Phishing targeting Luxembourg services (hosted and served on/from AWS)
A phishing campaign is actively targeting services associated with Luxembourg, leveraging fake websites hosted on and served from AWS infrastructure. This threat uses highly convincing psychological techniques to deceive users into divulging sensitive information. No specific vulnerable software versions are identified and no patches are available, because the attack exploits social engineering rather than technical vulnerabilities. The campaign is categorized under MITRE ATT&CK pattern T1566 and is ongoing, with no known exploits in the wild beyond the phishing attempts. European organizations, especially those with ties to Luxembourg or using AWS-hosted services, face risks of credential theft and potential subsequent compromise. Mitigation requires targeted user awareness, email filtering, and monitoring of AWS-hosted domains mimicking legitimate Luxembourg services. Luxembourg is the primary affected country, but neighboring countries with close economic or governmental ties may also be at risk. Given the ease of exploitation and potential impact on confidentiality, the threat severity is assessed as medium. Defenders should prioritize detection and user education to reduce the success of these phishing attempts.
AI Analysis
Technical Summary
This threat involves a phishing campaign specifically targeting services related to Luxembourg, with the phishing infrastructure hosted on Amazon Web Services (AWS). The attackers create fake websites that impersonate legitimate Luxembourg services, aiming to trick users into submitting sensitive credentials or other confidential information. The campaign is identified through CIRCL OSINT feeds and is linked to the MITRE ATT&CK technique T1566, which covers phishing attacks. The psychological acceptability of the phishing lure is high, indicating that the fake websites and messages are crafted to appear very convincing and trustworthy to the target audience. No specific software vulnerabilities or affected product versions are noted, as the attack vector relies on social engineering rather than exploiting technical flaws. There are no known exploits in the wild beyond the phishing attempts themselves, and no patches or technical mitigations are available. The hosting on AWS suggests attackers leverage cloud infrastructure to rapidly deploy and rotate phishing sites, complicating takedown efforts. The campaign is ongoing and perpetual, indicating persistent targeting of Luxembourg-related services. Indicators of compromise are not provided, which may hinder automated detection. The threat primarily risks confidentiality breaches through credential theft, which could lead to further network intrusion or fraud if attackers leverage stolen credentials. The medium severity rating reflects the significant impact possible if users are deceived, balanced against the non-technical nature of the attack and the need for user interaction.
Potential Impact
For European organizations, particularly those operating in or with Luxembourg, this phishing campaign poses a tangible risk of credential compromise and unauthorized access. Successful phishing can lead to data breaches, financial fraud, and erosion of trust in digital services. Organizations relying on AWS-hosted services for Luxembourg-related operations may see increased targeting, potentially affecting business continuity and regulatory compliance, especially under GDPR. The psychological sophistication of the phishing attempts increases the likelihood of user deception, which can cascade into broader network compromises if attackers use stolen credentials to move laterally. Public sector entities, financial institutions, and critical infrastructure providers in Luxembourg are especially vulnerable due to the strategic importance of their services. Neighboring countries with close economic or governmental ties to Luxembourg may also experience spillover effects, including phishing attempts mimicking Luxembourg services to target cross-border operations. The lack of technical vulnerabilities means traditional patching is ineffective, placing greater emphasis on user vigilance and detection capabilities. Overall, the campaign threatens confidentiality and integrity, with potential downstream impacts on availability if attackers leverage access for ransomware or disruptive activities.
