# PhishDestroy threat dossier — neobali.online
================================================================

Fetched:   2026-06-29 18:00:15 UTC
Canonical: https://phishdestroy.io/domain/neobali.online/

## VERDICT
----------------------------------------------------------------
ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims
Composite threat score: 70/100 (PhishDestroy scoring — see methodology below)
Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal:      0/91 security vendors flagged this domain
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address:      64.29.17.1 (US, Walnut)
ASN:             ASAS16509 AMAZON-02 - Amazon.com, Inc., US
Hosting org:     AS16509 Amazon.com, Inc.
Registrar:       HOSTINGER operations, UAB
Nameservers:     ["ns1.dns-parking.com", "ns2.dns-parking.com"]
Page title:      Инвестиционная недвижимость на Бали от застройщика — Neo Bali
HTTP response:   200

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports filed yet — this domain is
waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
First detected:    2026-06-29 07:58:33 UTC (by PhishDestroy tracker)
First reported:    2026-06-29 06:05:16 UTC (abuse notice filed)
Last verified:     2026-06-29 16:20:35 UTC
Current status:    ACTIVE — cloaked behind HTTP 666 to evade scanners

## EXTERNAL CORROBORATION (third-party evidence)
----------------------------------------------------------------
URLScan.io:       https://urlscan.io/result/019f11f4-10e4-72aa-8b1a-5c29194ae47c/
URLQuery:         https://urlquery.net/report/5fa0feb9-5911-45e4-8b43-7ff5b0500148
Wayback Machine:  https://web.archive.org/web/*/neobali.online
crt.sh CT logs:   https://crt.sh/?q=%25.neobali.online
Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=neobali.online
AlienVault OTX:   https://otx.alienvault.com/indicator/domain/neobali.online
URLhaus:          https://urlhaus.abuse.ch/host/neobali.online/

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-29 08:05:26 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

The domain neobali.online is categorized under the specific threat type of generic phishing, currently holding an active status. This domain appears to target individuals seeking investment opportunities by utilizing a misleading page title that translates to 'Investment real estate in Bali from the developer – Neo Bali'. It does not impersonate any known brand directly but raises significant concerns regarding its legitimacy.

Analysis reveals that neobali.online is not flagged by any vendors as it currently shows 0 of 95 detections on VirusTotal, indicating it has not been identified as a threat internally within that database. The domain resolves to IP address 216.198.79.1, and is associated with a Let's Encrypt SSL certificate. Information about the registrar is not specified in the provided data, and the domain’s creation date also remains undisclosed. Currently, it has not appeared on any blocklists, receiving an initial trust score of zero from known security infrastructures, which remains a concern for potential users trying to assess its safety.

The current status of neobali.online is under investigation. It is strongly recommended that users exercise extreme caution and refrain from interacting with this domain in any manner. Security teams should monitor this domain closely for any changes in status or reported malicious activity. Implementing phishing detection measures on organizational networks and raising user awareness about the potential dangers of investment-related websites can mitigate risks associated with this domain.

## EVIDENCE HASHES
----------------------------------------------------------------
PhishDestroy Case ID:  PD-20260629-3FDDC5
Favicon MD5:       1dcda6e685f20cfc067563355676cda1

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
  - VirusTotal positive ratio
  - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus,
    CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
  - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
  - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
  - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
  - URLScan / URLQuery verdicts
  - Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
  - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
  - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
  - Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
  - Registrar/hosting abuse history (this registrar's track record)
  - Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does
NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their
first 7–30 days while actively draining wallets. Always cross-reference the composite
score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report:  https://phishdestroy.io/domain/neobali.online/
JSON API:          https://api.destroy.tools/v1/check?domain=neobali.online
Appeal a flag:     https://phishdestroy.io/appeals/  (responded to within 48 hours, FP rate <0.01%)
Submit a report:   https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 172,677 domains (13,179 alive under monitoring, 158,908 confirmed takedowns/dead). Site: https://phishdestroy.io