http://antiscam.sportbot.live
172.67.196.212 · Cloudflare, Inc.
Toronto, Canada
27 days
200 · 30.6s
Valid· E7, Let's Encrypt, US
COMPLETED
Registered-domain escalation
Submit sportbot.live as the primary IOC, enriched with evidence from hostile subdomains like antiscam.sportbot.live.
No KB/IOK detections were recorded for this scan.
technology | finance | ecommerce | other · 7/19/2026
The page presents an AntiScam access portal branded as 'AntiScam' with Italian text and Telegram login widgets. Visual branding shows AntiScam, not a well-known consumer brand, and the page uses Telegram’s login widgets and an embedded Telegram OAuth iframe, suggesting an account login flow via Telegram. While the UI strongly implies a credential collection portal, there is insufficient evidence to conclusively classify it as credential phishing aimed at a specific brand; however, the off-domain authentication endpoints and the SPA-rendered login UI indicate potential credential capture risk and suspicious behavior for a protected-access service.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 12
Hosts: 4
Domains: 3
Suspicious Endpoints
hxxps://telegram[.]org/js/telegram-web-app.js
hxxps://telegram[.]org/js/telegram-widget.js?22
hxxps://oauth[.]telegram[.]org/embed/antiscamrobot?origin=http%3A%2F%2Fantiscam.sportbot.live&return_to=http%3A%2F%2Fantiscam.sportbot.live%2F&size=large&request_access=write
hxxp://antiscam[.]sportbot[.]live/auth/webapp
Off-Domain Posts
hxxps://telegram[.]org/js/telegram-web-app.js
hxxps://telegram[.]org/js/telegram-widget.js?22
hxxps://oauth[.]telegram[.]org/embed/antiscamrobot?origin=http%3A%2F%2Fantiscam.sportbot.live&return_to=http%3A%2F%2Fantiscam.sportbot.live%2F&size=large&request_access=write
No specific IOCs identified in source
The page demonstrates strong signals of credential collection via an embedded Telegram login mechanism within a gated page. The presence of Telegram login widgets and an embedded OAuth iframe, combined with a newly registered domain and off-domain authentication endpoints, constitutes a credible phishing surface seeking Telegram-based authentication. The combination of a custom login surface branded as AntiScam, usage of Telegram as the primary auth vector, and dynamic JavaScript rendering support credential capture. Given these indicators, this site should be treated as potentially abusive and monitored closely; actions recommended depend on organizational policy, with suspend/block potentially warranted if abuse is confirmed. The information indicates a deliberate attempt to harvest credentials through a branded gate and external auth components.
Block URL