URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

CACHED · Showing previous scan from 11 d ago.
PHISHING · HIGH CONFIDENCE

Phishing detected

brand Unknown · scan id 39885481 · duration 13.26s · signals 4 failing / 17
Risk score 1.00
100 / 100 · High risk
URL hxxps://kleinanzeigen-deutsch[.]id73249[.]info/getpaymentm/247094252/m2
Host kleinanzeigen-deutsch[.]id73249[.]info
Registered domain id73249[.]info
Screenshot https://cdn.zerophish.ai/2ca854ae-db56-4261-85fe-11fff0f4c0d8.jpg
Scan ID 39885481-c18a-481a-a823-72b9a9a581a9
Signals (signal · finding · severity), showing 8 of 17

  • Brand typo-squat detected · No similar legitimate brand within edit-distance 2 · critical
  • Domain age · Awaiting analysis · high
  • Threat intel blocklists · Awaiting analysis · critical
  • Credential collection form · No credential collection form on visible content · high
  • Visual similarity to known brand · Brand presentation matches the registered owner · high
  • Favicon impersonation · Favicon matches the registered owner · medium
  • SSL certificate · Served over HTTPS · valid TLS certificate · low
  • DNS reputation · Awaiting analysis · medium

No brand impersonation signals available.

Host kleinanzeigen-deutsch.id73249.info
Registered domain id73249.info
Scheme https
Content length 44217 B
HTTP 200 · text/html
JARM 0d39b39b30d30d37d20320327d20122de7c02fe862e334985aa656e5df0651
Initial scan heuristic + LLM

Verdict: Phishing (likely)

What the page is presenting itself as

The URL kleinanzeigen-deutsch.id73249.info/getpaymentm/... serves a Cloudflare-branded block page titled “Suspected Phishing”. The content is essentially an interstitial warning page telling visitors the site has been reported for phishing.

Suspicious elements observed

  • Untrusted domain / brand mismatch: The domain kleinanzeigen-deutsch.id73249.info is not the legitimate registered domain for Kleinanzeigen (the real brand uses kleinanzeigen.de). The long/odd subdomain-like structure (id73249.info) and a path resembling a payment flow (getpaymentm/247094252/m2) are strong phishing infrastructure signals.
  • Phishing-discovery interstitial: The HTML explicitly states: “This website has been reported for potential phishing.” This indicates the hosting/network detected/flagged the site as malicious.
  • Suspicious “proceed” behavior: A bypass form includes a disabled button “Ignore & Proceed” wrapped in a form targeting /cdn-cgi/phish-bypass. Even though the button is disabled in this snapshot, the existence of a bypass mechanism is consistent with abusive “blocked page then continue” patterns.

Credential collection assessment

  • No login/password fields or credential-collection form are visible in the provided HTML. The only form shown is the Cloudflare phishing-bypass interstitial.

Favicon impersonation

  • No favicon element/content is provided here, so favicon impersonation cannot be confirmed.

Brand identification and URL relationship

  • The URL suggests a Kleinanzeigen-like impersonation via the string kleinanzeigen-deutsch, but the host is a .info domain under a different registrable domain (id73249.info), not the brand’s real domain.

Confidence

High: the combination of an obviously unrelated domain, a payment-like path, and Cloudflare’s explicit “Suspected Phishing” classification strongly indicates phishing.

🤖 Agent run #1 autonomous investigation

The URL kleinanzeigen-deutsch.id73249.info/getpaymentm/247094252/m2 is a phishing page impersonating the German classifieds platform Kleinanzeigen (formerly eBay Kleinanzeigen). However, the page is currently behind a Cloudflare anti-phishing block that prevents access to the actual phishing content — Cloudflare itself has flagged this domain as “Suspected Phishing” and disabled the bypass button. The subdomain resolves to Cloudflare’s proxy IP (104.21.27.8), meaning the true origin server is hidden behind Cloudflare. The URL path /getpaymentm/247094252/m2 strongly suggests a multi-stage phishing flow — likely a payment/credit-card harvesting step (m2 = stage 2) following an initial credential-harvest step. The credential-exfil backend could not be identified because the Cloudflare block prevented interaction with the underlying phishing form.