Skip to main content

Phishing targeting Luxembourg services (hosted and served on/from AWS)

Medium
Published: Tue Dec 19 2023 (12/19/2023, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: tlp
Product: clear

Description

Phishing targeting Luxembourg services (hosted and served on/from AWS)

AI-Powered Analysis

AILast updated: 07/05/2025, 22:54:42 UTC

Technical Analysis

This threat involves a phishing campaign specifically targeting services related to Luxembourg, with the phishing infrastructure hosted and served from Amazon Web Services (AWS). The attack technique employed is a classic phishing method (MITRE ATT&CK T1566), where attackers create fake websites designed to impersonate legitimate Luxembourg-based services. These fake websites aim to deceive users into divulging sensitive information such as login credentials, personal data, or financial details. The psychological acceptability of the phishing attempt is rated high, indicating that the phishing pages are crafted to appear highly credible and trustworthy, increasing the likelihood of user interaction and successful credential harvesting. The campaign leverages the cloud infrastructure of AWS, which can provide attackers with scalable and resilient hosting, making takedown efforts more challenging. Although no specific affected software versions or patches are identified, the threat remains persistent and perpetual, as indicated by the OSINT lifetime tag. No known exploits in the wild have been reported, but the medium severity rating reflects the potential risk posed by successful phishing attempts, which can lead to unauthorized access, data breaches, and subsequent lateral movement within targeted organizations.

Potential Impact

For European organizations, especially those operating in or with Luxembourg, this phishing threat poses significant risks. Successful phishing can lead to credential compromise, unauthorized access to sensitive systems, and potential data breaches affecting confidentiality and integrity. Luxembourg is a key financial and administrative hub in Europe, so organizations there often handle sensitive financial data, personal information, and critical infrastructure services. A successful phishing attack could disrupt business operations, damage reputations, and lead to regulatory penalties under GDPR due to data exposure. Additionally, compromised credentials could be used to pivot into other European networks, amplifying the impact beyond Luxembourg. The use of AWS hosting complicates incident response and takedown efforts, potentially prolonging exposure and increasing the window of opportunity for attackers.

Mitigation Recommendations

To mitigate this threat, European organizations should implement targeted anti-phishing measures beyond generic advice. These include deploying advanced email filtering solutions that leverage machine learning to detect and block phishing emails targeting Luxembourg services. Organizations should conduct regular, realistic phishing simulation exercises tailored to the threat landscape of Luxembourg-based services to raise user awareness and resilience. Implementing multi-factor authentication (MFA) is critical to reduce the impact of credential compromise. Monitoring for domain registrations and hosting activity on AWS that mimic legitimate Luxembourg services can help identify phishing infrastructure early. Collaboration with AWS abuse teams to report and expedite takedown of malicious hosting is essential. Additionally, organizations should enhance endpoint detection and response (EDR) capabilities to identify suspicious activity resulting from successful phishing. Finally, maintaining up-to-date threat intelligence feeds focused on phishing campaigns targeting Luxembourg will help in proactive defense.

Need more detailed analysis?Get Pro

Technical Details

Uuid
f3290493-8f74-4220-aa04-b83408e37a0c
Original Timestamp
1721049635

Indicators of Compromise

Ip

ValueDescriptionCopy
ip18.117.184.102
ip54.93.211.218
ip35.177.103.239
ip3.71.1.255
ip51.20.69.186
ip3.71.1.255
ip3.71.1.255
ip54.170.251.238
ip3.79.236.229
ip52.59.212.17
ip16.171.58.164
ip52.58.64.31
ip44.200.31.79
ip3.71.1.255
ip44.200.31.79
ip54.155.71.44
ip18.197.141.155
ip3.64.63.56
ip50.112.61.79
ip13.60.60.38
ip13.60.60.3
ip3.79.3.191

Domain

ValueDescriptionCopy
domainccss-public.com
domaincns-lu.com
domainluxtrust.support
domainluxtrust.help
domainwww-cns-lu.com
domainwww-cns.com
domainluxtrust-cancel.com
domainluxtrust-unlock.com
domainccss-sante-lu.com
domainccss.support
domaincfl-lu.com
domainccss.support
domaincfl-lu.com
domain3-71-1-255.plesk.page
domainquizzical-feistel.3-71-1-255.plesk.page
domainec2-3-71-1-255.eu-central-1.compute.amazonaws.com
domainsante-lu.com
domain13.48.203.238
domainluxtrust-help.com
domainluxtrust-help.com
domainpublic-ccss.com
domainpublic-ccss.com
domainhelp-luxtrust.lu
domainhelp-luxtrust.lu
domain3.82.24.34
domaininfoluxtrust.com
domainluxtrust.help
domain3.82.24.34
domain3.82.24.34
domainorder-public.com
domainsupport-luxtrust.com
domainguichet.me
domaincfl-lu.com
domaincfl-lu.com
domaincard-order.lu
domaincard-order.lu
domainpayconiq.direct
domainpayconiq.direct
domainpayconiq.tel
domain18.197.141.155
domainpayconiq.support
domainapp-luxtrust.com
domainpayconiq-blocage.com
domainpayconiq-suspension.net
domainupdate-lu.com
domainluxtrust-support.com
domainluxtrust-support.com

