zerophish / console
Register Sign in
URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

scan
100 scans / day · free · typical scan 2–4 s ·
try
Result scan a726f852
Scan another →
CACHED Showing previous scan from 3 h ago. Click Reanalyze to run a fresh scan.
PHISHING · HIGH CONFIDENCE

Phishing detected

brand Instagram scan id a726f852 duration 21.91s signals 2 failing / 15
Risk score 0.86
86 / 100 · High risk
Tags
URL anatomy canburnlikeacigarette.github.io
https :// canburnlikeacigarette . github . io /vibexarr/
flagged registered domain path protocol / query
Why this verdict 8 contributing signals · model gpt-5.4-nano
×
Visual similarity to known brand
92% structural similarity to Instagram
↑ risk
×
Email-auth posture (SPF/DMARC)
No DMARC record — domain trivially spoofable in phishing email
↑ risk
Brand typo-squat detected
Registered brand domain
↓ risk
Credential collection form
No credential collection form on visible content
↓ risk
Favicon impersonation
Favicon matches the registered owner
↓ risk
SSL certificate
Served over HTTPS · valid TLS certificate
↓ risk
Brand-in-subdomain attack
No known brand label in subdomain
↓ risk
Homoglyph attack
ASCII only · no mixed-script characters detected
↓ risk
enrichment used: dns network jarm asn
Indicators of compromise 6 · click any row to copy
URL hxxps://canburnlikeacigarette[.]github[.]io/vibexarr/
Host canburnlikeacigarette[.]github[.]io
Registered domain github[.]io
Brand Instagram
Screenshot https://cdn.zerophish.ai/e8a94a31-0ea5-41ec-b453-e681340a6ab8.jpg
Scan ID a726f852-7149-4e51-830d-a8633f5f1df1
Related detections 1 other scan on this registered domain
531 d ago
 PHISHING app-trzor-suite-cdn.github.io view →
Detection signals 2 fail · 0 warn · 6 pass
Brand typo-squat detected
Registered brand domain
critical
Domain age
Awaiting analysis
high
Threat intel blocklists
Awaiting analysis
critical
Credential collection form
No credential collection form on visible content
high
×
Visual similarity to known brand
92% structural similarity to Instagram
high
Favicon impersonation
Favicon matches the registered owner
medium
SSL certificate
Served over HTTPS · valid TLS certificate
low
DNS reputation
Awaiting analysis
medium
showing 8 of 15 ·
Captured page from scan
Captured page
screenshot · captured at scan live page render
Brand impersonation social
I
Instagram
instagram.com
92%
Technical profile resolved at scan time
Host canburnlikeacigarette.github.io
Registered domain github.io
Scheme https
Content length 11600 B
HTTP 200 · text/html
DMARC policy none
SPF policy strict
MX records none
Analyst summary AI-generated
Initial scan heuristic + LLM

Verdict: Phishing (High confidence)

This page presents itself as an Instagram login/registration screen (HTML title and visible brand label: “Instagram”), but it is served from an unrelated GitHub Pages domain: canburnlikeacigarette.github.io. That domain does not match Instagram’s real, registered web properties.

Suspicious elements observed

  • Impersonation of a major brand: The UI uses Instagram-style wording and branding (e.g., large “Instagram” logo text and “Masuk” / “Daftar” flows).
  • Credential-harvesting interface risk: The page contains login/register UI sections (“formLogin” with a “Masuk” button calling onclick="login()"), plus typical account actions like “Lupa sandi?” (forgot password). Even though the simplified HTML does not show explicit input fields, this kind of page commonly captures credentials via client-side scripts.
  • Social login lure: It offers “Masuk dengan Facebook” and a Facebook-themed registration button (“Daftar dengan Facebook”). Using social-login branding can help users trust the page and proceed without scrutinizing the domain.
  • Non-official hosting / mismatched URL: The URL is under a random GitHub Pages path (/vibexarr/) rather than a first-party Instagram domain (e.g., instagram.com).
  • Use of placeholder links: Multiple links use href="#", which is typical of mockups that rely on JavaScript to perform actions (often including credential submission).

Brand/URL relationship

  • Presented brand: Instagram.
  • Actual domain: canburnlikeacigarette.github.io (GitHub Pages). This is not Instagram’s official domain, so the page’s identity does not align with the hosting infrastructure.

Why this is likely phishing

A cloned Instagram auth page hosted on an unrelated domain, combined with login/forgot-password flows and social-login prompts, is a strong pattern for credential theft or account compromise. Due to the clear brand impersonation and domain mismatch, the risk is high.