0/100

high Risk

sereneosa.com

https://sereneosa.com/

104.21.74.240 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

212 days

HTTP

200 · 122.8s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Google"

Save

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Google

Credential Phishing

technology · 4/29/2026

Summary

The page on sereneosa.com displays a Google branding with the Google logo, page title, and a UI surface resembling Google's search page. The final URL redirects to google.com, and the HTML shows explicit Google assets (fonts, scripts, and gen_204 endpoints) being loaded. This suggests impersonation (a typosquatted domain presenting Google branding) aiming to capture credentials or user interactions under Google’s guise, despite the domain not being an official Google domain. The presence of off-domain API calls and the final redirect to google.com further supports a phishing impersonation scenario rather than legitimate first-party content.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Off-domain submission or API endpoints observed: https://sereneosa.com/homeapi/collect?store_id=115864.

▸Distinctive asset clues: gtag.js, public.js, quest_theme.css, public.css, 4a105fb044278856a5b9aec485719634.png, banner_loading.png.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 1

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 56

Hosts: 9

Domains: 5

Suspicious Endpoints

hxxps://sereneosa[.]com/homeapi/collect?store_id=115864

hxxps://www[.]google[.]com/search

Off-Domain Posts

hxxps://sereneosa[.]com/homeapi/collect?store_id=115864

Attack Techniques (4)

Brand impersonation through page title and logos on a non-official domainCredential or data collection surface implied by impersonation and external endpointsRedirection to a legitimate brand domain (Google) to blend traffic and analyticsSPA-like behavior inferred from heavy external script usage and dynamic content

Indicators of Compromise (7)

▸Domain serenityosa.com with page title Google

▸Final URL: https://www.google.com/?zx=1777139847660

▸Brand assets and scripts referencing Google (gtag.js, xjs, fonts from fonts.gstatic.com, gen_204 endpoints)

▸POST to https://sereneosa.com/homeapi/collect?store_id=115864

▸Off-domain submission/API endpoints observed

▸Hidden form inputs detected

▸High external script count

Risk AssessmentUsed in abuse reports

The scan indicates a high probability of impersonation phishing: the domain sereneosa.com presents Google branding (title, logo in screenshot, and assets) but is not the official Google domain. The page redirects to google.com, loads Google resources, and performs a POST to a non-Google endpoint (homeapi/collect) on the suspicious domain, which is a classic pattern for credential theft or data harvesting via impersonation. This warrants treating the domain as a malicious impersonation attempt and taking action to prevent victims from interacting with it. Monitor and consider blocking the URL, given the clear impersonation signals and abuse potential.

Recommended Action

Suspend Domain

Cross-Reference8

URL Intelligence