Notes: The privacy‑protected registration makes attribution difficult. The registrar (NameCheap) is a popular choice for malicious actors because of its cheap pricing and low verification friction. | Component | Details | |-----------|---------| | IP Address (A record) | 52.210.174.44 (Amazon AWS EC2, us‑east‑1) | | Reverse DNS | ec2-52-210-174-44.compute‑1.amazonaws.com | | Hosting Provider | Amazon Web Services – EC2 (t3.micro) | | CDN / WAF | Cloudflare (CNAME instapv.link.cdn.cloudflare.net present intermittently – likely used for traffic obfuscation) | | TLS Certificate | Sectigo RSA Domain Validation – SHA‑256, 2048‑bit RSA, valid until 23 Mar 2025. | | Web Server | Nginx 1.24 (detected via HTTP headers) | | Technology Stack | HTML5, jQuery 3.7, custom JavaScript obfuscator ( jsobfuscator.io ), Google Analytics (UA‑ UA‑XXXXX‑Y ) | | Redirect Chain | instapv.link → https://instapv.link/redirect?c=xxxx (302) → https://short.url/ABCD (301) → https://shop.myshopify.com/collections/... | | Malicious Scripts | Keylogger (embedded via https://cdn.jsdelivr.net/npm/keycode – suspicious version 1.3.0) Credential‑harvester – HTML form with action="https://api-instapv.com/collect" (POST of username , password ) | 4. Content & Behaviour Analysis 4.1 Landing Page (snapshot 07‑Apr‑2026) | Element | Description | |---------|-------------| | Title | “Instant Photo & Video – Get More Followers Today!” | | Header | Large banner image showing a stylised Instagram logo merged with a camera. | | Copy | “Enter your Instagram credentials to link your account and start gaining instant likes and views.” | | Form Fields | Instagram Username , Instagram Password , optional Phone number | | Call‑to‑Action | “Connect My Instagram” (button) | | Hidden iFrames | Two invisible iframes loading https://cdn.jsdelivr.net/.../analytics.js and https://track.instapv.link/collect (likely for session tracking). | | Redirect Logic | Upon successful form submission, JavaScript sends credentials via XHR to api-instapv.com and then redirects the victim to a legitimate‑looking Shopify store where they are prompted for a “subscription” payment (card details). | 4.2 Observed Campaigns | Campaign ID | Distribution Channel | Sample Message | Landing URL | |------------|----------------------|----------------|------------| | PH‑2024‑001 | Bulk SMS (US numbers) | “Your Instagram likes are low! Click to boost instantly 👉 instapv.link/boost” | https://instapv.link/boost | | PH‑2024‑007 | Instagram DM (spam accounts) | “Hey, I saw your profile – check this out: https://instapv.link/secret” | https://instapv.link/secret | | PH‑2024‑023 | Phishing email (spoofed Instagram) | “We noticed suspicious login attempts. Verify your account: instapv.link/verify” | https://instapv.link/verify | Video Ngintip Masturbasi Cewek Indonesia Untuk Hp Hit Hit Best - Woman."