# PhishDestroy threat dossier — xfactor300.vercel.app ================================================================ Fetched: 2026-07-07 15:26:10 UTC Canonical: https://phishdestroy.io/domain/xfactor300.vercel.app/ ## VERDICT ---------------------------------------------------------------- ACTIVE + CLOAKED — returns HTTP 666 to scanners, real fraudulent site to victims Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Cloaking: DETECTED — domain returns custom HTTP 666 to scanners while serving fraudulent content to real users (type: content_split) (score: 1/6) ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 18/91 security vendors flagged this domain Flagging vendors: Criminal IP, alphaMountain.ai, BitDefender, CyRadar, Ermes, ESET, Emsisoft, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Kaspersky, LevelBlue, Lionic, MalwareURL, Netcraft, Sophos, Webroot Public blocklists: listed on 2 independent blocklists ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 64.29.17.131 (US, Walnut) ASN: AS16509 Amazon.com, Inc. Hosting org: Vercel, Inc Registrar: Vercel Inc. Nameservers: NS_NOT_FOUND Page title: Sign in to Xfinity HTTP response: 200 ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: pending notification queue. No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter. ## TIMELINE ---------------------------------------------------------------- First detected: 2026-07-07 14:16:50 UTC (by PhishDestroy tracker) Last verified: 2026-07-07 16:25:20 UTC Current status: ACTIVE — cloaked behind HTTP 666 to evade scanners ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019f3c81-23db-7378-ab6c-17599b0f3ba4/ Wayback Machine: https://web.archive.org/web/*/xfactor300.vercel.app crt.sh CT logs: https://crt.sh/?q=%25.xfactor300.vercel.app Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=xfactor300.vercel.app AlienVault OTX: https://otx.alienvault.com/indicator/domain/xfactor300.vercel.app URLhaus: https://urlhaus.abuse.ch/host/xfactor300.vercel.app/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-07-07 14:55:45 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain is flagged as an active credential theft operation impersonating Xfinity, a major telecommunications provider. The site presents a fraudulent login interface designed to harvest user credentials, including usernames, passwords, and potentially multifactor authentication codes. Analysis indicates the threat actor is specifically targeting customers of the legitimate service, likely for account takeover, unauthorized access to billing information, or further social engineering attacks. The use of a familiar brand interface increases the likelihood of successful deception, particularly among users expecting legitimate login prompts. Infrastructure analysis reveals multiple technical indicators supporting the elevated risk assessment. The domain xfactor300.vercel.app is registered through Vercel Inc. and resolves to the IP address 64.29.17.131. Security vendors have flagged this domain at a rate of 18 out of 95 on VirusTotal, a significant detection ratio that exceeds typical false positive thresholds. The site employs a valid SSL certificate issued by Google Trust Services, which may mislead users into perceiving the page as secure. Detected technologies include Tailwind CSS for styling, Vercel for hosting, and HTTP Strict Transport Security (HSTS) headers, suggesting the threat actor has implemented basic security measures to avoid immediate detection by automated systems. Users who have visited xfactor300.vercel.app or entered credentials on the site should take immediate action to mitigate potential compromise. First, reset passwords for the legitimate Xfinity service and any other accounts where the same credentials may have been reused. Enable multifactor authentication if not already active, using an authenticator app or hardware token rather than SMS-based methods. Monitor financial statements and account activity for unauthorized transactions or changes. If personal or payment information was entered, consider placing a fraud alert or credit freeze with relevant bureaus. Organizations should block the domain and associated IP address at the network level and update endpoint protection rules to prevent access. Users are advised to report the incident to the legitimate service provider and relevant cybersecurity authorities to aid in tracking and takedown efforts. ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/xfactor300.vercel.app/ JSON API: https://api.destroy.tools/v1/check?domain=xfactor300.vercel.app Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 175,813 domains (12,767 alive under monitoring, 162,081 confirmed takedowns/dead). Site: https://phishdestroy.io