https://post-delivery.info
104.21.80.221 · Cloudflare, Inc.
Toronto, Canada
42 days
526 · 26.0s
Valid · E8, Let's Encrypt, US
COMPLETED
No KB/IOK detections were recorded for this scan.
Scanner blocked by Cloudflare
This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.
technology | finance | ecommerce | other · 4/15/2026
The domain ATO is presenting a Cloudflare 526 SSL certificate error page. The final URL shows a Cloudflare block page rather than the target phishing content. WHOIS indicates a recently registered domain (42 days old) registered through WebNic.cc, and the SSL cert is valid, but the site currently serves an SSL error page rather than legitimate content. There is evidence suggesting the scanner was blocked by the WAF (Cloudflare) during analysis, but non-page signals (domain age, hosting via Cloudflare, and the suspicious placeholder branding) do not confirm credential theft or impersonation on this page itself.
Capture
Stages: 2
Canonical: Settled Render
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 7
Hosts: 1
Domains: 1
The current page shows a Cloudflare 526 invalid SSL certificate error rather than a credential harvesting flow. While there is no static form in the HTML, the SPA possibility means credential collection could be rendered client-side. The presence of a recently registered domain (42 days) under a registrar with reported abuse, and an active WAF evasion signal, raise concern for potential abuse. However, there is insufficient direct evidence of phishing or credential theft on the loaded page content itself; the observed block and SSL misconfiguration suggest non-productive status or preparatory steps for malicious use. Recommend monitoring and further investigation, including domain reputation checks and origin server validation.
Monitor