https://super.bahis-resmiadresi.vip/
104.21.80.224 · Cloudflare, Inc.
Toronto, Canada
1 day ⚠
403 · 22.6s
Valid · E8, Let's Encrypt, US
COMPLETED
Linked Phishing Report
This scan is attached to a vendor submission report
Brand
ATO
Vendors
29/31
Status
partial
Registered-domain escalation
Submit bahis-resmiadresi.vip as the primary IOC, enriched with evidence from hostile subdomains like super.bahis-resmiadresi.vip.
No KB/IOK detections were recorded for this scan.
Scanner blocked by Cloudflare
This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.
gambling | technology | finance · 6/3/2026
The scan target shows a Cloudflare 403 block page for superbahis2196.com, indicating the scanner was blocked and could not access the actual content. However, the final URL redirects to a domain that appears to clone a betting site branding (bahis) and discusses phishing-like behavior suggested by the analyst notes and redirection to a fake IBAN payment form. There is evidence of an impersonation setup on a separate domain masquerading as a branded betting site, but the visible page in this scan is a Cloudflare block page, not the phishing page itself. The data suggests potential first-party cloaking and impersonation risk, but the captured content does not conclusively show credential harvesting on the scanned page itself due to the WAF block. Analyst flagged likely cloaking/evasion behavior for this target. Analyst context noted: Redirection to "https://www.superbahis2196.com/bahis" this fake address which is faking original brand web page but totally phishing users with fake IBAN payment information. Prove https://ibb.co/HvjxJBp Analyst note: th...
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 8
Hosts: 3
Domains: 3
The domain ATO is extremely new (1 day) and is using Cloudflare as a fronting WAF. The final redirect to superbahis2196.com plus the analyst note describing a fake IBAN payment flow strongly suggests malicious intent including credential/phishing infrastructure and payment information theft. However, the scanner was BLOCKED by Cloudflare, so the actual phishing page could not be verified in this capture. The combination of a new domain, redirect to a clone site, and explicit phishing-related narrative indicates a high likelihood of abuse and potential credential or payment data theft activity. Recommend treating as high risk and taking defensive action pending full content access. Analyst-reported cloaking/evasion suspicion increases confidence that the operator is actively attempting to evade automated security analysis. Analyst context was provided and corroborated during this assessment (Redirection to "https://www.superbahis2196.com/bahis" this fake address which is faking original brand web page but totally phishing users with fake IBAN payment information. Prove https://ibb.co/HvjxJBp Analyst note: th...).
Suspend Domain