Skip to main content

Phishing targeting Luxembourg services (hosted and served on/from AWS)

Medium
Published: Tue Dec 19 2023 (12/19/2023, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: tlp
Product: clear

Description

Phishing targeting Luxembourg services (hosted and served on/from AWS)

AI-Powered Analysis

AILast updated: 07/05/2025, 22:54:42 UTC

Technical Analysis

This threat involves a phishing campaign specifically targeting services related to Luxembourg, with the phishing infrastructure hosted and served from Amazon Web Services (AWS). The attack technique employed is a classic phishing method (MITRE ATT&CK T1566), where attackers create fake websites designed to impersonate legitimate Luxembourg-based services. These fake websites aim to deceive users into divulging sensitive information such as login credentials, personal data, or financial details. The psychological acceptability of the phishing attempt is rated high, indicating that the phishing pages are crafted to appear highly credible and trustworthy, increasing the likelihood of user interaction and successful credential harvesting. The campaign leverages the cloud infrastructure of AWS, which can provide attackers with scalable and resilient hosting, making takedown efforts more challenging. Although no specific affected software versions or patches are identified, the threat remains persistent and perpetual, as indicated by the OSINT lifetime tag. No known exploits in the wild have been reported, but the medium severity rating reflects the potential risk posed by successful phishing attempts, which can lead to unauthorized access, data breaches, and subsequent lateral movement within targeted organizations.

Potential Impact

For European organizations, especially those operating in or with Luxembourg, this phishing threat poses significant risks. Successful phishing can lead to credential compromise, unauthorized access to sensitive systems, and potential data breaches affecting confidentiality and integrity. Luxembourg is a key financial and administrative hub in Europe, so organizations there often handle sensitive financial data, personal information, and critical infrastructure services. A successful phishing attack could disrupt business operations, damage reputations, and lead to regulatory penalties under GDPR due to data exposure. Additionally, compromised credentials could be used to pivot into other European networks, amplifying the impact beyond Luxembourg. The use of AWS hosting complicates incident response and takedown efforts, potentially prolonging exposure and increasing the window of opportunity for attackers.

Mitigation Recommendations

To mitigate this threat, European organizations should implement targeted anti-phishing measures beyond generic advice. These include deploying advanced email filtering solutions that leverage machine learning to detect and block phishing emails targeting Luxembourg services. Organizations should conduct regular, realistic phishing simulation exercises tailored to the threat landscape of Luxembourg-based services to raise user awareness and resilience. Implementing multi-factor authentication (MFA) is critical to reduce the impact of credential compromise. Monitoring for domain registrations and hosting activity on AWS that mimic legitimate Luxembourg services can help identify phishing infrastructure early. Collaboration with AWS abuse teams to report and expedite takedown of malicious hosting is essential. Additionally, organizations should enhance endpoint detection and response (EDR) capabilities to identify suspicious activity resulting from successful phishing. Finally, maintaining up-to-date threat intelligence feeds focused on phishing campaigns targeting Luxembourg will help in proactive defense.

Need more detailed analysis?Get Pro

Technical Details

Uuid
f3290493-8f74-4220-aa04-b83408e37a0c
Original Timestamp
1721049635

Indicators of Compromise

Ip

ValueDescriptionCopy
ip18.117.184.102
—
ip54.93.211.218
—
ip35.177.103.239
—
ip3.71.1.255
—
ip51.20.69.186
—
ip3.71.1.255
—
ip3.71.1.255
—
ip54.170.251.238
—
ip3.79.236.229
—
ip52.59.212.17
—
ip16.171.58.164
—
ip52.58.64.31
—
ip44.200.31.79
—
ip3.71.1.255
—
ip44.200.31.79
—
ip54.155.71.44
—
ip18.197.141.155
—
ip3.64.63.56
—
ip50.112.61.79
—
ip13.60.60.38
—
ip13.60.60.3
—
ip3.79.3.191
—

Domain

ValueDescriptionCopy
domainccss-public.com
—
domaincns-lu.com
—
domainluxtrust.support
—
domainluxtrust.help
—
domainwww-cns-lu.com
—
domainwww-cns.com
—
domainluxtrust-cancel.com
—
domainluxtrust-unlock.com
—
domainccss-sante-lu.com
—
domainccss.support
—
domaincfl-lu.com
—
domainccss.support
—
domaincfl-lu.com
—
domain3-71-1-255.plesk.page
—
domainquizzical-feistel.3-71-1-255.plesk.page
—
domainec2-3-71-1-255.eu-central-1.compute.amazonaws.com
—
domainsante-lu.com
—
domain13.48.203.238
—
domainluxtrust-help.com
—
domainluxtrust-help.com
—
domainpublic-ccss.com
—
domainpublic-ccss.com
—
domainhelp-luxtrust.lu
—
domainhelp-luxtrust.lu
—
domain3.82.24.34
—
domaininfoluxtrust.com
—
domainluxtrust.help
—
domain3.82.24.34
—
domain3.82.24.34
—
domainorder-public.com
—
domainsupport-luxtrust.com
—
domainguichet.me
—
domaincfl-lu.com
—
domaincfl-lu.com
—
domaincard-order.lu
—
domaincard-order.lu
—
domainpayconiq.direct
—
domainpayconiq.direct
—
domainpayconiq.tel
—
domain18.197.141.155
—
domainpayconiq.support
—
domainapp-luxtrust.com
—
domainpayconiq-blocage.com
—
domainpayconiq-suspension.net
—
domainupdate-lu.com
—
domainluxtrust-support.com
—
domainluxtrust-support.com
—