Mitigation Recommendations
To mitigate this phishing threat, European organizations should implement multi-layered defenses focused on detection, prevention, and user education. Deploy advanced email filtering solutions capable of identifying and quarantining phishing emails, including those with links to AWS-hosted fake websites. Utilize domain monitoring services to detect and take down fraudulent domains impersonating Luxembourg services, collaborating with AWS abuse teams for rapid response. Conduct targeted phishing awareness training emphasizing recognition of sophisticated social engineering tactics and the risks of interacting with unsolicited links or requests for credentials. Enforce multi-factor authentication (MFA) across all critical systems to reduce the impact of credential compromise. Implement robust incident response procedures to quickly isolate and remediate accounts suspected of being phished. Leverage threat intelligence feeds, such as CIRCL OSINT, to stay informed about emerging phishing campaigns and indicators. Regularly review and update security policies to address cloud-hosted phishing infrastructure challenges. For organizations with Luxembourg operations, consider additional verification steps for sensitive transactions or access requests. Finally, encourage reporting of suspected phishing attempts to improve organizational and community-wide defenses.
Affected Countries
Luxembourg, Belgium, France, Germany, Netherlands
Indicators of Compromise
Technical Details
- Uuid: f3290493-8f74-4220-aa04-b83408e37a0c
- Original Timestamp: 1721049635
textluxtrust-unlock.com | — | |
texthttps://www.circl.lu/pdns/ | — | |
textNS | — | |
textns-296.awsdns-37.com | — | |
textccss-sante-lu.com | — | |
texthttps://www.circl.lu/pdns/ | — | |
textNS | — | |
textns-920.awsdns-51.net | — | |
textccss-sante-lu.com | — | |
texthttps://www.circl.lu/pdns/ | — | |
textNS | — | |
textns-1790.awsdns-31.co.uk | — | |
textccss-sante-lu.com | — | |
texthttps://www.circl.lu/pdns/ | — | |
textNS | — | |
textns-1129.awsdns-13.org | — | |
textccss-sante-lu.com | — | |
texthttps://www.circl.lu/pdns/ | — | |
textA | — | |
text35.180.136.109 | — | |
textccss-sante-lu.com | — | |
textcom | — | |
text/index.php | — | |
textpublic-ccss | — | |
texthttps://www.circl.lu/pdns/ | — | |
textA | — | |
text51.20.69.186 | — | |
textpublic-ccss.com | — | |
textlu | — | |
text/index.php | — | |
text?success=validatedok | — | |
texthelp-luxtrust | — | |
text3772453 | — | |
textabuse@amazonaws.com | — | |
textYes | — | |
textCCSS | — | |
textinfoluxtrust | — | |
text/steps/luxtrust/ | — | |
textluxtrust | — | |
textYes | — | |
text3801349 | — | |
textguichet | — | |
texthttps://t.ly/ROJIS | — | |
text% WHOIS card-order.lu
domainname: card-order.lu
domaintype: ACTIVE
nserver: ns1.eurodns.com
nserver: ns2.eurodns.com
nserver: ns3.eurodns.com
nserver: ns4.eurodns.com
ownertype: ORGANISATION
registered: 03/05/2024
org-name: ORANGE Lyon
org-address: 10 Parc de la Tête d'Or
org-zipcode: 69100
org-city: Lyon - 09
org-country: FR
adm-name: duval nico
adm-address: ORANGE Lyon
adm-address: 10 Parc de la Tête d'Or
adm-zipcode: 69100
adm-city: Lyon - 09
adm-country: FR
adm-email: wailbanaid93500@gmail.com
tec-name: Adlani Anouar
tec-address: EuroDNS S.A
tec-address: 2, rue Leon Laval
tec-zipcode: L-3372
tec-city: Leudelange
tec-country: LU
tec-email: hostmaster@eurodns.com | — | |
texthttps://payconiq.direct/index.php | — | |
textYes | — | |
textYes | — | |
textYes | — | |
textYes | — | |
textYes | — | |
textYes | — | |
textYes | — | |
textYes | — | |
textYes | — |
Port
| Value | Description | Copy |
|---|---|---|
| 443 | — | |
As
| Value | Description | Copy |
|---|---|---|
| AS16509 | — | |
Threat ID: 68359c9f5d5f0974d01fc2ef
Added to database: 5/27/2025, 11:06:07 AM
Last enriched: 12/24/2025, 6:13:45 AM
Last updated: 1/19/2026, 9:57:49 AM