This tool performs deep phishing/fraud detection on a single URL by inspecting its structure. It is intentionally complementary to the URL Validator: the validator checks basic protocol/IP/XSS signals, while this tool focuses on the deception techniques attackers use to make a malicious URL look legitimate.
What it checks (6 dimensions):
- IDN Homograph (Mixed Script) 🔴 — Internationalized Domain Names (punycode
xn--) that mix scripts (e.g. Latin + Cyrillic). This is the "аpple.com" attack: a Cyrillic "а" looks identical to a Latin "a" but resolves to a different domain.
- Embedded Credentials (userinfo) 🔴 — the
user:pass@host trick: https://[email protected] puts the brand before "@", but the REAL destination is evil.com. Browsers hide the userinfo, making this very deceptive.
- High-Risk TLD 🟠 — TLDs frequently abused for spam/scams (cheap/free registration:
.tk .xyz .top .click and dozens more). Not inherently malicious, but a strong caution signal.
- Encoding Anomalies 🟠/🟡 — double percent-encoding (
%2561), encoded protocol sequences, and C0 control characters — all used to smuggle payloads past WAFs or fool readers.
- Subdomain Deception 🟠 — a brand name placed in a subdomain position (
paypal.security-update.com); the registrable domain is security-update.com, unrelated to PayPal.
- Numeric/IP Obfuscation 🟠 — raw IP hosts (
192.168.1.1) or obfuscated numeric forms (hex/decimal) that hide the destination.
Risk score. Each finding adds to a 0-100 score (critical 35, high 20, medium 10, low 4), mapped to Low/Medium/High/Critical.
Limitations. This is static structural analysis only — no network request is made, so it cannot detect newly-registered malicious domains, compromised legitimate sites, or redirect chains. It does NOT replace real-time threat intelligence like Google Safe Browsing. A "Low" rating means no structural phishing signals were found, NOT that the destination is safe.