Phishing attempt on a "free 3 months nitro from Steam"

Phishing
,
1

Found an interesting target
This link has started spreading around online: https://dlscord.shop/steam/giveaway-nitro#
Dlscord.shop has been registered first on reg.ru

Traceroute
traceroute to dlscord.shop (95.181.157.36), 30 hops max, 60 byte packets
1 ip-10-0-0-14.ec2.internal (10.0.0.14) 0.808 ms 0.780 ms 0.773 ms
2 216.182.226.52 (216.182.226.52) 29.411 ms 216.182.229.174 (216.182.229.174) 19.300 ms 216.182.229.186 (216.182.229.186) 3.652 ms
3 100.65.120.144 (100.65.120.144) 2.531 ms 100.65.82.80 (100.65.82.80) 4.868 ms 100.65.80.0 (100.65.80.0) 6.202 ms
4 100.66.40.158 (100.66.40.158) 19.212 ms 100.66.15.130 (100.66.15.130) 20.775 ms 100.66.60.238 (100.66.60.238) 6.434 ms
5 241.0.4.193 (241.0.4.193) 1.436 ms 241.0.4.216 (241.0.4.216) 1.418 ms 241.0.4.196 (241.0.4.196) 1.431 ms
6 240.0.40.30 (240.0.40.30) 1.413 ms 241.0.4.208 (241.0.4.208) 1.185 ms 240.0.40.23 (240.0.40.23) 1.196 ms
7 242.0.171.17 (242.0.171.17) 1.423 ms 240.0.40.25 (240.0.40.25) 1.068 ms 242.0.171.129 (242.0.171.129) 17.541 ms
8 52.93.28.177 (52.93.28.177) 1.802 ms 52.93.28.173 (52.93.28.173) 4.219 ms 3.641 ms
9 100.100.28.32 (100.100.28.32) 2.408 ms 100.100.4.74 (100.100.4.74) 2.247 ms 100.100.4.72 (100.100.4.72) 2.241 ms
10 100.100.28.4 (100.100.28.4) 1.769 ms 100.100.4.64 (100.100.4.64) 1.888 ms 99.83.67.205 (99.83.67.205) 2.134 ms
11 ae33-xcr1.ltw.cw.net (195.2.24.246) 99.503 ms 100.100.4.66 (100.100.4.66) 14.219 ms 100.100.4.72 (100.100.4.72) 14.224 ms
12 100.100.4.78 (100.100.4.78) 14.165 ms 99.83.67.205 (99.83.67.205) 14.235 ms 13.812 ms
13 et-10-3-0-xcr1.att.cw.net (195.2.8.90) 97.248 ms ae4-pcr1.adr.cw.net (195.2.31.14) 92.287 ms 92.287 ms
14 ae4-pcr1.adr.cw.net (195.2.31.14) 92.322 ms ae8-xcr2.nyk.cw.net (195.2.30.189) 114.181 ms ae33-xcr1.ltw.cw.net (195.2.24.246) 99.505 ms
15 et-10-3-0-xcr1.att.cw.net (195.2.8.90) 85.772 ms 91.108.51.2 (91.108.51.2) 123.909 ms 217.161.82.229 (217.161.82.229) 102.932 ms
16 91.108.51.2 (91.108.51.2) 122.482 ms 109.239.134.135 (109.239.134.135) 128.279 ms 127.434 ms
17 91.108.51.2 (91.108.51.2) 121.942 ms * 217.161.82.229 (217.161.82.229) 104.110 ms
18 91.108.51.2 (91.108.51.2) 120.359 ms * *
19 * 185.121.240.251 (185.121.240.251) 120.743 ms *
20 * * *
21 reverse.proxy (95.181.157.36) 119.464 ms 121.772 ms *

Seems like a reverse proxy.
Nmap returned an open MySQL port. Well, all the ports are open but they are faked, however 3306 is open, 25, 22, 80, 443 and 2046

Seems like compromised accounts are sending the messages