Url

ValueDescriptionCopy
urlhttps://public-ccss.com/index.php
—
urlhttps://sante-lu.com/index.php
—
urlhttps://sante-lu.com/
—
urlhttps://public-ccss.com/index.php
—
urlhttps://help-luxtrust.lu/index.php?success=validatedok
—
urlhttps://carte-sante-lu.com/index.php?success=validatedok
—
urlhttps://cns-order.com/
—
urlhttps://infoluxtrust.com/steps/luxtrust/
—
urlhttps://luxtrust.help/
—
urlhttps://ccss.digital/
—
urlhttps://etat-public.lu
—
urlhttps://public-order.lu/
—
urlhttps://c0nbrjdy.r.us-east-1.awstrack.me/L0/https:%2F%2Fpublic-order.lu/1/0100018ef98d16dd-9631e726-429b-4ad6-90a9-e25371506197-000000/7x9NDhmFipPjGlHSTAfnvM2JBjw=370
—
urlhttps://order-public.com/
—
urlhttps://support-luxtrust.com/
—
urlhttps://guichet.me/login_up.php
—
urlhttps://support-luxtrust.lu/
—
urlpayconiq.support
—
urlhttps://app-luxtrust.com/LUXTRUST/
—
urlhttp://payconiq-blocage.com/
—
urlhttp://update-lu.com
—
urlhttps://luxtrust-support.com/Luxtrust/
—
urlhttps://luxtrust-support.com/Luxtrust/
—

Counter

ValueDescriptionCopy
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter6
—
counter2
—
counter5
—
counter1
—
counter1
—
counter1
—
counter3
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter2
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter1
—
counter3
—
counter6
—

