URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

100 scans / day · free · typical scan 2–4 s
CACHED Showing previous scan from 15 d ago. Click Reanalyze to run a fresh scan.
PHISHING · MEDIUM CONFIDENCE

Phishing detected

brand Unknown · scan id ba5ee735 · duration 13.29s · signals 1 failing / 12
Risk score 0.70
70 / 100 · High risk
URL hxxp://210[.]71[.]197[.]175/am[.]html
Host 210[.]71[.]197[.]175
Registered domain 197[.]175
Screenshot https://cdn.zerophish.ai/64299f83-c14a-4d12-a7d4-74430d966a9f.jpg
Scan ID ba5ee735-5bdf-4471-985d-29c6e5df5e67
Brand typo-squat detected · No similar legitimate brand within edit-distance 2 · critical
Domain age · Awaiting analysis · high
Threat intel blocklists · Awaiting analysis · critical
Credential collection form · No credential collection form on visible content · high
Visual similarity to known brand · Brand presentation matches the registered owner · high
Favicon impersonation · Favicon matches the registered owner · medium
× SSL certificate · Served over plaintext HTTP · low
DNS reputation · Awaiting analysis · medium
showing 8 of 12

No brand impersonation signals available.

Host 210.71.197.175
Registered domain 197.175
Scheme http
Content length 44178 B
HTTP 200 · text/html
Initial scan heuristic + LLM

What the page presents

The page is a Cloudflare “Suspected Phishing” block/landing page stating the site was reported for potential phishing.

Suspicious elements observed

  • Fake/blocked phishing attempt bypass UI: A form posts to "/cdn-cgi/phish-bypass" with a disabled bypass button labeled “Ignore & Proceed”. This pattern is used by Cloudflare to gate a user from a suspected phishing destination.
  • Security warning framing: The page explicitly says “This website has been reported for potential phishing.” and defines phishing (“attempts to steal sensitive information…”). This is the opposite of a typical phishing page (it’s warning the user), but it’s still the primary indicator that the original destination is untrusted.
  • No credential collection present in provided HTML/OCR: There are no login/password fields or other forms in the snippet besides the phish-bypass control.

Brand / URL relationship

  • Identified brand presented: None (no PayPal/Google/etc. branding in the supplied content). The only brand reference is Cloudflare (e.g., title “Suspected Phishing | Cloudflare” and footer link).
  • URL legitimacy: The URL http://210.71.197.175/am.html uses a raw IP address over plain HTTP rather than a well-formed brand domain. While the block page itself is Cloudflare-branded, the underlying site is addressed by a bare IP, a pattern commonly associated with phishing infrastructure.

Verdict

Phishing (or phishing attempt blocked): The content shown is a Cloudflare warning page indicating the destination was reported for potential phishing. Because the snippet lacks any credential form, this specific page likely does not harvest credentials itself; however, the presence of Cloudflare’s phishing block and the IP-based, non-brand HTTP URL strongly suggest the requested site is malicious/untrusted.