URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

PHISHING · HIGH CONFIDENCE

Phishing detected

brand: Facebook · scan id: 049c03f8 · duration: 28.89s · signals: 5 failing / 25
Risk score: 1.00 (100 / 100 · High risk)
  • [×] Credential collection form: Credential collection form detected on the page (↑ risk)
  • [×] Favicon impersonation: Favicon visually matches Facebook · not served by the legitimate domain (↑ risk)
  • [×] SSL certificate: Served over plaintext HTTP (↑ risk)
  • [×] Email-auth posture (SPF/DMARC): No DMARC record; domain trivially spoofable in phishing email (↑ risk)
  • [!] Visual similarity to known brand: 55% partial similarity to Facebook (↑ risk)
  • [!] DNSSEC signing: Zone is not DNSSEC-signed; phishing domains are almost never signed (↑ risk)
  • Brand typo-squat detected: Registered brand domain (↓ risk)
  • Brand-in-subdomain attack: No known brand label in subdomain (↓ risk)
  • Homoglyph attack: ASCII only · no mixed-script characters detected (↓ risk)
  • Domain randomness (DGA/entropy): Registrable label "github" reads as pronounceable / brand-like (randomness 25%) (↓ risk)
  • CAA issuer restriction: CAA restricts certificate issuance to: letsencrypt.org, sectigo.com, digicert.com (↓ risk)

enrichment used: dns, network, jarm, asn
URL: hxxp://omerguzelim[.]github[.]io/Facebook
Host: omerguzelim[.]github[.]io
Registered domain: github[.]io
Brand: Facebook
Screenshot: https://cdn.zerophish.ai/9a6239ae-a306-46f9-96d6-0cccb9759887.jpg
Scan ID: 049c03f8-abf3-43d6-bfb6-2ce5bac45e48
  • Brand typo-squat detected: Registered brand domain (critical)
  • Domain age: Awaiting analysis (high)
  • Threat intel blocklists: Awaiting analysis (critical)
  • [×] Credential collection form: Credential collection form detected on the page (high)
  • [!] Visual similarity to known brand: 55% partial similarity to Facebook (high)
  • [×] Favicon impersonation: Favicon visually matches Facebook · not served by the legitimate domain (medium)
  • [×] SSL certificate: Served over plaintext HTTP (low)
  • DNS reputation: Awaiting analysis (medium)

showing 8 of 25
Captured page
Facebook · facebook.com · 55%
Host: omerguzelim.github.io
Registered domain: github.io
Scheme: http
Content length: 4435 B
HTTP: 200 · text/html
DMARC policy: none
SPF policy: strict
MX records: none
Initial scan: heuristic + LLM

What the page is presenting

The page imitates a Facebook login screen (Turkish UI) with the heading text: “Facebook tanıdıklara iletişim kurmanı ve hayatında olup bitenleri paylaşmanı sağlar.” It includes a typical sign-in card with inputs for an email/phone and a password.

Key phishing signals found

  • Credential collection form present: There is an <input type="email" placeholder="Eposta veya Telefon Numarası"> and <input type="password" placeholder="Şifre">, plus a login button labeled “GİRİŞ YAP.” This is a direct harvesting target for account credentials.
  • Brand impersonation via look/feel: The page uses Facebook branding assets, including an icon link <link rel="shortcut icon" href="img/Facebook_Logo_(2019).png"> and an on-page logo <img src="img/Facebook-Logo.png" ...>, alongside extensive Facebook/Meta navigation links in the footer.
  • URL/hosting mismatch: The URL is http://omerguzelim.github.io/Facebook (a GitHub Pages subpath), not a real Facebook-owned domain (e.g., facebook.com). This domain discrepancy is a strong indicator that the form is not authentic.
  • Suspicious login action wiring: The login control is an anchor <a href="#" class="login">GİRİŞ YAP</a> with no real form action shown in the simplified HTML, which is common in front-end-only phishing mockups or scripts that submit credentials via JavaScript/back-end not visible here.

Brand identification and domain relation

  • Identified brand: Facebook (explicit in the page title “Facebook - Giriş Yap veya Kaydol” and the UI copy).
  • Real-domain check: The host is github.io, not a Facebook registered domain. Even though the branding looks familiar, the site is not served from Facebook’s legitimate domain, which makes it highly likely to be fraudulent.

Conclusion

Given the presence of a password + email/phone collection UI, the strong Facebook visual impersonation, and the clear non-Facebook hosting domain (omerguzelim.github.io), this page is very likely a phishing site designed to steal Facebook credentials.

🤖 Agent run #1 autonomous investigation

This is a confirmed Facebook phishing page hosted on GitHub Pages at omerguzelim.github.io/Facebook/. The page is a Turkish-language Facebook login clone with email/phone and password credential fields, Facebook branding (logo, UI styling), and standard Facebook footer links — all rendered on a non-Facebook domain. The credential-exfil mechanism did not fire during probing (no JavaScript loaded, no form action POST observed, no off-primary requests beyond the benign Font Awesome CDN), which suggests either the attacker’s backend was taken down, the exfiltration script wasn’t deployed, or this is a template staged for future use. Nonetheless, the page is unmistakably a phishing frontend: it impersonates Facebook, collects credentials, and has no legitimate reason to exist on a random GitHub Pages account.