Text

ValueDescriptionCopy
texthttps://www.circl.lu/pdns/
—
textA
—
text18.117.184.102
—
textluxtrust.help
—
texthttps://www.circl.lu/pdns/
—
textA
—
text18.117.184.102
—
textluxtrust.support
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-137.awsdns-17.com
—
textluxtrust.support
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1028.awsdns-00.org
—
textluxtrust.support
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1684.awsdns-18.co.uk
—
textluxtrust.support
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-566.awsdns-06.net
—
textluxtrust.support
—
texthttps://www.circl.lu/pdns/
—
textSOA
—
textns-566.awsdns-06.net awsdns-hostmaster.amazon.com 1 7200 900 1209600 86400
—
textluxtrust.support
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-417.awsdns-52.com
—
textcns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1004.awsdns-61.net
—
textcns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1064.awsdns-05.org
—
textcns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1932.awsdns-49.co.uk
—
textcns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textA
—
text18.117.184.102
—
textcns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textSOA
—
textns-1064.awsdns-05.org awsdns-hostmaster.amazon.com 1 7200 900 1209600 86400
—
textcns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textA
—
text54.211.144.11
—
textccss-public.com
—
texthttps://www.circl.lu/pdns/
—
textA
—
text18.117.184.102
—
textccss-public.com
—
texthttps://www.circl.lu/pdns/
—
textA
—
text54.93.211.218
—
textwww-cns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1809.awsdns-34.co.uk
—
textwww-cns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-800.awsdns-36.net
—
textwww-cns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1377.awsdns-44.org
—
textwww-cns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-185.awsdns-23.com
—
textwww-cns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textA
—
text35.177.103.239
—
textwww-cns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textA
—
text54.93.211.218
—
textluxtrust.co
—
texthttps://www.circl.lu/pdns/
—
textA
—
text54.93.211.218
—
textwww-cns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textA
—
text35.177.103.239
—
texttango-lu.com
—
texthttps://www.circl.lu/pdns/
—
textA
—
text35.177.103.239
—
textwww-cns-lu.com
—
texthttps://www.circl.lu/pdns/
—
textA
—
text35.177.103.239
—
textluxtrust.co
—
texthttps://www.circl.lu/pdns/
—
textA
—
text3.71.1.255
—
textcns-public.eu
—
texthttps://www.circl.lu/pdns/
—
textA
—
text3.71.1.255
—
textccss-lu.eu
—
texthttps://www.circl.lu/pdns/
—
textA
—
text3.71.1.255
—
textwww-cns-lu.com
—
textHTTPS
—
texthttps://www.circl.lu/pdns/
—
textA
—
text13.48.203.238
—
textluxtrust-cancel.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1194.awsdns-21.org
—
textwww-cns.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1016.awsdns-63.net
—
textwww-cns.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-356.awsdns-44.com
—
textwww-cns.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-2013.awsdns-59.co.uk
—
textwww-cns.com
—
texthttps://www.circl.lu/pdns/
—
textSOA
—
textns-356.awsdns-44.com awsdns-hostmaster.amazon.com 1 7200 900 1209600 86400
—
textwww-cns.com
—
texthttps://www.circl.lu/pdns/
—
textA
—
text13.48.203.238
—
textwww-cns.com
—
text3705060
—
textYes
—
textCCSS
—
textAmazon Technologies Inc.
—
texthttps://www.circl.lu/pdns/
—
textA
—
text35.180.136.109
—
textluxtrust-unlock.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1769.awsdns-29.co.uk
—
textluxtrust-unlock.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-668.awsdns-19.net
—
textluxtrust-unlock.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1148.awsdns-15.org
—
textluxtrust-unlock.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-508.awsdns-63.com
—
textluxtrust-unlock.com
—
texthttps://www.circl.lu/pdns/
—
textSOA
—
textns-1769.awsdns-29.co.uk awsdns-hostmaster.amazon.com 1 7200 900 1209600 86400
—
textluxtrust-unlock.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-296.awsdns-37.com
—
textccss-sante-lu.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-920.awsdns-51.net
—
textccss-sante-lu.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1790.awsdns-31.co.uk
—
textccss-sante-lu.com
—
texthttps://www.circl.lu/pdns/
—
textNS
—
textns-1129.awsdns-13.org
—
textccss-sante-lu.com
—
texthttps://www.circl.lu/pdns/
—
textA
—
text35.180.136.109
—
textccss-sante-lu.com
—
textcom
—
text/index.php
—
textpublic-ccss
—
texthttps://www.circl.lu/pdns/
—
textA
—
text51.20.69.186
—
textpublic-ccss.com
—
textlu
—
text/index.php
—
text?success=validatedok
—
texthelp-luxtrust
—
text3772453
—
textabuse@amazonaws.com
—
textYes
—
textCCSS
—
textinfoluxtrust
—
text/steps/luxtrust/
—
textluxtrust
—
textYes
—
text3801349
—
textguichet
—
texthttps://t.ly/ROJIS
—
text% WHOIS card-order.lu domainname: card-order.lu domaintype: ACTIVE nserver: ns1.eurodns.com nserver: ns2.eurodns.com nserver: ns3.eurodns.com nserver: ns4.eurodns.com ownertype: ORGANISATION registered: 03/05/2024 org-name: ORANGE Lyon org-address: 10 Parc de la TĂȘte d'Or org-zipcode: 69100 org-city: Lyon - 09 org-country: FR adm-name: duval nico adm-address: ORANGE Lyon adm-address: 10 Parc de la TĂȘte d'Or adm-zipcode: 69100 adm-city: Lyon - 09 adm-country: FR adm-email: wailbanaid93500@gmail.com tec-name: Adlani Anouar tec-address: EuroDNS S.A tec-address: 2, rue Leon Laval tec-zipcode: L-3372 tec-city: Leudelange tec-country: LU tec-email: hostmaster@eurodns.com
—
texthttps://payconiq.direct/index.php
—
textYes
—
textYes
—
textYes
—
textYes
—
textYes
—
textYes
—
textYes
—
textYes
—
textYes
—

