URL THREAT INTELLIGENCE · v0.5.0 · OPERATIONAL

The full anatomy of a phishing site,
one URL at a time.

ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.

CACHED · Showing previous scan from 14 d ago.
PHISHING · HIGH CONFIDENCE

Phishing detected

Brand Amazon · scan id f66e2502 · duration 5.8s · signals 1 failing / 12
Risk score 0.90 (90 / 100) · High risk
URL hxxps://amazongroup44[.]com/#/reg?t=689221
Host amazongroup44[.]com
Brand Amazon
Screenshot https://cdn.zerophish.ai/d39b5f14-4043-4fd0-9c03-eb9b41686850.jpg
Scan ID f66e2502-2e75-4e8b-9581-77dc716d5c62

Signals · showing 8 of 12

  • Brand typo-squat detected: No similar legitimate brand within edit-distance 2 (critical)
  • Domain age: Awaiting analysis (high)
  • Threat intel blocklists: Awaiting analysis (critical)
  • × Credential collection form: Credential collection form detected on the page (high)
  • Visual similarity to known brand: Brand presentation matches the registered owner (high)
  • Favicon impersonation: Favicon matches the registered owner (medium)
  • SSL certificate: Served over HTTPS · valid TLS certificate (low)
  • DNS reputation: Awaiting analysis (medium)

Amazon · amazon.com · 20%
Host amazongroup44.com
Registered domain amazongroup44.com
Scheme https
Content length 303826 B
HTTP 200 · text/html
Initial scan heuristic + LLM

Assessment: Likely phishing

What the page presents as

The page title is “Amazon” and the UI shows a “Sign up” flow. However, the URL is https://amazongroup44.com/, which is not Amazon’s real domain.

Suspicious elements found (with concrete signals)

  • Credential/PII collection form: The HTML contains a registration form (<form id="regForm">) with fields for sensitive data:
    • “Log password”
    • “Payment password”
    • “Phone Number” and “user name”
    Collecting a payment password is especially indicative of credential harvesting.
  • Brand impersonation mismatch (URL vs presented brand): The page claims to be Amazon (title “Amazon”), but the host is amazongroup44.com (not an Amazon-owned domain such as amazon.com). This is a strong phishing indicator.
  • JavaScript app shell / generic UI components: The content looks like a scripted single-page app (e.g., “Loading…”, #/reg route), which is common in phishing kits that render fake login/registration UIs.
  • Unusual domain structure / path: The URL includes a fragment and query-like parameter: /#/reg?t=689221. While fragments can be used legitimately, combined with the off-brand domain and credential fields, it increases suspicion.

Brand identification & domain check

  • Identified brand: Amazon (from <title>Amazon</title> and the “Sign up” page styling).
  • Domain legitimacy: The URL’s domain is amazongroup44.com, which does not match Amazon’s real registered domains. A credible “Amazon” sign-up page on a non-Amazon domain is a major red flag.

Verdict logic

A legitimate Amazon page would be served from Amazon’s real domains and would not ask users to enter a payment password as part of a generic “Sign up” form on an unrelated domain. The combination of:

  1. off-brand domain, and
  2. a form collecting multiple credentials,

strongly indicates phishing.

Confidence

High confidence due to explicit credential collection and clear brand/domain impersonation.