# PhishDestroy threat dossier — enus-exodsu.wixstudio.com
================================================================
Fetched: 2026-05-01 16:42:14 UTC
Canonical: https://phishdestroy.io/domain/enus-exodsu.wixstudio.com/

## VERDICT
----------------------------------------------------------------
TAKEN DOWN (neutralised)
Composite threat score: 67/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 4/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, Cluster25, CRDF, Gridinsoft

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 34.144.206.118 (US, Kansas City)
ASN: AS396982 Google LLC
Hosting org: Google Cloud
Registrar: GoDaddy.com, LLC
Nameservers: ["dns1.p08.nsone.net", "dns2.p08.nsone.net", "dns3.p08.nsone.net", "dns4.p08.nsone.net"]
Registered: 2026-04-26
Page title: 404 Error: Page Not Found | Wix Studio
HTTP response: 404

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / R12
Expires: 2026-06-04
Status: INVALID chain
Fingerprint: 79b690ec6aae60ba0de52d269638de0a570e5a2c2e467d8b649454d39b9edaab
Subject Alternative Names (related infrastructure — often same operator):
- wixstudio.com

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: CLOSED — no report required.
This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-26 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-26 16:50:57 UTC (by PhishDestroy tracker)
Last verified: 2026-04-28 19:40:21 UTC
Neutralised: 2026-04-28 09:15:18 UTC
Current status: taken down (registrar suspended or DNS dead)

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019dca0c-c43b-741e-a516-65d27e8f6627/
Wayback Machine: https://web.archive.org/web/*/enus-exodsu.wixstudio.com
crt.sh CT logs: https://crt.sh/?q=%25.enus-exodsu.wixstudio.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=enus-exodsu.wixstudio.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/enus-exodsu.wixstudio.com
URLhaus: https://urlhaus.abuse.ch/host/enus-exodsu.wixstudio.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-04-26 16:51:44 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

PhishDestroy identifies enus-exodsu.wixstudio.com as a live phishing lure that masquerades as a legitimate login interface to trick users into surrendering sensitive credentials. This generic phishing page, detected under seed 73881c, is currently active and remains undetected by VirusTotal engines, showing 0 out of 95 detections. The domain resolves to the IP address 34.144.206.118, which hosts the landing page served via a Let’s Encrypt SSL certificate, indicating the operators are leveraging free certificates to boost perceived legitimacy and potentially evade inspection. While historical WHOIS records list Wix.com as the hosting platform, there are no confirmed blocklist entries or trust-score penalties at this time, underscoring the value of proactive domain blocking before detection engines catch up.

Domain-specific telemetry confirms the page is operational and designed to harvest usernames and passwords under false pretenses, with no legitimate business purpose apparent from open-source intelligence. The current risk level is rated under_investigation, reflecting ongoing monitoring rather than dismissal; phishing lures frequently migrate across IP blocks and hostnames to avoid takedowns, so the absence of detections cannot be interpreted as safety. Users or organizations encountering this domain on internal logs, proxies, or endpoints should flag it immediately for further sandbox analysis and incident response.

Mitigation against this domain centers on credential-harvesting prevention and reducing exposure to the infrastructure. Disable write access to browser credential stores on managed endpoints, enforce multi-factor authentication on all external portals, and configure email gateways to quarantine messages containing links to the domain. At the network layer, block both the hostname enus-exodsu.wixstudio.com and the resolved IP 34.144.206.118 via DNS sinkholing and firewall rules; rotate any credentials that may have been exposed via this campaign. Lastly, extract indicators from proxy logs for IOC enrichment and share with threat-intelligence platforms to accelerate detection rollout across the community.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: 0f98b704c93538fcb68377c679051b5a
TLS cert SHA-256: 79b690ec6aae60ba0de52d269638de0a570e5a2c2e467d8b649454d39b9edaab

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/enus-exodsu.wixstudio.com/
JSON API: https://api.destroy.tools/v1/check?domain=enus-exodsu.wixstudio.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 131,000+ phishing domains. Confirmed takedowns: 91,000+.
Site: https://phishdestroy.io