# PhishDestroy threat dossier — emmacoichoes.com ================================================================ Fetched: 2026-07-02 22:51:03 UTC Canonical: https://phishdestroy.io/domain/emmacoichoes.com/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 77/100 (PhishDestroy scoring — see methodology below) Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 2/91 security vendors flagged this domain Flagging vendors: Gridinsoft, SOCRadar AlienVault OTX: 1 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 216.150.1.1 (US, Walnut) ASN: ASAS16509 AMAZON-02 - Amazon.com, Inc., US Hosting org: AS16509 Amazon.com, Inc. Registrar: Fewmoretaps OU d/b/a Trustname.com !!! REGISTRAR INTEGRITY ALERT — Trustname / Fewmoretaps OU !!! Trustname (IANA #4318) is a shell company declaring EUR 120 annual revenue, 1 employee, negative equity, Belarusian ownership. Explicitly advertises itself as 'bulletproof' in its DNS TXT records. Primary source: https://phishdestroy.io/trustname-bulletproof-exposed Nameservers: ares.trustname.com, ns1.anycastdns.cz, ns2.anycastdns.cz, zeus.trustname.com Registered: 2026-06-18 Expires: 2027-06-18 Page title: Colchões | Conforto Premium HTTP response: 200 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-06-18 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-06-28 16:17:39 UTC (by PhishDestroy tracker) First reported: 2026-06-28 15:15:25 UTC (abuse notice filed) Last verified: 2026-07-03 00:47:30 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f0e96-553f-734d-ae4e-af30f3c61725/ URLQuery: https://urlquery.net/report/9b252fea-7ab6-44cf-bc51-e84acb7ac196 Wayback Machine: https://web.archive.org/web/*/emmacoichoes.com crt.sh CT logs: https://crt.sh/?q=%25.emmacoichoes.com Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=emmacoichoes.com AlienVault OTX: https://otx.alienvault.com/indicator/domain/emmacoichoes.com URLhaus: https://urlhaus.abuse.ch/host/emmacoichoes.com/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-28 17:35:48 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] The risk level for emmacoichoes.com is elevated, and the specific threat type is credential theft phishing. The domain was created on June 18, 2026, and has been flagged by 1 out of 95 security vendors on VirusTotal. This suggests that while the domain may not have widespread recognition as malicious, it has already been identified by at least one vendor, indicating a potential risk. Infrastructure analysis reveals that emmacoichoes.com is registered through Fewmoretaps OU d/b/a Trustname.com and resolves to the IP address 216.150.1.1. The domain is also listed in one threat intelligence pulse on AlienVault OTX, further supporting its classification as a potential threat. The SSL certificate is issued by Let's Encrypt, a common choice for phishing sites due to its ease of use and legitimacy in appearance. The combination of these indicators, including the low VirusTotal score, the recent creation date, and the presence in blocklists, underscores the need for vigilance and proactive measures. To mitigate the risk of credential theft, organizations should implement multi-factor authentication (MFA) for all critical accounts and services. Employees should be trained to recognize phishing attempts, including suspicious email links and unexpected requests for sensitive information. Additionally, regular updates to security policies and the use of web filters to block known malicious domains can help prevent unauthorized access and data breaches. Network administrators should monitor traffic to and from this domain and consider blacklisting it to prevent any potential data exfiltration or credential harvesting activities. ## EVIDENCE HASHES ---------------------------------------------------------------- PhishDestroy Case ID: PD-20260628-26B077 Favicon MD5: 97c0d0cd4b85290523bfefc99012f044 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/emmacoichoes.com/ JSON API: https://api.destroy.tools/v1/check?domain=emmacoichoes.com Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 174,015 domains (14,079 alive under monitoring, 159,195 confirmed takedowns/dead). Site: https://phishdestroy.io