0/100

high Risk

helsana.club

https://helsana.club/274222101

172.67.166.153 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

19 days

HTTP

200 · 17.1s

SSL

Valid· E8, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Refund - Helsana"

Save

Domain Intelligence: helsana.club

Scanned 2 times since Mar 15, 2026, 12:19 PM UTC

⚠ High (65)

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Helsana

Vendors

28/31

Status

partial

✓ avast✓ avg✓ bitdefender✓ chainpatrol✓ eset✓ sophos✗ threatyeti✓ polyswarm✓ drweb✓ microsoft✓ norton✓ yandex✓ apple✓ brightcloud✓ netcraft✓ spamhaus✓ emsisoft✓ openphish✓ cisa✓ urlscan✓ isitphish✓ virustotal✓ phishreport✓ phishtank✓ apwg✗ urlquery✗ urlabuse✓ mcafee✓ kaspersky✓ google✓ fortiguard

KB/IOK Matches (0)—

No KB/IOK detections were recorded for this scan.

Helsana

Credential Phishing

Summary

The page at helsana.club/274222101 presents a Refund - Helsana with Helsana branding, but is hosted on a newly registered, off-brand domain helsana.club. The page title and visual UI mimic Helsana, yet the domain does not belong to Helsana, indicating impersonation and credential collection risk through a phishing flow. Off-domain submission endpoints and multiple external translator/analytics calls further support malicious use of a cloned brand presentation.

Evidence Summary

▸Observed 2 capture stage(s); canonical stage is settled_render.

▸Off-domain submission or API endpoints observed: https://translate.googleapis.com/translate_voting?client=te.

▸Distinctive asset clues: v8c78df7c7c0f484497ecbca7046644da1771523124516, element.js, m=el_main_css, 24px.svg, cleardot.gif.

Capture

Stages: 2

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 1

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 21

Hosts: 8

Domains: 5

Suspicious Endpoints

hxxps://translate[.]googleapis[.]com/translate_voting?client=te

Off-Domain Posts

hxxps://translate[.]googleapis[.]com/translate_voting?client=te

Attack Techniques (5)

New domain impersonating Helsana (domain age 19 days)Cloned Helsana UI with brand colors, logo placement, and refund/identity promptsOff-domain submission/API endpoints observed (translate_voting, translateHtml) used to exfiltrate dataIncludes iframes and external JS bundles loading brand-like assets from third-party domainsSPAs with dynamic content rendering to collect user input without static forms in HTML

Indicators of Compromise (5)

▸DOMAIN: helsana.club

▸POST endpoints: https://helsana.club/cdn-cgi/rum? (204), https://translate-pa.googleapis.com/v1/translateHtml (200)

▸Off-domain API calls: https://translate.googleapis.com/translate_voting?client=te

▸External assets referencing translations and Google Translate components

▸SSL cert issued by Let's Encrypt for helsana.club (new cert) and domain created 2026-02-23

Risk AssessmentUsed in abuse reports

Abuse potential is high. The page uses Helsana branding on a brand-new domain, with a faux refund offer and a data collection form designed to capture personal details. The combination of brand impersonation, off-domain form submission, embedded iframes, and multiple external translation-related requests indicates a deliberate attempt to harvest credentials or sensitive data under the guise of a legitimate insurer. The domain age, off-brand hosting, and presence of a WAF/Cloudflare signature are consistent with phishing infrastructure meant to evade detection while presenting a credible impersonation to victims.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence