URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

PHISHING · HIGH CONFIDENCE

Phishing detected

brand DPD · scan id bc69ccde · duration 28.58s · signals 11 failing / 35
Risk score 1.00
100 / 100 · High risk
× Credential collection form: Credential collection form detected on the page (↑ risk)
× Email-auth posture (SPF/DMARC): No DMARC record — domain trivially spoofable in phishing email (↑ risk)
! Visual similarity to known brand: 55% partial similarity to DPD (↑ risk)
! CAA issuer restriction: No CAA record — any certificate authority may issue a cert for this domain (phishing infra rarely sets CAA) (↑ risk)
! DNSSEC signing: Zone is not DNSSEC-signed — phishing domains are almost never signed (↑ risk)
Brand typo-squat detected: No similar legitimate brand within edit-distance 2 (↓ risk)
Favicon impersonation: Favicon matches the registered owner (↓ risk)
SSL certificate: Served over HTTPS · valid TLS certificate (↓ risk)
Brand-in-subdomain attack: No known brand label in subdomain (↓ risk)
Homoglyph attack: ASCII only · no mixed-script characters detected (↓ risk)
Domain randomness (DGA/entropy): Registrable label "cprapid" reads as pronounceable / brand-like (randomness 35%) (↓ risk)
Page language: Detected page language: English (en) — best-effort (↓ risk)
Credential-harvest cookie/localStorage key: Client-side storage read · 7 cookie/localStorage key(s) · none named like a credential (↓ risk)
enrichment used: dns network jarm asn
URL hxxps://74-248-32-242[.]cprapid[.]com/de/kasse[.]php
Host 74-248-32-242[.]cprapid[.]com
Registered domain cprapid[.]com
Brand DPD
Screenshot https://cdn.zerophish.ai/6c78b913-a892-4574-8d0e-3ff75d9fe2a6.jpg
Scan ID bc69ccde-f8f7-4222-be43-fc2b75d5f58f
445 d ago · PHISHING · fm-att.50-6-202-102.cprapid.com
Brand typo-squat detected: No similar legitimate brand within edit-distance 2 (critical)
Domain age: Awaiting analysis (high)
Threat intel blocklists: Awaiting analysis (critical)
× Credential collection form: Credential collection form detected on the page (high)
! Visual similarity to known brand: 55% partial similarity to DPD (high)
Favicon impersonation: Favicon matches the registered owner (medium)
SSL certificate: Served over HTTPS · valid TLS certificate (low)
DNS reputation: Awaiting analysis (medium)
showing 8 of 35
Host 74-248-32-242.cprapid.com
Registered domain cprapid.com
Scheme https
Content length 80170 B
HTTP 200 · text/html
DMARC policy none
SPF policy none
MX records none
Initial scan heuristic + LLM

The page presents itself as a DPD checkout (“💳 DPD Kasse”) where you must “Geben Sie Ihre Kartendaten ein” (enter your card details) and then “Pay securely.” It includes a full payment/credential collection form with fields for cardholder name, card number, expiration date, and “Security code (CVV),” plus payment method branding (Visa/Mastercard/Amex/Maestro) and badges like “PCI DSS compliant” and “3D Secure,” indicating a classic card-skimming phishing flow.

A major red flag is the hosting domain: the URL is 74-248-32-242.cprapid.com/de/kasse.php, which is not a DPD-registered domain (DPD uses dpd.com in the page’s own footer links and email). The mismatch between the DPD branding in the UI and the non-DPD domain used to serve the payment form strongly suggests the site is impersonating DPD to harvest payment data.

Overall, the combination of a believable brand-themed checkout UI, direct collection of card credentials, and a suspicious non-brand domain hosting the form leads to a phishing verdict with medium confidence.

🤖 Agent run #1 autonomous investigation

This is a confirmed DPD-branded phishing page hosted on 74-248-32-242.cprapid.com (IP 74.248.32.242). The frontend at /de/kasse.php collects full credit card details (cardholder name, card number, expiry date, CVV) under the guise of a DPD parcel payment. Upon submission, the card data is POSTed in plaintext to /de/action.php on the same host, which then redirects to /de/auth.php — a fake “Payment in progress” stall screen showing a fabricated transaction ID. No off-host credential exfiltration was observed; the attacker stores credentials on the same server. The page is tracked by multiple analytics services (dtscout.com, mrktmtrcs.net, amung.us) that profile victims. Legitimate DPD assets from www.dpd.com are hotlinked to enhance the illusion of authenticity.