# PhishDestroy threat dossier — midfloridacu.at ================================================================ Fetched: 2026-07-09 04:15:52 UTC Canonical: https://phishdestroy.io/domain/midfloridacu.at/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_divergence) (score: 4/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 13/91 security vendors flagged this domain Flagging vendors: alphaMountain.ai, BitDefender, CRDF, CyRadar, ESET, Fortinet, G-Data, Google Safebrowsing, LevelBlue, Lionic, SOCRadar, Sophos, Webroot AlienVault OTX: 2 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist Google Safe Browsing: FLAGGED ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 107.189.26.168 (NL, Zaandam) ASN: AS14956 RouterHosting LLC Hosting org: FranTech Solutions Registrar: Hosting concepts B.V. / Registrar.eu ( https://nic.at/registrar/648 ) Nameservers: a.dnspod.com, b.dnspod.com, c.dnspod.com HTTP response: 404 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-09 02:47:36 UTC (by PhishDestroy tracker) Last verified: 2026-07-09 04:25:13 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f4457-7726-75d2-baa0-f9ce2b0d3710/ Wayback Machine: https://web.archive.org/web/*/midfloridacu.at crt.sh CT logs: https://crt.sh/?q=%25.midfloridacu.at Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=midfloridacu.at AlienVault OTX: https://otx.alienvault.com/indicator/domain/midfloridacu.at URLhaus: https://urlhaus.abuse.ch/host/midfloridacu.at/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-09 02:55:33 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, midfloridacu.at, is actively engaged in credential harvesting by impersonating the legitimate online banking portal of MidFlorida Credit Union. Analysis indicates the site is designed to mimic the authentic login interface, tricking users into submitting sensitive financial credentials, including usernames, passwords, and multifactor authentication codes. The threat extends to potential account takeover, unauthorized fund transfers, and identity theft, given the targeted nature of financial phishing campaigns. The domain is classified under the SOCIAL_ENGINEERING category, confirming its intent to deceive users through fraudulent representations of trust. Evidence supporting the malicious classification includes detection by 13 out of 95 security vendors on VirusTotal, with Google Safe Browsing explicitly flagging it for SOCIAL_ENGINEERING. The domain was registered through Hosting Concepts B.V. via Registrar.eu, a provider frequently associated with bulletproof hosting and low-reputation registrations. Infrastructure analysis reveals the domain resolves to the IP address 107.189.26.168, an address previously linked to multiple phishing and malware distribution campaigns. The SSL certificate is issued by Let’s Encrypt, a common tactic to lend superficial legitimacy while avoiding the scrutiny of paid certificates. Additionally, AlienVault OTX records the domain in two distinct threat intelligence pulses, further corroborating its association with malicious activity. Users who have visited midfloridacu.at or entered credentials on the site should immediately take corrective action. First, revoke any active sessions on the legitimate MidFlorida Credit Union platform and change all associated passwords using a secure, non-compromised device. Enable multifactor authentication if not already active, and monitor account statements for unauthorized transactions. If financial data or personal information was submitted, contact the financial institution directly to report potential fraud and request account monitoring. Network administrators should block the domain and its resolving IP (107.189.26.168) at the perimeter to prevent further exposure. Users are advised to verify the legitimacy of any financial login portal by cross-referencing the URL with the official domain provided by the institution and looking for HTTPS indicators with a valid, organization-issued certificate. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: a981dd3d4145c402fd5de579465fa813 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/midfloridacu.at/ JSON API: https://api.destroy.tools/v1/check?domain=midfloridacu.at Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 176,446 domains (40,862 alive under monitoring, 135,561 confirmed takedowns/dead). Site: https://phishdestroy.io