Url

ValueDescriptionCopy
urlhttps://public-ccss.com/index.php
urlhttps://sante-lu.com/index.php
urlhttps://sante-lu.com/
urlhttps://public-ccss.com/index.php
urlhttps://help-luxtrust.lu/index.php?success=validatedok
urlhttps://carte-sante-lu.com/index.php?success=validatedok
urlhttps://cns-order.com/
urlhttps://infoluxtrust.com/steps/luxtrust/
urlhttps://luxtrust.help/
urlhttps://ccss.digital/
urlhttps://etat-public.lu
urlhttps://public-order.lu/
urlhttps://c0nbrjdy.r.us-east-1.awstrack.me/L0/https:%2F%2Fpublic-order.lu/1/0100018ef98d16dd-9631e726-429b-4ad6-90a9-e25371506197-000000/7x9NDhmFipPjGlHSTAfnvM2JBjw=370
urlhttps://order-public.com/
urlhttps://support-luxtrust.com/
urlhttps://guichet.me/login_up.php
urlhttps://support-luxtrust.lu/
urlpayconiq.support
urlhttps://app-luxtrust.com/LUXTRUST/
urlhttp://payconiq-blocage.com/
urlhttp://update-lu.com
urlhttps://luxtrust-support.com/Luxtrust/
urlhttps://luxtrust-support.com/Luxtrust/

Counter

ValueDescriptionCopy
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter6
counter2
counter5
counter1
counter1
counter1
counter3
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter2
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter1
counter3
counter6

