https://www.superbahis1968.com/bahis
204.10.194.69 · Advin Services LLC
Nuremberg, Germany
0 days ⚠
200 · 18.7s
Valid· YE1, Let's Encrypt, US
COMPLETED
Linked Phishing Report
This scan is attached to a vendor submission report
Brand
Apple
Vendors
30/31
Status
partial
Registered-domain escalation
Submit superbahis1968.com as the primary IOC, enriched with evidence from hostile subdomains like www.superbahis1968.com.
No KB/IOK detections were recorded for this scan.
Scanner blocked by cloudflare
This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.
technology | finance | ecommerce | other · 7/19/2026
The page indicates a new domain (created 2026-06-12) hosting a Turkish-labeled verification/safety page, but the scan data shows signs of credential-capture activity at non-static endpoints. HTML static content shows a generic “Bir dakika lütfen...” with a SPA pattern suggested by zero static forms and a POST to /__f5_verify, plus repeated /__f5cf/status checks and a POST target to /__f5_verify. This combination suggests potential credential collection via a dynamic form rendered by JavaScript, though the actual form is not present in static HTML. The domain age and fresh SSL cert add risk signals, but there is no definitive evidence of impersonation of a known brand on the page itself within the static content provided. The scanner was blocked by a WAF (Cloudflare) during the run, limiting full content visibility, but non-page signals still indicate potential abuse intent on a new domain.
Capture
Stages: 2
Canonical: Settled Render
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 4
Hosts: 1
Domains: 1
Suspicious Endpoints
hxxps://www[.]superbahis1968[.]com/__f5cf/status
The domain is extremely new with a valid yet short-lived Let's Encrypt certificate, and the page appears to implement a dynamic verification flow that could be used to collect credentials via a SPA. The POST to __f5_verify and repeated status checks imply an active verification mechanism, which could be part of a phishing or credential capture setup on a fresh domain. The scanner was blocked by a WAF, which is a common tactic used by malicious operators to evade automated detection. Given these signals, the page should be treated as suspicious and warrant further abuse investigation and potential takedown actions if corroborated with credential harvesting behavior.
Block URL