# PhishDestroy threat dossier — iforget.ubicacion-cloud.info ================================================================ Fetched: 2026-05-24 08:14:53 UTC Canonical: https://phishdestroy.io/domain/iforget.ubicacion-cloud.info/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: status_split) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 8/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, CRDF, ESET, Fortinet, G-Data, SOCRadar Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 161.97.140.80 (FR, Lauterbourg) ASN: AS51167 Contabo GmbH Hosting org: Contabo GmbH Registrar: NameSilo, LLC !!! REGISTRAR INTEGRITY ALERT — NameSilo !!! NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence. Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received. Primary sources: https://phishdestroy.io/namesilo-killed-our-twitter https://phishdestroy.io/xmrwallet-namesilo-exposed Nameservers: ["ns1.tacomovilserver.us", "ns2.tacomovilserver.us"] Registered: 2026-05-23 Page title: No Internet HTTP response: 530 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Let's Encrypt / R12 Expires: 2026-08-08 Status: INVALID chain Fingerprint: 6ca59b4a808b84545e3c24cf2b47c5b26ef266319b64772f0c0559da11a2f701 Subject Alternative Names (related infrastructure — often same operator): - autodiscover.assist.ubicacion-cloud.info - autodiscover.ubicacion-cloud.info - cpanel.assist.ubicacion-cloud.info - cpanel.ubicacion-cloud.info - cpcalendars.assist.ubicacion-cloud.info - cpcalendars.ubicacion-cloud.info - cpcontacts.assist.ubicacion-cloud.info - cpcontacts.ubicacion-cloud.info - device.ubicacion-cloud.info - webdisk.assist.ubicacion-cloud.info - webdisk.ubicacion-cloud.info - webmail.assist.ubicacion-cloud.info - webmail.ubicacion-cloud.info ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2026-05-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-23 17:24:40 UTC (by PhishDestroy tracker) Last verified: 2026-05-24 03:30:58 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e5538-9ea6-7747-b166-672a52ea6179/ Wayback Machine: https://web.archive.org/web/*/iforget.ubicacion-cloud.info crt.sh CT logs: https://crt.sh/?q=%25.iforget.ubicacion-cloud.info Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=iforget.ubicacion-cloud.info AlienVault OTX: https://otx.alienvault.com/indicator/domain/iforget.ubicacion-cloud.info URLhaus: https://urlhaus.abuse.ch/host/iforget.ubicacion-cloud.info/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-05-23 17:25:26 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] PhishDestroy identifies the active credential theft phishing domain iforget.ubicacion-cloud.info as a significant threat to users seeking to access legitimate cloud services. This domain is currently engaged in phishing operations designed to harvest login credentials, exposing victims to direct account compromise and potential follow-on attacks such as identity theft or corporate data breaches. The risk level for this domain is classified as elevated due to its active status, confirmed malicious indicators, and presence on multiple security blocklists. This domain was flagged by PhishDestroy after analysis revealed multiple indicators of compromise. The domain resolves to IP address 161.97.140.80 and is associated with a Let's Encrypt SSL certificate, which may be used to lend false legitimacy to phishing pages. VirusTotal analysis shows that 8 out of 95 security vendors have flagged this domain as malicious, indicating a high level of suspicion within the threat intelligence community. The domain is currently blocked by OpenPhish, a leading real-time phishing URL blocklist, and appears on one additional security blocklist, further corroborating its malicious nature. The domain is likely recently registered, consistent with the tactics of opportunistic phishing campaigns that leverage newly created domains to evade detection. To mitigate the risk posed by iforget.ubicacion-cloud.info, users and organizations are advised to immediately block the domain at the network and DNS levels using available threat intelligence feeds. Employees should be warned not to interact with this domain or any subdomains under ubicacion-cloud.info. If credentials were entered into a page hosted on this domain, users should immediately change passwords for the affected account and enable multi-factor authentication where available. Security teams should inspect DNS logs and proxy logs for any outbound connections to this IP or domain, and consider blocking the IP address 161.97.140.80 at the firewall level. Users are also encouraged to report this domain through their organization's incident reporting channels and to local CERT teams if personal data was exposed. ## EVIDENCE HASHES ---------------------------------------------------------------- TLS cert SHA-256: 6ca59b4a808b84545e3c24cf2b47c5b26ef266319b64772f0c0559da11a2f701 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (volunteer takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/iforget.ubicacion-cloud.info/ JSON API: https://api.destroy.tools/v1/check?domain=iforget.ubicacion-cloud.info Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 152,979 domains (39,994 alive under monitoring, 112,610 confirmed takedowns/dead). Site: https://phishdestroy.io