https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://nz.ua/&ved=2ahUKEwi5qMy5npWVAxVcKxAIHSdrHfUQFnoECA8QAQ&sqi=2&usg=AOvVaw15PQiT4an2WLUVovmPl_Sd
142.251.156.119 · Google LLC
Mountain View, United States
10505 days
200 · 85.9s
Valid· WR2, Google Trust Services, US
COMPLETED
Domain Intelligence: google.com
Scanned 5 times since Feb 14, 2026, 10:58 AM UTC
Registered-domain escalation
Submit google.com as the primary IOC, enriched with evidence from hostile subdomains like www.google.com.
No KB/IOK detections were recorded for this scan.
education | technology · 7/19/2026
The page presents branding for nz.ua with Ukrainian text and login UI. However, the final URL is nz.ua, not a well-known external brand, and the screenshot shows a login button and credential fields suggesting a sign-in flow. The evidence indicates a legitimate-looking login surface on nz.ua itself rather than impersonation of a separate first-party brand. Despite that, the presence of a login form, password field, and multiple external analytics/ads scripts on a page that appears to be a landing site could be used for credential collection if redirected or misused. The domain appears legitimate and aligns with the nz.ua brand in the page content; there is no clear impersonation of another brand in the captured signals. Given the page content, this is best categorized as potential credential collection activity on nz.ua, but not impersonation of a different brand.
Capture
Stages: 1
Canonical: Settled Render
Changed: No
Credential Signals
Forms: 2
Password fields: 1
Late-stage login UI: No
Resource Signals
Resources: 77
Hosts: 9
Domains: 8
Suspicious Endpoints
hxxps://nz[.]ua/login
hxxps://nz[.]ua/account/forgot-password
The scan shows a legitimate-looking login surface on the nz.ua domain, with password fields and POST endpoints for login and forgot-password, along with external analytics/ads integrations. There is no clear indication of impersonation of a separate brand in the visible UI; the branding matches nz.ua. However, credential-collection workflows on landing pages can be abused if misused or paired with spoofed redirects. The presence of a login widget and password field warrants cautious monitoring for potential credential harvesting attempts, especially if additional domain similarity signals emerge or if the site redirects to a deceptive login surface on a different domain. Recommend ongoing monitoring and verification of the site's authentication endpoints and scripts for abuse potential.
Monitor