mass.report
Scan Intelligence Report0/100
low Risk
sonicrefs.su
https://sonicrefs.su/
IP
104.21.3.150 · Cloudflare, Inc.
Location
Toronto, Canada
Domain Age
—
HTTP
200 · 19.4s
SSL
Valid· WE1, Google Trust Services, US
Status
COMPLETED
KB/IOK Matches (0)—
No KB/IOK detections were recorded for this scan.
Sonic Refunds
Credential Phishingfinance | ecommerce | technology | payments · 4/5/2026
Summary
This site at sonicrefs.su presents itself as a real service branded Sonic Refunds, claiming to be the #1 Refund Service Worldwide. The page title, meta tags, and visual assets strongly impersonate a legitimate refund service, while the domain does not belong to the brand (sonicrefs.su vs a likely legitimate Sonic Refunds domain). The SPA loads multiple JS assets and fonts, suggesting dynamic credential capture via client-side code. The presence of Cloudflare infrastructure and a modern SPA architecture further indicates an intent to harvest user data under a trusted-appearing brand facade.
Attack Techniques (5)
Typosquatting/brand impersonation via non-official domain sonicrefs.suCloned SPA-like UI rendering credentials via JavaScript bundles (index-CM-eCAEo.js, vendor-Ct4PJp1h.js, ui-CEtOmfko.js)Brand assets and fonts loaded to imitate Sonic Refunds (logo-like visuals, fonts from Google/Font sources)External analytics beacon (cloudflareinsights.beacon) used to track visitors0 static HTML forms; credentials likely captured via dynamically rendered forms in SPA
Indicators of Compromise (6)
▸DOMAIN: sonicrefs.su (IOC)
▸PAGE TITLE: Sonic Refunds - #1 Refund Service Worldwide (brand impersonation)
▸NETWORK: assets/index-CM-eCAEo.js, vendor-Ct4PJp1h.js, ui-CEtOmfko.js (likely credential capture logic)
▸NETWORK: https://static.cloudflareinsights.com/beacon.min.js (common but used in obfuscated tracking in phishing pages)
▸GOOGLE/Fonts: Orbitron, Rajdhani, Inter fonts loaded to mirror branding
▸SSL Cert: valid Jan 19 2026 to Apr 19 2026 issued by Google Trust Services (CN sonicrefs.su) — recent and potentially indicative of phishing preparation
Risk AssessmentUsed in abuse reports
Scanner observed the live page rendering Sonic Refunds branding within a domain not controlled by the brand. The page uses a SPA with external JavaScript bundles likely designed to capture credentials, and the static HTML contains no forms, indicating credential harvesting via JavaScript. The domain sonicrefs.su is unrelated to the legitimate Sonic Refunds domain and employs Cloudflare, suggesting attempt to evade basic scans while delivering an impersonation to real users. The SSL certificate is recently issued and active for a short period, which increases risk. This constitutes high-risk credential phishing targeting users of a known refund service; abuse teams should treat this as impersonation and immediate takedown-worthy.
Recommended Action
Monitor
Cross-Reference8
URL Intelligence
Domain Intelligence
IP Intelligence
Public threat feed available — JSON API