# PhishDestroy threat dossier — mast103.com
================================================================
Fetched: 2026-05-07 06:06:49 UTC
Canonical: https://phishdestroy.io/domain/mast103.com/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)
Scam classification: Impersonation
Targeted brand: Microsoft
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: redirect_split) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 0/91 security vendors flagged this domain
URLQuery: 2 detections

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.96.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: NameSilo, LLC

!!! REGISTRAR INTEGRITY ALERT — NameSilo !!!
NameSilo is a registrar documented by PhishDestroy as (1) publicly lying about received abuse reports, (2) shielding a $20M+ Monero-theft operation (xmrwallet.com) for 10 continuous years, and (3) retaliating against PhishDestroy by getting our X/Twitter account @Phish_Destroy banned after we published the evidence. Researchers/victims must ALWAYS CC compliance@icann.org on every abuse ticket — NameSilo has a track record of later claiming reports were never received.
Primary sources:
  https://phishdestroy.io/namesilo-killed-our-twitter
  https://phishdestroy.io/xmrwallet-namesilo-exposed

Nameservers: elly.ns.cloudflare.com, logan.ns.cloudflare.com
Registered: 2013-10-07
HTTP response: 200

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Google Trust Services / WE1
Expires: 2026-07-30
Status: INVALID chain
Fingerprint: e94dcd74a1ef100c56270bf452c6aaf77cbedbbc8242ace86e073e39d6a07927

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2013-10-07 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-05-01 15:34:46 UTC (by PhishDestroy tracker)
First reported: 2026-05-01 12:37:15 UTC (abuse notice filed)
Last verified: 2026-05-05 07:19:22 UTC
Neutralised: 2026-05-01 20:02:25 UTC
Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io: https://urlscan.io/result/019de388-0838-750a-a4c7-5b3bec03c6e1/
URLQuery: https://urlquery.net/report/4d8ab287-c116-4da2-b3bb-6feea5c355b6
Wayback Machine: https://web.archive.org/web/*/mast103.com
crt.sh CT logs: https://crt.sh/?q=%25.mast103.com
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=mast103.com
AlienVault OTX: https://otx.alienvault.com/indicator/domain/mast103.com
URLhaus: https://urlhaus.abuse.ch/host/mast103.com/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-05-01 15:35:47 UTC — narrative may predate facts above.
Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

mast103.com has been identified as a phishing domain designed to mimic Microsoft Account login pages to steal user credentials. PhishDestroy identifies this domain as a Microsoft Account phishing scam based on its active status and zero detections across 95 VirusTotal scanning engines as of the latest analysis. Technical indicators reveal the domain was registered through NameSilo, LLC on October 07, 2013, and currently resolves to IP address 188.114.96.3. The presence of a Google Trust Services SSL certificate adds superficial legitimacy, which threat actors commonly exploit to deceive visitors. Given that the domain's age contradicts its recent malicious activity, users should exercise heightened caution when encountering similar login prompts.

The combination of an aged domain, low detection rate, and hosting infrastructure linked to known malicious activity raises significant concerns about its use in credential harvesting campaigns. PhishDestroy's investigation highlights how threat actors leverage legitimate domain registration services and trusted SSL providers to obfuscate phishing operations. While the immediate risk remains unquantified, the lack of antivirus coverage suggests this campaign remains in early stages of deployment.

If you visited mast103.com or entered any credentials, immediately change passwords for all Microsoft accounts and enable multi-factor authentication. Scan your device with updated antivirus software and monitor accounts for unauthorized access. Report the domain to your organization's security team or through PhishDestroy's portal to contribute to collective threat intelligence. Exercise extreme caution with unsolicited login prompts and verify sender addresses before interacting with any emails claiming to be from Microsoft.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID: PD-20260501-49BD56
Favicon MD5: ea0687e654f6b1a1090c0421a9a4305e
TLS cert SHA-256: e94dcd74a1ef100c56270bf452c6aaf77cbedbbc8242ace86e073e39d6a07927

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/mast103.com/
JSON API: https://api.destroy.tools/v1/check?domain=mast103.com
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 146,667 domains (58,438 alive under monitoring, 87,955 confirmed takedowns/dead).
Site: https://phishdestroy.io