Text

ValueDescriptionCopy
texthttps://www.circl.lu/pdns/
textA
text18.117.184.102
textluxtrust.help
texthttps://www.circl.lu/pdns/
textA
text18.117.184.102
textluxtrust.support
texthttps://www.circl.lu/pdns/
textNS
textns-137.awsdns-17.com
textluxtrust.support
texthttps://www.circl.lu/pdns/
textNS
textns-1028.awsdns-00.org
textluxtrust.support
texthttps://www.circl.lu/pdns/
textNS
textns-1684.awsdns-18.co.uk
textluxtrust.support
texthttps://www.circl.lu/pdns/
textNS
textns-566.awsdns-06.net
textluxtrust.support
texthttps://www.circl.lu/pdns/
textSOA
textns-566.awsdns-06.net awsdns-hostmaster.amazon.com 1 7200 900 1209600 86400
textluxtrust.support
texthttps://www.circl.lu/pdns/
textNS
textns-417.awsdns-52.com
textcns-lu.com
texthttps://www.circl.lu/pdns/
textNS
textns-1004.awsdns-61.net
textcns-lu.com
texthttps://www.circl.lu/pdns/
textNS
textns-1064.awsdns-05.org
textcns-lu.com
texthttps://www.circl.lu/pdns/
textNS
textns-1932.awsdns-49.co.uk
textcns-lu.com
texthttps://www.circl.lu/pdns/
textA
text18.117.184.102
textcns-lu.com
texthttps://www.circl.lu/pdns/
textSOA
textns-1064.awsdns-05.org awsdns-hostmaster.amazon.com 1 7200 900 1209600 86400
textcns-lu.com
texthttps://www.circl.lu/pdns/
textA
text54.211.144.11
textccss-public.com
texthttps://www.circl.lu/pdns/
textA
text18.117.184.102
textccss-public.com
texthttps://www.circl.lu/pdns/
textA
text54.93.211.218
textwww-cns-lu.com
texthttps://www.circl.lu/pdns/
textNS
textns-1809.awsdns-34.co.uk
textwww-cns-lu.com
texthttps://www.circl.lu/pdns/
textNS
textns-800.awsdns-36.net
textwww-cns-lu.com
texthttps://www.circl.lu/pdns/
textNS
textns-1377.awsdns-44.org
textwww-cns-lu.com
texthttps://www.circl.lu/pdns/
textNS
textns-185.awsdns-23.com
textwww-cns-lu.com
texthttps://www.circl.lu/pdns/
textA
text35.177.103.239
textwww-cns-lu.com
texthttps://www.circl.lu/pdns/
textA
text54.93.211.218
textluxtrust.co
texthttps://www.circl.lu/pdns/
textA
text54.93.211.218
textwww-cns-lu.com
texthttps://www.circl.lu/pdns/
textA
text35.177.103.239
texttango-lu.com
texthttps://www.circl.lu/pdns/
textA
text35.177.103.239
textwww-cns-lu.com
texthttps://www.circl.lu/pdns/
textA
text35.177.103.239
textluxtrust.co
texthttps://www.circl.lu/pdns/
textA
text3.71.1.255
textcns-public.eu
texthttps://www.circl.lu/pdns/
textA
text3.71.1.255
textccss-lu.eu
texthttps://www.circl.lu/pdns/
textA
text3.71.1.255
textwww-cns-lu.com
textHTTPS
texthttps://www.circl.lu/pdns/
textA
text13.48.203.238
textluxtrust-cancel.com
texthttps://www.circl.lu/pdns/
textNS
textns-1194.awsdns-21.org
textwww-cns.com
texthttps://www.circl.lu/pdns/
textNS
textns-1016.awsdns-63.net
textwww-cns.com
texthttps://www.circl.lu/pdns/
textNS
textns-356.awsdns-44.com
textwww-cns.com
texthttps://www.circl.lu/pdns/
textNS
textns-2013.awsdns-59.co.uk
textwww-cns.com
texthttps://www.circl.lu/pdns/
textSOA
textns-356.awsdns-44.com awsdns-hostmaster.amazon.com 1 7200 900 1209600 86400
textwww-cns.com
texthttps://www.circl.lu/pdns/
textA
text13.48.203.238
textwww-cns.com
text3705060
textYes
textCCSS
textAmazon Technologies Inc.
texthttps://www.circl.lu/pdns/
textA
text35.180.136.109
textluxtrust-unlock.com
texthttps://www.circl.lu/pdns/
textNS
textns-1769.awsdns-29.co.uk
textluxtrust-unlock.com
texthttps://www.circl.lu/pdns/
textNS
textns-668.awsdns-19.net
textluxtrust-unlock.com
texthttps://www.circl.lu/pdns/
textNS
textns-1148.awsdns-15.org
textluxtrust-unlock.com
texthttps://www.circl.lu/pdns/
textNS
textns-508.awsdns-63.com
textluxtrust-unlock.com
texthttps://www.circl.lu/pdns/
textSOA
textns-1769.awsdns-29.co.uk awsdns-hostmaster.amazon.com 1 7200 900 1209600 86400
textluxtrust-unlock.com
texthttps://www.circl.lu/pdns/
textNS
textns-296.awsdns-37.com
textccss-sante-lu.com
texthttps://www.circl.lu/pdns/
textNS
textns-920.awsdns-51.net
textccss-sante-lu.com
texthttps://www.circl.lu/pdns/
textNS
textns-1790.awsdns-31.co.uk
textccss-sante-lu.com
texthttps://www.circl.lu/pdns/
textNS
textns-1129.awsdns-13.org
textccss-sante-lu.com
texthttps://www.circl.lu/pdns/
textA
text35.180.136.109
textccss-sante-lu.com
textcom
text/index.php
textpublic-ccss
texthttps://www.circl.lu/pdns/
textA
text51.20.69.186
textpublic-ccss.com
textlu
text/index.php
text?success=validatedok
texthelp-luxtrust
text3772453
textabuse@amazonaws.com
textYes
textCCSS
textinfoluxtrust
text/steps/luxtrust/
textluxtrust
textYes
text3801349
textguichet
texthttps://t.ly/ROJIS
text% WHOIS card-order.lu domainname: card-order.lu domaintype: ACTIVE nserver: ns1.eurodns.com nserver: ns2.eurodns.com nserver: ns3.eurodns.com nserver: ns4.eurodns.com ownertype: ORGANISATION registered: 03/05/2024 org-name: ORANGE Lyon org-address: 10 Parc de la Tête d'Or org-zipcode: 69100 org-city: Lyon - 09 org-country: FR adm-name: duval nico adm-address: ORANGE Lyon adm-address: 10 Parc de la Tête d'Or adm-zipcode: 69100 adm-city: Lyon - 09 adm-country: FR adm-email: wailbanaid93500@gmail.com tec-name: Adlani Anouar tec-address: EuroDNS S.A tec-address: 2, rue Leon Laval tec-zipcode: L-3372 tec-city: Leudelange tec-country: LU tec-email: hostmaster@eurodns.com
texthttps://payconiq.direct/index.php
textYes
textYes
textYes
textYes
textYes
textYes
textYes
textYes
textYes

