0/100

critical Risk

guileless-mooncake-6f836c.netlify.app

https://guileless-mooncake-6f836c.netlify.app/

18.208.88.157 · AWS EC2 (us-east-1)

Location

Ashburn, United States

Domain Age

2865 days

HTTP

200 · 27.6s

SSL

Valid· DigiCert Global G2 TLS RSA SHA256 2020 CA1, DigiCert Inc, US

Status

COMPLETED

Visual Evidence

Screenshot of guileless-mooncake-6f836c.netlify.app

Zoom

Title: "Sign in to Xfinity"

Save

Registered-domain escalation

Submit netlify.app as the primary IOC, enriched with evidence from hostile subdomains like guileless-mooncake-6f836c.netlify.app.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Xfinity

Credential Phishing

Summary

This site at guileless-mooncake-6f836c.netlify.app is impersonating Xfinity by presenting a Sign in to Xfinity page. The page title and UI resemble Xfinity’s login flow, yet the domain is not an official Xfinity domain. The page loads a login form and collects credentials, indicating credential harvesting attempts.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Canonical stage contains password collection UI.

▸Off-domain submission or API endpoints observed: https://api.ipify.org/?format=json.

▸Distinctive asset clues: 3.4.17, css2.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 1

Password fields: 1

Late-stage login UI: No

Resource Signals

Resources: 11

Hosts: 6

Domains: 6

Suspicious Endpoints

hxxps://guileless-mooncake-6f836c[.]netlify[.]app/

hxxps://api[.]ipify[.]org/?format=json

hxxps://guileless-mooncake-6f836c[.]netlify[.]app/$%7BbaseURL%7Dmain

Off-Domain Posts

hxxps://api[.]ipify[.]org/?format=json

Attack Techniques (4)

Typosquat or brand impersonation via non-official domain (guileless-mooncake-6f836c.netlify.app) claiming to be XfinityCloned SPA/login UI resembling Xfinity with password field and single credential formBrand assets or UI cues (text: 'Sign in to Xfinity') loaded from a third-party hosting domainOff-domain or external API reference observed (ipify) to fingerprint or exfiltrate data

Indicators of Compromise (6)

▸DOMAIN: guileless-mooncake-6f836c.netlify.app (suspect for impersonation)

▸PAGE TITLE: 'Sign in to Xfinity' indicating brand impersonation

▸NETWORK REQUEST: API endpoints including https://api.ipify.org/?format=json suggesting data exfiltration attempts

▸FORM: Login form with password input present in HTML and observed credential signals

▸SSL: Valid certificate issued to *.netlify.app (newly issued within a year) on a free hosting domain

▸WHOIS: Domain age 2865 days; registrar Name.com, but hosting via netlify.app

Risk AssessmentUsed in abuse reports

The page presents a credible credential phishing setup targeting Xfinity users. The non-official domain hosting a page with the exact branding and a password field constitutes impersonation and credential harvesting. The page includes a login form and uses external scripts/assets to render a Tailwind-based UI that mimics the legitimate service, and it contacts an off-domain endpoint (api.ipify.org) that could be used for exfiltration. Given the brand mismatch, the page poses a high risk to end users; immediate action to suspend domain and block hosting URL is recommended, with monitoring for related domains and screensharing of similar clones.

Recommended Action

Monitor

Cross-Reference8

URL Intelligence