mass.report
Scan Intelligence Report0/100
medium Risk
coinspot-desktop.calivaro.org
https://coinspot-desktop.calivaro.org/rgpae?utm_campaign=03.03+%2F+AU+%2F+213.1+%2F+FS+329+%2F+%234&utm_content=03.03+%2F+AU+%2F+213.1+%2F+FS+329+%2F+%231&cid=03.03+%2F+AU+%2F+213.1+%2F+FS+329+%2F+%231+%E2%80%94+5&fbid=900841959001305&utm_medium=paid&utm_source=fb&utm_id=120241752010530023&utm_term=120241752010580023
IP
172.67.130.245 · Cloudflare, Inc.
Location
Toronto, Canada
Domain Age
26 days
HTTP
200 · 75.2s
SSL
Valid· WE1, Google Trust Services, US
Status
COMPLETED
Registered-domain escalation
Submit calivaro.org as the primary IOC, enriched with evidence from hostile subdomains like coinspot-desktop.calivaro.org.
KB/IOK Matches (0)—
No KB/IOK detections were recorded for this scan.
CoinSpot
Credential Phishingfinance | cryptocurrency | technology | ecommerce · 4/5/2026
Summary
The page at coinspot-desktop.calivaro.org is impersonating CoinSpot. The domain name itself includes the CoinSpot brand, and the HTML source shows a SPA-like interface with multiple image assets and scripts, likely to render a credential collection UI. Visual evidence from the screenshot indicates branding cues similar to CoinSpot, while the domain is newly registered and hosted behind Cloudflare, suggesting a typosquat/brand spoofing operation intended to harvest credentials or data.
Attack Techniques (6)
Typosquat/brand impersonation domain containing 'coinspot'Single-Page Application (SPA) rendering forms via JavaScript with no static forms in HTMLCloned UI assets loaded from legitimate-appearing paths (image assets) to mimic CoinSpot visualsExternal script loading from CDN/Cloudflare (brand-revealing request patterns) and beacon trackersNewly registered domain (26 days) used for credential harvestingSSL certificate issued to calivaro.org but domain includes CoinSpot brand name, aiding trust inflation
Indicators of Compromise (5)
▸DOMAIN: coinspot-desktop.calivaro.org (IOC: impersonation signal containing 'coinspot')
▸EXTERNAL SCRIPT: https://static.cloudflareinsights.com/beacon.min.js/… (brand cloning signals via asset loading)
▸PAGE ASSETS: image assets named with random hashes and coinspot-desktop hosted images under /img/ (indicating cloned UI)
▸SSL SAN includes calivaro.org and wildcard *.calivaro.org but the URL path and domain contain 'coinspot' (brand impersonation IOC)
▸DOMAIN AGE: 26 days (recently registered) (risk factor for phishing)
Risk AssessmentUsed in abuse reports
This site is a high-risk credential-phishing attempt. The domain name explicitly embeds a known brand (CoinSpot), and the page appears to render a CoinSpot-like interface via JavaScript assets without static forms in the initial HTML, indicating a likely SPA designed to collect user credentials. The SSL certificate is issued to calivaro.org, with the real CoinSpot branding only inferred from the domain and page content, which strongly suggests impersonation. The domain age is very young (26 days), and multiple POSTs to a rum endpoint suggest beaconing or data exfiltration attempts. The WAF/CDN blocks are not explicitly confirmed, but the presence of Cloudflare-hosted resources and a large number of network calls are consistent with modern credential-grabbing clones. Immediate action is warranted to suspend the domain and block hosting, and to report to certificate authorities if needed.
Recommended Action
Monitor
Cross-Reference8
URL Intelligence
Domain Intelligence
IP Intelligence
Public threat feed available — JSON API