Datetime

ValueDescriptionCopy
datetime2023-12-07T13:42:52+00:00
datetime2023-12-07T13:42:52+00:00
datetime2023-12-15T14:56:56+00:00
datetime2023-12-19T07:22:05+00:00
datetime2023-12-19T07:22:05+00:00
datetime2023-12-19T07:22:05+00:00
datetime2023-12-19T07:22:05+00:00
datetime2023-12-19T07:22:05+00:00
datetime2023-12-19T07:22:05+00:00
datetime2023-12-19T07:22:05+00:00
datetime2023-12-19T07:22:05+00:00
datetime2023-12-19T07:22:05+00:00
datetime2023-12-19T07:22:05+00:00
datetime2023-12-19T07:22:05+00:00
datetime2023-12-19T06:09:53+00:00
datetime2023-12-19T06:09:53+00:00
datetime2023-12-19T06:09:53+00:00
datetime2023-12-19T06:09:53+00:00
datetime2023-12-19T06:09:53+00:00
datetime2023-12-19T06:09:53+00:00
datetime2023-12-19T06:09:53+00:00
datetime2023-12-19T06:09:53+00:00
datetime2023-12-19T06:09:53+00:00
datetime2023-12-19T07:21:13+00:00
datetime2023-12-19T07:21:32+00:00
datetime2023-12-19T07:21:32+00:00
datetime2023-12-04T15:07:11+00:00
datetime2023-12-06T12:43:27+00:00
datetime2023-12-07T09:57:23+00:00
datetime2023-12-11T12:51:55+00:00
datetime2023-12-24T15:17:57+00:00
datetime2023-12-29T12:53:49+00:00
datetime2023-12-24T15:17:57+00:00
datetime2024-01-01T10:11:18+00:00
datetime2023-12-24T15:17:57+00:00
datetime2024-01-01T10:11:18+00:00
datetime2023-12-24T15:17:57+00:00
datetime2024-01-01T10:11:18+00:00
datetime2023-12-24T15:17:57+00:00
datetime2024-01-01T10:11:18+00:00
datetime2024-01-01T10:11:18+00:00
datetime2024-01-01T18:02:49+00:00
datetime2023-12-28T07:20:46+00:00
datetime2023-12-28T07:20:46+00:00
datetime2023-12-24T15:17:57+00:00
datetime2023-12-29T12:53:49+00:00
datetime2024-01-01T06:20:20+00:00
datetime2024-01-01T10:19:23+00:00
datetime2024-01-01T10:11:18+00:00
datetime2024-01-01T18:02:49+00:00
datetime2024-01-02T13:42:31+00:00
datetime2024-01-02T13:42:31+00:00
datetime2024-01-10T14:00:09+00:00
datetime2024-01-10T14:00:09+00:00
datetime2024-01-11T09:15:56+00:00
datetime2024-01-11T09:15:56+00:00
datetime2024-01-09T07:44:24+00:00
datetime2024-01-16T15:18:05+00:00
datetime2024-01-29T08:16:34+00:00
datetime2024-01-29T08:16:34+00:00
datetime2024-01-26T22:38:10+00:00
datetime2024-01-26T22:38:10+00:00
datetime2024-01-26T22:38:10+00:00
datetime2024-01-26T22:38:10+00:00
datetime2024-01-26T22:38:10+00:00
datetime2024-01-26T22:38:10+00:00
datetime2024-01-26T22:38:10+00:00
datetime2024-01-26T22:38:10+00:00
datetime2024-01-27T06:43:33+00:00
datetime2024-01-27T06:43:33+00:00
datetime2024-01-26T21:02:34+00:00
datetime2024-01-29T08:14:18+00:00
datetime2024-02-08T08:49:51+00:00
datetime2024-02-08T08:55:26+00:00
datetime2024-02-08T08:55:26+00:00
datetime2024-02-08T08:55:26+00:00
datetime2024-02-08T08:55:26+00:00
datetime2024-02-08T08:55:26+00:00
datetime2024-02-08T08:55:26+00:00
datetime2024-02-08T08:55:26+00:00
datetime2024-02-08T08:55:26+00:00
datetime2024-02-08T08:55:26+00:00
datetime2024-02-08T08:55:26+00:00
datetime2024-02-08T08:55:26+00:00
datetime2024-02-08T08:58:25+00:00
datetime2024-02-08T08:58:25+00:00
datetime2024-02-08T08:58:25+00:00
datetime2024-02-08T08:58:25+00:00
datetime2024-02-08T08:58:25+00:00
datetime2024-02-08T08:58:25+00:00
datetime2024-02-08T08:58:25+00:00
datetime2024-02-08T08:58:25+00:00
datetime2024-02-07T07:43:10+00:00
datetime2024-02-08T09:02:37+00:00
datetime2024-03-07T09:27:05+00:00
datetime2024-03-13T10:22:44+00:00

Port

ValueDescriptionCopy
port443
port443
port443
port443
port443
port443
port443
port443
port443

As

ValueDescriptionCopy
as16509

Threat ID: 68359c9f5d5f0974d01fc2ef

Added to database: 5/27/2025, 11:06:07 AM

Last enriched: 7/5/2025, 10:54:42 PM

Last updated: 8/14/2025, 7:02:16 PM

Views: 15

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

External Links

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats