https://west.craft309.com/
104.18.18.107 · Cloudflare, Inc.
Toronto, Canada
3507 days
200 · 23.0s
Valid · WE1, Google Trust Services, US
COMPLETED
Domain Intelligence: craft309.com
Scanned 2 times since May 26, 2026, 12:46 PM UTC
Registered-domain escalation
Submit craft309.com as the primary IOC, enriched with evidence from hostile subdomains like west.craft309.com.
No KB/IOK detections were recorded for this scan.
E-Commerce · 6/3/2026
The page presents branding for Craft309 (Craft309 — Peoria) with a visible site title and content related to a restaurant in Peoria, IL. There is no credential collection, login form, or obvious impersonation of a major brand; the domain appears to belong to a small local business and uses Cloudflare; the visual content does not match a well-known brand. Given the evidence, there is no clear phishing or credential-theft signal from the page itself, though the analyst note mentions potential cloaking. The current data does not establish impersonation of a higher-risk target or other abuse beyond possible cloaking behavior. Analyst flagged likely cloaking/evasion behavior for this target. Analyst context noted: this target may cloak content or block scanners.
Capture
Stages: 2
Canonical: Settled Render
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 1
Hosts: 1
Domains: 1
No suspicious indicators identified
The scan indicates a benign-looking small business webpage (Craft309) with no credential capture or impersonation. However, the analyst notes suggest cloaking or anti-scan behavior, which can be used to evade detection. Because there is no evidence of phishing, credential theft, or abuse on this page, the risk is low for credential-related abuse, but the cloaking remark warrants monitoring for potential misuse. If future evidence shows impersonation, credential harvesting, or redirect to malicious endpoints, reclassify accordingly. Analyst-reported cloaking/evasion suspicion increases confidence that the operator is actively attempting to evade automated security analysis. Analyst context was provided and corroborated during this assessment (Analyst note: this target may cloak content or block scanners.).
Monitor