# PhishDestroy threat dossier — ecuador360.travel ================================================================ Fetched: 2026-07-18 12:54:30 UTC Canonical: https://phishdestroy.io/domain/ecuador360.travel/ ## VERDICT ---------------------------------------------------------------- CRITICAL THREAT — DO NOT VISIT Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Brand Impersonation Targeted brand: Aave ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 9/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, CRDF, Emsisoft, Fortinet, Gridinsoft, Kaspersky, Netcraft, SOCRadar, Webroot URLQuery: 2 detections AlienVault OTX: 2 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 192.185.188.140 (US, Ashburn) ASN: AS31898 Oracle Corporation Hosting org: Oracle Corporation Registrar: EnCirca, Inc. Nameservers: ns1187.websitewelcome.com, ns1188.websitewelcome.com Registered: 2011-01-05 Expires: 2027-01-04 Page title: Not Acceptable! HTTP response: 406 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R12 Expires: 2026-08-21 Status: INVALID chain Fingerprint: 9f89d3306e3d11e29f46de9f3969189046fa8428ea21e72d1afc6fa6ec74275d ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2011-01-05 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-07-12 13:16:48 UTC (by PhishDestroy tracker) First reported: 2026-07-12 18:24:06 UTC (abuse notice filed) Last verified: 2026-07-18 14:48:00 UTC Current status: ACTIVE / observable ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f560a-dee4-7781-af1d-c5841d01229f/ URLQuery: https://urlquery.net/report/d52c9a2e-2f2e-41e1-8025-8b079c7153cd Wayback Machine: https://web.archive.org/web/*/ecuador360.travel crt.sh CT logs: https://crt.sh/?q=%25.ecuador360.travel Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=ecuador360.travel AlienVault OTX: https://otx.alienvault.com/indicator/domain/ecuador360.travel URLhaus: https://urlhaus.abuse.ch/host/ecuador360.travel/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-12 17:19:28 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] ecuador360.travel Safety Check — Aave Brand Impersonation This domain is flagged as a high‑risk brand‑impersonation site targeting Aave. The domain ecuador360.travel is actively registered and resolves to the IP address 192.185.188.140, which is geolocated to the United States and associated with Oracle Corporation infrastructure. The site presents an HTTP 406 response, indicating that the server is refusing content negotiation, a behavior sometimes observed in phishing infrastructure that aims to impede automated analysis. The registration record shows the domain was created on January 5 2011 and is managed through EnCirca, Inc. The authoritative name servers are ns1187.websitewelcome.com and ns1188.websitewelcome.com, both typical of shared‑hosting environments. The web service runs Apache HTTP Server and serves a Let’s Encrypt R12 TLS certificate, confirming that the site is reachable over HTTPS and is using a publicly trusted certificate authority. Threat intelligence sources add weight to the suspicion: AlienVault OTX has referenced the domain in two separate pulses, and it appears on one public security blocklist. PhishDestroy has already blocked the domain, and VirusTotal reports that nine out of ninety‑five scanning engines have flagged the domain as malicious. These indicators collectively suggest that the domain is being leveraged for credential‑harvesting or related fraudulent activity aimed at Aave users. Defenders should prioritize immediate containment by adding ecuador360.travel to network and endpoint blocklists, and by configuring DNS sinks or redirects to prevent user access. Continuous monitoring of the associated IP address and the hosting name servers is advised, as threat actors may shift payloads or create additional impersonation pages under the same infrastructure. Incident response teams should also watch for any email or web traffic that references Aave branding and the domain, and consider gathering forensic artifacts from any compromised user sessions for deeper analysis. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260712-C6EA88 Favicon MD5: 034024182d985cdf87685750ceae9695 TLS cert SHA-256: 9f89d3306e3d11e29f46de9f3969189046fa8428ea21e72d1afc6fa6ec74275d ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/ecuador360.travel/ JSON API: https://api.destroy.tools/v1/check?domain=ecuador360.travel Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 179,950 domains (51,348 alive under monitoring, 128,602 confirmed takedowns/dead). Site: https://phishdestroy.io