URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site, one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

PHISHING · HIGH CONFIDENCE

Phishing detected

Brand: OLX · Scan ID: 9659a052 · Duration: 23.17 s · Signals: 6 failing / 19
Risk score: 1.00 (100 / 100 · High risk)
URL hxxps://olx[.]paycore-send[.]sbs/a/Mi9hTEx3WDI2ODJR?us=gm
Host olx[.]paycore-send[.]sbs
Registered domain paycore-send[.]sbs
Brand OLX
Screenshot https://cdn.zerophish.ai/249aca4e-16db-467c-9e81-be40fa0caf47.jpg
Scan ID 9659a052-28e3-4b7e-aaa9-b3ee126c1e54
Detection signals (signal · result · severity)
Brand typo-squat detected · No similar legitimate brand within edit-distance 2 · critical
Domain age · Awaiting analysis · high
Threat intel blocklists · Awaiting analysis · critical
Credential collection form · No credential collection form on visible content · high
Visual similarity to known brand · Brand presentation matches the registered owner · high
Favicon impersonation · Favicon matches the registered owner · medium
SSL certificate · Served over HTTPS · valid TLS certificate · low
DNS reputation · Awaiting analysis · medium
Showing 8 of 19 signals.
Captured page · screenshot captured at scan time (live page render)
Host olx.paycore-send.sbs
Registered domain paycore-send.sbs
Scheme https
Content length 104438 B
HTTP 200 · text/html
JARM 0d39b39b30d30d37d20320327d20122de7c02fe862e334985aa656e5df0651
Redirect hops 1
Initial scan heuristic + LLM

Verdict: Phishing (likely)

The page presents itself as an OLX.pl transaction/checkout flow: it shows an item listing title (“Bluza polar dziewczęca rozm.158-164”, i.e. a girls' fleece sweatshirt, size 158-164), buyer/sender details, a total price (“20.00 zł”), and a button “Potwierdź sprzedaż” (“Confirm sale”) alongside sections labeled “BEZPIECZEŃSTWO TRANSAKCJI” (transaction security), “PAKIET OCHRONNY” (protection package) and “GWARANCJA DOSTAWY” (delivery guarantee). This is language commonly used to pressure users into completing a payment or confirmation step.

Key suspicious signals:

  • Domain mismatch / lookalike infrastructure: the URL is on olx.paycore-send.sbs, not an OLX-owned domain (OLX uses domains such as olx.pl). Placing an OLX-branded transaction flow on a subdomain of an unrelated domain under the .sbs TLD is a strong phishing indicator.
  • Checkout-style “safety” messaging: the page claims protection and immediate fund handling (e.g., “Twoje pieniądze są w pełni zabezpieczone”, “your money is fully secured”, and “zostaną dostarczone po potwierdzeniu transakcji”, “will be delivered once the transaction is confirmed”). Attackers often use reassurance copy to reduce suspicion while steering the user toward an action.
  • Action-oriented CTA: “Potwierdź sprzedaż” (“Confirm sale”) suggests a confirmation step that could be tied to collecting additional data or initiating a fraudulent payment/authorization flow.
  • Resource hosting inconsistency: images are loaded from mixed origins, including olx.paycore-send.sbs/_next/image?..., rather than being served from OLX’s normal asset/CDN domains.

Because the page imitates OLX’s branding and transaction protections but is hosted on an unrelated third-party domain, the risk that it is a phishing/transaction-stealing page is high.

Recommendation: do not interact with “Potwierdź sprzedaż” (“Confirm sale”) from this URL; instead navigate to OLX directly from a trusted bookmark or the official app and verify the listing/sale there.

🤖 Agent run #1 autonomous investigation

Confirmed multi-stage phishing operation impersonating OLX.pl (Polish classifieds platform) and mBank (Polish bank). The phishing flow spans three stages: (1) a fake OLX product listing for a fleece jacket at 20.00 zł, (2) a fake “Stripe-powered” payment page prompting bank selection from ~20 Polish banks, and (3) a convincing fake mBank login page. Canary bank credentials (login + password) were captured via POST to olx.paycore-send.sbs/api/stripe/event/data with the payload including bank_id, bank_name, and event_type “enter_lk_data”. The phishing kit also uses api.ip.sb for victim geo-IP lookups. All hostile infrastructure is on a single Cloudflare-backed host at 188.114.97.3.