# PhishDestroy threat dossier — cancelar-proceso-suspencion-en-cuenta--ultimo-aviso.replit.app
================================================================

Fetched: 2026-06-28 18:34:23 UTC
Canonical: https://phishdestroy.io/domain/cancelar-proceso-suspencion-en-cuenta--ultimo-aviso.replit.app/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Generic Phishing

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 21/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, BitDefender, CRDF, CyRadar, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, Netcraft, OpenPhish, Sophos, Webroot
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 34.117.33.233 (US, Kansas City)
ASN: ASAS396982 GOOGLE-CLOUD-PLATFORM - Google LLC, US
Hosting org: AS396982 Google LLC
Registrar: Nom-IQ Limited dba Com Laude
Nameservers:
- ns-cloud-b1.googledomains.com
- ns-cloud-b2.googledomains.com
- ns-cloud-b3.googledomains.com
- ns-cloud-b4.googledomains.com
Page title: Iniciar
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WR3
Expires: 2026-08-11
Status: INVALID chain
Fingerprint: 1b68168bbc19ac82e040bd079ecd455797ec465689f16867dec29c70402120fd
Subject Alternative Names (related infrastructure — often same operator):
- replit.app

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
First detected: 2026-06-25 02:16:23 UTC (by PhishDestroy tracker)
Last verified: 2026-06-28 20:20:36 UTC
Current status: ACTIVE / observable

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019efc20-b754-77bb-a998-b7f6f0aa863c/
Wayback Machine: https://web.archive.org/web/*/cancelar-proceso-suspencion-en-cuenta--ultimo-aviso.replit.app
crt.sh CT logs: https://crt.sh/?q=%25.cancelar-proceso-suspencion-en-cuenta--ultimo-aviso.replit.app
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=cancelar-proceso-suspencion-en-cuenta--ultimo-aviso.replit.app
AlienVault OTX: https://otx.alienvault.com/indicator/domain/cancelar-proceso-suspencion-en-cuenta--ultimo-aviso.replit.app
URLhaus: https://urlhaus.abuse.ch/host/cancelar-proceso-suspencion-en-cuenta--ultimo-aviso.replit.app/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 03:00:17 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain represents a high-risk generic phishing campaign designed to impersonate account suspension notifications, as indicated by the linguistic structure of its name, which suggests urgency and legitimacy. The URL employs a decoy naming convention typical of credential-harvesting or malware-delivery campaigns, specifically targeting users through false claims of imminent account termination. The use of the term "ultimo-aviso" (final warning) is a common social engineering tactic to pressure victims into immediate action, bypassing rational scrutiny. Given the absence of identifiable brand impersonation, this appears to be a generic phishing lure rather than a targeted brand attack.
Analysis indicates this infrastructure is actively hosting malicious content, with 13 out of 95 security vendors on VirusTotal flagging the domain as malicious or suspicious as of the latest assessment. The domain is registered through a platform associated with application development environments, which may indicate either abuse of legitimate services or the use of a registrant-controlled infrastructure. The resolving IP address, 34.117.33.233, is a Google Cloud Platform (GCP) address, a common hosting provider for both legitimate and malicious services. No additional blocklist data or historical reputation metrics are available in the current dataset, though the low detection ratio (13.68%) suggests either a newly deployed campaign or one utilizing evasion techniques to delay detection. The domain remains active and accessible, indicating ongoing operational status.

Mitigation for this threat requires immediate network-level blocking of the domain and associated IP address to prevent user exposure. Users should be advised to verify any account-related notifications through official channels independent of contact details provided in unsolicited communications. Security teams are recommended to monitor for similar domain patterns, particularly those using urgency-based language and cloud-hosted infrastructure, and to implement DNS sinkholing or web filtering rules targeting newly observed domains with low detection rates. Given the generic nature of the lure, user awareness training emphasizing skepticism toward unsolicited warnings and verification protocols is essential to reduce successful compromise rates.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: b8a0bf372c762e966cc99ede8682bc71
TLS cert SHA-256: 1b68168bbc19ac82e040bd079ecd455797ec465689f16867dec29c70402120fd

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone.
PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/cancelar-proceso-suspencion-en-cuenta--ultimo-aviso.replit.app/
JSON API: https://api.destroy.tools/v1/check?domain=cancelar-proceso-suspencion-en-cuenta--ultimo-aviso.replit.app
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 172,026 domains (13,415 alive under monitoring, 158,116 confirmed takedowns/dead).
Site: https://phishdestroy.io