0/100

high Risk

tr.betboogir.live

https://tr.betboogir.live/

104.21.4.186 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

0 days ⚠

HTTP

200 · 52.2s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Redirect Chain (2 hops)

302https://tr.betboogir.live/

301https://up24.live/mgXgQ

Visual Evidence

Zoom

Title: "BETBOO | Elitbahis Güvenli Geçiş & Kampanyalar"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

betboo (Elitbahis branding visible on page content)

Vendors

28/31

Status

partial

✗ norton✓ sophos✓ brightcloud✓ microsoft✓ fortiguard✓ chainpatrol✓ eset✓ polyswarm✓ avast✓ avg✓ kaspersky✗ threatyeti✓ yandex✗ bitdefender✓ apple✓ netcraft✓ spamhaus✓ emsisoft✓ urlscan✓ cisa✓ isitphish✓ phishreport✓ openphish✓ phishtank✓ apwg✓ urlquery✓ virustotal✓ urlabuse✓ drweb✓ mcafee✓ google

Registered-domain escalation

Submit betboogir.live as the primary IOC, enriched with evidence from hostile subdomains like tr.betboogir.live.

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Scanner blocked by cloudflare

This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.

betboo (Elitbahis branding visible on page content)

Credential Phishing

Summary

The page presents BETBOO/Elitbahis branding and a Turkish UI motif but is hosted on a newly registered, non-official domain (tr.betboogir.live) that redirects to getverified3.top/betboo.html. The final URL and embedded assets indicate imitation of a known betting brand (Elitbahis/Betboo) with an SPA-like structure that may render credential forms via JavaScript. The presence of dynamic credential capture indicators (POSTs to a challenge platform URL, multiple external script/assets, and an iframe-like setup) supports potential credential harvesting rather than legitimate first-party content. The overall setup, including new domain age, rapid redirect chain, and off-brand hosting, strongly suggests impersonation/phishing activity rather than a benign first-party page.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸POST targets observed during capture: https://getverified3.top/cdn-cgi/challenge-platform/h/g/jsd/oneshot/b0a7532ac8ec/0.9467440970751946:1776673367:xVG1JVx1Rzf4FNacgvdPel36NkXmMyhN6Ch9rvi3KFo/9ef2f70fec30b11e, https://getverified3.top/cdn-cgi/rum?.

▸Distinctive asset clues: v8c78df7c7c0f484497ecbca7046644da1771523124516, main.js, all.min.css, css2, 468x60_2.gif, 728x90.gif.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 18

Hosts: 7

Domains: 7

Attack Techniques (6)

Brand impersonation indicators (Betboo/Elitbahis branding on a non-official domain)SPA-style rendering without static forms (forms likely injected by JS bundles)Suspicious exfiltration targets (POST to getverified3.top/cdn-cgi/challenge-platform/... and rum endpoint)Redirection chain to a separate domainNew domain age with Cloudflare-proxied hostingIframes and multiple external assets to simulate legitimate UI

Indicators of Compromise (8)

▸Page title: BETBOO | Elitbahis Güvenli Geçiş & Kampanyalar

▸Hostname: tr.betboogir.live (non-official domain)

▸Final URL: https://getverified3.top/betboo.html

▸SSL cert issued recently (Apr 2026) to tr.betboogir.live

▸POST requests to getverified3.top/cdn-cgi/challenge-platform/h/g/jsd/oneshot/... and getverified3.top/cdn-cgi/rum?

▸External script root: static.cloudflareinsights.com/beacon.min.js

▸Assets and banners referencing betting/Elitbahis branding on a non-official domain

▸Scanner block note indicates WAF evasion attempts

Risk AssessmentUsed in abuse reports

The domain tr.betboogir.live is extremely new (0 days old) and resolves through a redirect chain to a separate domain getverified3.top that hosts a poker-like Betboo/Elitbahis styled page. The page HTML indicates an SPA structure without static forms, suggesting credential capture via dynamically loaded UI. The presence of suspicious POST targets and off-domain exfiltration endpoints, combined with a WAF-block context, strongly indicates an attempted phishing or credential harvesting operation. Given the branding mimicry and redirect flow, this is high-risk for user credential theft. Monitor and consider blocking suspension actions.

Recommended Action

Suspend Domain

Cross-Reference9

URL Intelligence