals multiple high-confidence threat indicators. The domain was registered on March 02, 2026, through NAMECHEAP INC, a registrar frequently associated with malicious registrations. It resolves to the IP address 192.185.31.183, which has been linked to prior phishing campaigns. Security vendors on VirusTotal flag the domain at a 9/95 detection rate, indicating near-universal consensus on its malicious nature. The domain appears on one security blocklist, and its SSL certificate, issued by Let's Encrypt, is commonly exploited by threat actors to lend false legitimacy to phishing sites. The creation date, well in advance of typical legitimate business registrations, further suggests premeditated malicious intent. To mitigate risks associated with credential harvesting phishing, organizations and individuals should immediately block access to americanmovingco.org at the network level. Security teams should deploy indicators of compromise (IOCs) including the domain, IP 192.185.31.183, and associated SSL certificate thumbprints into endpoint detection and response (EDR) systems. Users who may have interacted with the domain should reset credentials for any accounts accessed during the exposure window, particularly if reused across platforms. Multi-factor authentication (MFA) should be enforced for all critical accounts to reduce the impact of stolen credentials. Network monitoring should be heightened for traffic patterns matching this domain or its resolved IP to detect potential lateral movement or data exfiltration attempts. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 3c1378d54608925fe1dff523c02e4f7a TLS cert SHA-256: 8eee813f159c46fc7c39d89b7851830dc4e74d5374b600b43bef74afb2b2e1f2 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/americanmovingco.org/ JSON API: https://api.destroy.tools/v1/check?domain=americanmovingco.org Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 178,009 domains (49,743 alive under monitoring, 128,266 confirmed takedowns/dead). Site: https://phishdestroy.io