https://tr.superbahis5.live/
172.67.134.91 · Cloudflare, Inc.
Toronto, Canada
0 days ⚠
200 · 42.4s
Valid · WE1, Google Trust Services, US
COMPLETED
Linked Phishing Report
This scan is attached to a vendor submission report
Brand: getverify39.top
Vendors: 28/31
Status: partial
Registered-domain escalation
Submit superbahis5.live as the primary IOC, enriched with evidence from hostile subdomains like tr.superbahis5.live.
No KB/IOK detections were recorded for this scan.
finance | technology | ecommerce | gambling | other · 6/3/2026
The page presents Süperbahis branding visually (title in Turkish) but the final URL is getverify39.top/superbahis.html, which is a different domain from the purported brand. The homepage appears to render a visually branded layout mimicking a gambling site, with SPA-like behavior and dynamic credential collection risk signals, including a monitored redirect chain and an off-domain POST beacon. There is no static login form in the HTML, but the SPA architecture and external script loading (Cloudflare beacon) suggest potential credential collection via dynamically rendered forms. The evidence strongly indicates impersonation attempts to leverage Süperbahis branding on a separate, new domain, with aggressive redirection and off-domain data exfiltration signals, rather than a clean first-party page hosting normal content.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 15
Hosts: 7
Domains: 7
The scan shows strong impersonation signals: the page carries Süperbahis branding but is hosted on a new, unrelated domain, getverify39.top, with a redirect chain and the potential for SPA-based credential capture. Dynamic forms that render via JavaScript, an HTML surface with 0 forms, and an off-domain POST beacon to a CDN-like endpoint indicate potential credential collection or data exfiltration. The SSL certificate is newly issued and the domain age is 0 days, which increases risk. This is consistent with phishing-style impersonation rather than benign first-party hosting, and warrants action to suspend or block the domain to prevent potential credential theft. The data also shows WAF-like block-page behavior (a POST to a rum endpoint), suggesting anti-scan measures, which further supports malicious intent.