0/100

low Risk

www.loveandgifts.com

https://www.loveandgifts.com/

172.67.182.88 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

4266 days

HTTP

403 · 20.3s

SSL

Valid· E7, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Suspected phishing site | Cloudflare"

Save

Registered-domain escalation

Submit loveandgifts.com as the primary IOC, enriched with evidence from hostile subdomains like www.loveandgifts.com.

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Scanner blocked by cloudflare

This scan likely captured a block/challenge page, so the AI analysis may not reflect the real site victims see.

ATO

Unknown

E-Commerce · 4/15/2026

Summary

The domain ATO resolves to a Cloudflare-protected site that presents a Cloudflare phishing warning page to scanners. The page content captured is a WAF/scan-block page rather than a genuine brand interface. Network requests show Turnstile integration and phish-bypass endpoints on Cloudflare infrastructure, with a 403 status and scanner-block context observed. No definitive credential harvesting UI or login form was observed in the captured content, but the domain appears to be attempting to bypass security checks, which is consistent with anti-scan evasion behavior.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸POST targets observed during capture: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/flow/ov1/1471918915:1775286760:GWtgvF3T879eQ_LrAbGyKhNhfMXMy3xu_ug89mOeaeY/9e6ed3a95cf7b4c6/sU_ydC_COS01J8pyeOhwwd.Nir7Ra82QjC23RPyt1v0-1775290123-1.2.1.1-82J2HOrgSzjkAhK4Fg8zw_yR7QtJh.hfIONihlukUi4ASlLzRCJTm1HQsnkU._7I.

▸Distinctive asset clues: api.js, cf.errors.css, icon-exclamation.png, 1.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 1

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 12

Hosts: 2

Domains: 2

Suspicious Endpoints

hxxps://www[.]loveandgifts[.]com/cdn-cgi/phish-bypass

Attack Techniques (2)

Phish-bypass endpoint referenced, suggesting anti-bot by designHidden form inputs detected in risk signals (potential for credential collection in actual page)

Indicators of Compromise (3)

▸Page title and content indicate suspected phishing warning from Cloudflare

▸Network requests show Cloudflare Turnstile JS and phish-bypass endpoints

▸Form in static HTML pointing to /cdn-cgi/phish-bypass with a Turnstile widget

Risk AssessmentUsed in abuse reports

The scan indicates the operator uses anti-bot protections and a Cloudflare phishing-warning page, which is a strong signal of deliberate evasion. The domain is publicly resolvable and has a valid SSL cert recently issued, but the actual phishing content could not be accessed due to the WAF block. The presence of phish-bypass endpoints and Turnstile integration suggests potential intent to gate access to a phishing surface; however, the captured content is a block page, not a credential-collection page. Recommend monitoring and further investigation to determine if the domain hosts a phishing surface when not blocked by WAF.

Recommended Action

Monitor

Cross-Reference8

URL Intelligence