Datetime

ValueDescriptionCopy
datetime2023-12-07T13:42:52+00:00
—
datetime2023-12-07T13:42:52+00:00
—
datetime2023-12-15T14:56:56+00:00
—
datetime2023-12-19T07:22:05+00:00
—
datetime2023-12-19T07:22:05+00:00
—
datetime2023-12-19T07:22:05+00:00
—
datetime2023-12-19T07:22:05+00:00
—
datetime2023-12-19T07:22:05+00:00
—
datetime2023-12-19T07:22:05+00:00
—
datetime2023-12-19T07:22:05+00:00
—
datetime2023-12-19T07:22:05+00:00
—
datetime2023-12-19T07:22:05+00:00
—
datetime2023-12-19T07:22:05+00:00
—
datetime2023-12-19T07:22:05+00:00
—
datetime2023-12-19T06:09:53+00:00
—
datetime2023-12-19T06:09:53+00:00
—
datetime2023-12-19T06:09:53+00:00
—
datetime2023-12-19T06:09:53+00:00
—
datetime2023-12-19T06:09:53+00:00
—
datetime2023-12-19T06:09:53+00:00
—
datetime2023-12-19T06:09:53+00:00
—
datetime2023-12-19T06:09:53+00:00
—
datetime2023-12-19T06:09:53+00:00
—
datetime2023-12-19T07:21:13+00:00
—
datetime2023-12-19T07:21:32+00:00
—
datetime2023-12-19T07:21:32+00:00
—
datetime2023-12-04T15:07:11+00:00
—
datetime2023-12-06T12:43:27+00:00
—
datetime2023-12-07T09:57:23+00:00
—
datetime2023-12-11T12:51:55+00:00
—
datetime2023-12-24T15:17:57+00:00
—
datetime2023-12-29T12:53:49+00:00
—
datetime2023-12-24T15:17:57+00:00
—
datetime2024-01-01T10:11:18+00:00
—
datetime2023-12-24T15:17:57+00:00
—
datetime2024-01-01T10:11:18+00:00
—
datetime2023-12-24T15:17:57+00:00
—
datetime2024-01-01T10:11:18+00:00
—
datetime2023-12-24T15:17:57+00:00
—
datetime2024-01-01T10:11:18+00:00
—
datetime2024-01-01T10:11:18+00:00
—
datetime2024-01-01T18:02:49+00:00
—
datetime2023-12-28T07:20:46+00:00
—
datetime2023-12-28T07:20:46+00:00
—
datetime2023-12-24T15:17:57+00:00
—
datetime2023-12-29T12:53:49+00:00
—
datetime2024-01-01T06:20:20+00:00
—
datetime2024-01-01T10:19:23+00:00
—
datetime2024-01-01T10:11:18+00:00
—
datetime2024-01-01T18:02:49+00:00
—
datetime2024-01-02T13:42:31+00:00
—
datetime2024-01-02T13:42:31+00:00
—
datetime2024-01-10T14:00:09+00:00
—
datetime2024-01-10T14:00:09+00:00
—
datetime2024-01-11T09:15:56+00:00
—
datetime2024-01-11T09:15:56+00:00
—
datetime2024-01-09T07:44:24+00:00
—
datetime2024-01-16T15:18:05+00:00
—
datetime2024-01-29T08:16:34+00:00
—
datetime2024-01-29T08:16:34+00:00
—
datetime2024-01-26T22:38:10+00:00
—
datetime2024-01-26T22:38:10+00:00
—
datetime2024-01-26T22:38:10+00:00
—
datetime2024-01-26T22:38:10+00:00
—
datetime2024-01-26T22:38:10+00:00
—
datetime2024-01-26T22:38:10+00:00
—
datetime2024-01-26T22:38:10+00:00
—
datetime2024-01-26T22:38:10+00:00
—
datetime2024-01-27T06:43:33+00:00
—
datetime2024-01-27T06:43:33+00:00
—
datetime2024-01-26T21:02:34+00:00
—
datetime2024-01-29T08:14:18+00:00
—
datetime2024-02-08T08:49:51+00:00
—
datetime2024-02-08T08:55:26+00:00
—
datetime2024-02-08T08:55:26+00:00
—
datetime2024-02-08T08:55:26+00:00
—
datetime2024-02-08T08:55:26+00:00
—
datetime2024-02-08T08:55:26+00:00
—
datetime2024-02-08T08:55:26+00:00
—
datetime2024-02-08T08:55:26+00:00
—
datetime2024-02-08T08:55:26+00:00
—
datetime2024-02-08T08:55:26+00:00
—
datetime2024-02-08T08:55:26+00:00
—
datetime2024-02-08T08:55:26+00:00
—
datetime2024-02-08T08:58:25+00:00
—
datetime2024-02-08T08:58:25+00:00
—
datetime2024-02-08T08:58:25+00:00
—
datetime2024-02-08T08:58:25+00:00
—
datetime2024-02-08T08:58:25+00:00
—
datetime2024-02-08T08:58:25+00:00
—
datetime2024-02-08T08:58:25+00:00
—
datetime2024-02-08T08:58:25+00:00
—
datetime2024-02-07T07:43:10+00:00
—
datetime2024-02-08T09:02:37+00:00
—
datetime2024-03-07T09:27:05+00:00
—
datetime2024-03-13T10:22:44+00:00
—

Port

ValueDescriptionCopy
port443
—
port443
—
port443
—
port443
—
port443
—
port443
—
port443
—
port443
—
port443
—

As

ValueDescriptionCopy
as16509
—

Threat ID: 68359c9f5d5f0974d01fc2ef

Added to database: 5/27/2025, 11:06:07 AM

Last enriched: 7/5/2025, 10:54:42 PM

Last updated: 7/29/2025, 1:25:54 AM

Views: 14

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

External Links

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats