https://x.com/infodinero
162.159.140.229 · Cloudflare, Inc.
Toronto, Canada
12060 days
200 · 28.0s
Valid · E8, Let's Encrypt, US
COMPLETED
No KB/IOK detections were recorded for this scan.
Technology · 4/15/2026
The page at x.com/infodinero presents UI elements and network activity that mimic X/Twitter branding and structure, including a profile header for 'Andrew Hensen' and a banner-style UI. However, the URL is under x.com, which is the official domain for X; the displayed content appears to be a profile page rather than a credential collection form. The evidence includes off-domain API submission endpoints (e.g., https://appleid.cdn-apple.com/... and interactions with https://api.x.com/1.1/graphql/user_flow.json) and an SPA-style rendering with dynamic scripts, but there is no static login form in the initial HTML, and no explicit credential capture form identified in the static source. The risk indicators (typosquat warning in the score, iframe presence, off-domain endpoints) exist but the page visually aligns with X’s brand and domain ownership via x.com, making impersonation claims uncertain without more definitive credential-phishing signals on the rendered content. The presence of dynamic credential-like flows on an official domain could indicate abuse if credential theft is active, but current static analysis does not confirm a phishing UI on this domain.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 118
Hosts: 7
Domains: 5
Suspicious Endpoints
hxxps://appleid[.]cdn-apple[.]com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js
Off-Domain Posts
hxxps://appleid[.]cdn-apple[.]com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js
The scan shows an official-domain X page rendering a user profile with a modern SPA approach and signs of credential-related flows (GraphQL user_flow, onboarding sso_init) on the official domain. While there is an iframe pointing to Google Sign-In and a reference to Apple authentication, these elements are commonly used on legitimate sign-in or onboarding experiences. The presence of off-domain scripts and dynamic content warrants caution, as it could reflect legitimate third-party authentication flows or potential abuse on the surface of a first-party site. No definitive credential-harvesting UI is confirmed in the static HTML, but the combination of dynamic forms and external auth scripts means monitoring is advisable. The page appears to be first-party branding rather than impersonation, but the risk score and off-domain calls justify ongoing observation for potential abuse.
Monitor