URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL
The full anatomy of a phishing site,
one URL at a time.
ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.
100 scans / day · free · typical scan 2–4 s
SAFE · HIGH CONFIDENCE
No phishing signals detected
Risk score: 0.05 (5 / 100 · Low risk)
URL anatomy
https://golem.de
Legend: flagged · registered domain · path · protocol / query
Indicators of compromise
| URL | hxxps://golem[.]de |
| Host | golem[.]de |
| Brand | Golem |
| Screenshot | https://cdn.zerophish.ai/49ffd45d-2959-4ad7-bf63-5fada94217ad.jpg |
| Scan ID | 2f3a9ae2-3157-434d-ad0b-2d68ee9e8600 |
Related detections
| 512 d ago | REVIEW | www.golem.de | safe |
| 518 d ago | REVIEW | www.golem.de | safe |
| 519 d ago | REVIEW | www.golem.de | safe |
Detection signals
| Brand typo-squat detected | No similar legitimate brand within edit-distance 2 | critical |
| Domain age | Awaiting analysis | high |
| Threat intel blocklists | Awaiting analysis | critical |
| Credential collection form | No credential collection form on visible content | high |
| Visual similarity to known brand | 100% structural similarity to Golem | high |
| Favicon impersonation | Favicon matches the registered owner | medium |
| SSL certificate | Served over HTTPS · valid TLS certificate | low |
| DNS reputation | Awaiting analysis | medium |
showing 8 of 12
Brand impersonation
Golem · 100%
Technical profile
| Host | golem.de |
| Registered domain | golem.de |
| Scheme | https |
| Content length | 58441 B |
| HTTP | 200 · text/html |
| JARM | 9b39b39b39b39b38c28c28c28c260269df93750a404486d78244c5e1b4ae04 |
| Redirect hops | 3 |
Analyst summary
Initial scan
What the page is
This page is a cookie-consent and subscription prompt for Golem.de (an IT news site). It asks users to “Cookies zustimmen” and provides privacy/cookie information and links to “Datenschutz,” “Impressum,” and “Golem pur.”
Suspicious elements checked (and what I found)
- Credential/credential-collection forms: None. The HTML contains a link labeled “Hier anmelden” to an account portal, but there is no visible password/login form or input fields in the provided HTML; nothing is submitting credentials to an attacker.
- Fake security warnings / urgent account issues: None. There are no messages like “your account is compromised,” “verify now,” or similar urgency cues—only cookie consent and subscription information.
- Brand mismatch / lookalike domain tricks: The page branding, title, and logo all match the URL and domain:
  - HTML title: “Golem”
  - Logo link: href="https://www.golem.de/" with “Golem.de - IT-News für Profis”
  - Header text: “Willkommen auf Golem.de!”
  - Primary links point to https://www.golem.de/...
  This strongly indicates legitimate site content rather than impersonation.
- Suspicious redirects / off-brand external targets: There are redirect links under the same site umbrella (e.g., https://redirect.golem.de/...). This is consistent with first-party marketing flows, not a sudden jump to unrelated domains.
URL vs. presented brand
- URL: https://golem.de
- Brand presented: Golem / “Golem.de”
- The URL’s domain matches the brand shown in the content, and internal links use www.golem.de and account.golem.de, which are consistent with a real publisher/site.
Conclusion
Verdict: Legitimate. The content is consistent with a normal cookie-consent and subscription onboarding flow for Golem.de, with no credential-harvesting form and no classic phishing cues (fake security alerts, urgent account verification, or cross-domain brand impersonation).