URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

100 scans / day · free · typical scan 2–4 s
PHISHING · HIGH CONFIDENCE

Phishing detected

Brand: Unknown · Scan ID: 6b8db53c · Duration: 24.91 s · Signals: 8 failing / 34
Risk score: 1.00 (100 / 100 · High risk)
URL: hxxps://pesquisabr[.]online/inicio/ (flagged; tagged components: registered domain, path, protocol / query)
Email-auth posture (SPF/DMARC)
No DMARC record — domain trivially spoofable in phishing email
↑ risk
CAA issuer restriction
No CAA record — any certificate authority may issue a cert for this domain (phishing infra rarely sets CAA)
↑ risk
DNSSEC signing
Zone is not DNSSEC-signed — phishing domains are almost never signed
↑ risk
Brand typo-squat detected
No similar legitimate brand within edit-distance 2
↓ risk
Credential collection form
No credential collection form on visible content
↓ risk
Visual similarity to known brand
Brand presentation matches the registered owner
↓ risk
Favicon impersonation
Favicon matches the registered owner
↓ risk
SSL certificate
Served over HTTPS · valid TLS certificate
↓ risk
Brand-in-subdomain attack
No known brand label in subdomain
↓ risk
Homoglyph attack
ASCII only · no mixed-script characters detected
↓ risk
Domain randomness (DGA/entropy)
Registrable label "pesquisabr" reads as pronounceable / brand-like (randomness 40%)
↓ risk
Page language
Detected page language: Portuguese (pt) — best-effort
↓ risk
Credential-harvest cookie/localStorage key
Client-side storage read · 4 cookie/localStorage key(s) · none named like a credential
↓ risk
enrichment used: dns network jarm asn
URL hxxps://pesquisabr[.]online/inicio/
Host pesquisabr[.]online
Screenshot https://cdn.zerophish.ai/eec51401-35b7-4262-b983-e89e6258a35c.jpg
Scan ID 6b8db53c-336b-4634-9eee-f80b7b51751e
Brand typo-squat detected
No similar legitimate brand within edit-distance 2
critical
Domain age
Awaiting analysis
high
Threat intel blocklists
Awaiting analysis
critical
Credential collection form
No credential collection form on visible content
high
Visual similarity to known brand
Brand presentation matches the registered owner
high
Favicon impersonation
Favicon matches the registered owner
medium
SSL certificate
Served over HTTPS · valid TLS certificate
low
DNS reputation
Awaiting analysis
medium
Showing 8 of 34 signals.

No brand impersonation signals available.

Host pesquisabr.online
Registered domain pesquisabr.online
Scheme https
Content length 46773 B
HTTP 200 · text/html
DMARC policy none
SPF policy soft
MX records present
Initial scan heuristic + LLM

The page presents itself as an “educational” platform to “consulte gratuitamente seu CPF” (check your CPF for free) and states “Sem vínculo com bancos ou órgãos oficiais” (no affiliation with banks or official bodies). The HTML contains no visible login/credential form, password field, or payment/OTP collection, and it explicitly claims “Nenhum dado sensível é solicitado” (no sensitive data is requested).

However, the domain (pesquisabr.online) is not associated with any official CPF authority, and the copy promises to identify “registros financeiros vinculados” (linked financial records), which users may expect from government or financial institutions. While the current HTML looks like a lead-in landing page (“Iniciar consulta”, start consultation) rather than a direct form submission, it could still be part of a multi-step flow that later collects personal data. Overall, evidence of active credential harvesting is insufficient, so the verdict is conservative.

Suspicious signals are present primarily at the branding/authority level (independent platform vs. CPF-related promise) and the generic marketing/redirect parameters, but no direct phishing form elements were found in the provided content.

Agent run #1 · autonomous investigation

This is a confirmed phishing operation impersonating Serasa (Brazilian credit bureau). The landing page at /inicio/ poses as an “educational CPF consultation platform,” but clicking “Iniciar consulta” leads to /offer/ — a chat-like interface branded with Serasa logos, fake “people online” counters, and “Equipe Serasa” imagery. The page harvests CPF numbers (Brazilian tax IDs) via a textbox that submits to /proxy-octahub?cpf=XXXXXXXXXXX on the same domain, which proxies to an external backend at octahub.com.br (IP: 217.21.67.216). The infrastructure uses utmify.com.br for victim tracking (pixel ID 6a26f8518b7dbfbf1c9d770d), capturing IP, geolocation, user agent, and Facebook pixel data. No credential exfiltration to off-primary domains was directly observed — the CPF data goes through the primary domain’s proxy endpoint before reaching the octahub backend.