URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

CACHED Showing previous scan from 3 h ago. Click Reanalyze to run a fresh scan.
PHISHING · HIGH CONFIDENCE

Phishing detected

brand Instagram · scan id 573548db · duration 20.58s · signals 7 failing / 19
Risk score 1.00
100 / 100 · High risk
URL hxxp://instagram-login-page-two[.]vercel[.]app/
Host instagram-login-page-two[.]vercel[.]app
Registered domain vercel[.]app
Brand Instagram
Screenshot https://cdn.zerophish.ai/5a8ed554-9ae2-421e-a38c-d759cd12e454.jpg
Scan ID 573548db-0259-4b43-8d02-b938d4e24afd
Brand typo-squat detected · No similar legitimate brand within edit-distance 2 · critical
Domain age · Awaiting analysis · high
Threat intel blocklists · Awaiting analysis · critical
× Credential collection form · Credential collection form detected on the page · high
× Visual similarity to known brand · 85% structural similarity to Instagram · high
Favicon impersonation · Favicon matches the registered owner · medium
× SSL certificate · Served over plaintext HTTP · low
DNS reputation · Awaiting analysis · medium
showing 8 of 19
Host instagram-login-page-two.vercel.app
Registered domain vercel.app
Scheme http
Content length 40737 B
HTTP 200 · text/html
JARM 7939b39b37937938c29629628c260286f3d82c0d5f5c56c1c29a72a8aa219f
Redirect hops 2
Initial scan heuristic + LLM

Verdict: Phishing

This page impersonates Instagram using the Instagram-branded layout and UI copy, but it is hosted on a suspicious, non-official domain.

What the page presents itself as

  • The page title and visible header are “Instagram”.
  • The primary action is “Log in” and there is an option for “Log in with Facebook.”
  • There are supporting links like “Forgot password?” and “Sign up.”

Suspicious elements found

  • Credential collection UI: There is a login form in the HTML: <form class="login-form"> with a submit button “Log in”. Even though the simplified HTML does not show input fields, this type of form is consistent with phishing credential harvesting.
  • Brand impersonation on a non-brand domain: The URL is http://instagram-login-page-two.vercel.app/. Instagram’s real domains are typically instagram.com (or related Meta-owned domains). An “instagram-login-page-two” label on a vercel.app subdomain is a strong impersonation indicator.
  • Lookalike branding: The page includes an Instagram mockup image from static.cdninstagram.com/.../screenshot1.png and uses Instagram header/logo text, aiming to appear authentic.

Brand vs. URL check

  • Identified brand: Instagram.
  • Domain match: The host instagram-login-page-two.vercel.app does not belong to Instagram’s registered domain set (e.g., not instagram.com). This mismatch is a high-confidence phishing signal.

Conclusion

Because the page imitates Instagram’s login flow while being hosted on a non-official, suspicious subdomain, it should be treated as phishing. The presence of a login form UI further increases the likelihood that credentials will be harvested.

🤖 Agent run #1 autonomous investigation

This is a confirmed Instagram credential-phishing page hosted on Vercel at instagram-login-page-two.vercel.app (216.198.79.67). The page faithfully impersonates Instagram’s login UI with the brand heading, mockup screenshots hotlinked from Instagram’s real CDN (static.cdninstagram.com), and fields for username/email and password. After three separate canary-credential submissions (click, Enter, varying wait times up to 8s), no credential POST to any off-primary host was observed — the form appears to either use a GET method with unnamed fields or rely on server-side logging of the navigation itself. No secondary exfil backend was identified; the Vercel deployment IS the sole hostile host. All auxiliary links (“Forgot password?”, “Sign up”, “Log in with Facebook”) are dead # anchors, confirming this is a single-purpose credential harvester.