URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

CACHED Showing previous scan from 12 d ago.
PHISHING · HIGH CONFIDENCE

Phishing detected

Brand: Amazon · Scan ID: a1b1d10b · Duration: 11.09s · Signals: 1 failing / 12
Risk score 0.92
92 / 100 · High risk
URL hxxps://amazongroup44[.]com/#/reg?t=689221
Host amazongroup44[.]com
Brand Amazon
Screenshot https://cdn.zerophish.ai/c0c51113-96ac-433b-a84e-08009c4ef346.jpg
Scan ID a1b1d10b-e687-47b1-a0e8-3d9b5d82671a
  • Brand typo-squat detected (critical): No similar legitimate brand within edit-distance 2
  • Domain age (high): Awaiting analysis
  • Threat intel blocklists (critical): Awaiting analysis
  • × Credential collection form (high): Credential collection form detected on the page
  • Visual similarity to known brand (high): Brand presentation matches the registered owner
  • Favicon impersonation (medium): Favicon matches the registered owner
  • SSL certificate (low): Served over HTTPS · valid TLS certificate
  • DNS reputation (medium): Awaiting analysis
showing 8 of 12
Amazon
amazon.com
22%
Host amazongroup44.com
Registered domain amazongroup44.com
Scheme https
Content length 303826 B
HTTP 200 · text/html
Initial scan heuristic + LLM

Verdict: Phishing

This page presents itself as Amazon (“<title>Amazon</title>”, and the UI heading “Sign up”), but the URL is https://amazongroup44.com—not Amazon’s real domain. The overall structure is a registration flow intended to harvest credentials.

Suspicious elements found

  • Credential collection form (high risk): The page contains a form with fields that strongly indicate account takeover/financial harvesting:
    • Log password
    • Payment password
    • “user name”
    • “Phone Number”
    These are typical of phishing/malicious account enrollment used to steal both login and payment-related secrets.
  • Brand mismatch / lookalike: The HTML title is “Amazon”, but the host is amazongroup44.com with a non-Amazon TLD and no Amazon domain.
  • Non-legitimate SPA routing: The URL uses a hash route (“/#/reg?t=689221”), a common pattern in phishing kits where the attacker serves a single-page app that looks like a real service.
  • No credible Amazon identifiers: The provided HTML snippet shows no verifiable Amazon domain assets, legal notices, or other trust signals—just the login/registration UI.

Brand identification and URL check

  • Identified brand: Amazon (explicitly in the document title and visible “Sign up” registration layout).
  • Domain validation: Amazon is not served from amazongroup44.com. Therefore, the site is impersonating Amazon from an unrelated domain.

Why this is phishing

  • The combination of (1) Amazon impersonation, (2) a credential-harvesting registration form, and (3) a clearly unrelated domain is a strong phishing indicator.

Confidence is high because the page directly collects passwords (including a “Payment password”), which is extremely uncommon for legitimate third-party registration pages and is a common phishing tactic.