Is sportdafa.net safe?

encoded payload

suspicious base64-like blobs detected in page content

cloaking

Page conditionally redirects based on referrer or user-agent

brand impersonation

Site sportdafa.net fully impersonates the legitimate Dafabet brand (dafabet.com). It replicates Dafabet's logo, branding, content, hreflang tags pointing to www.dafabet.com, and presents itself as the official Dafabet betting platform. The canonical URL is set to www.sportdafa.net/en, not dafabet.com, confirming this is a separate domain masquerading as the real brand. (location: page.html:<title>, <link rel='canonical'>, logo img alt, entire page content)

credential harvesting

A functional login form (LoginForm) collects username and password credentials on a domain (sportdafa.net) that is not the legitimate Dafabet domain (dafabet.com). Form POSTs to /en/login on the impersonating domain. Credentials entered here would be captured by the site operator, not the real Dafabet. (location: page.html:line 29, <form name='LoginForm' method='post' action='/en/login'>)

phishing

The domain sportdafa.net mimics Dafabet's official site to deceive users into believing they are on the real Dafabet platform. It uses the real brand name, branding assets, hreflang alternate links referencing dafabet.com, and a 'JOIN NOW' registration flow — all characteristics of a phishing site designed to steal credentials and/or acquire fraudulent registrations. (location: metadata.json: domain=sportdafa.net; page.html: full page content)

malicious redirect

JavaScript on page load registers 'login.wsocdd.com' into a self.$domainSync array, suggesting synchronization or redirect coordination to an external unknown domain (wsocdd.com) during login flows. This could silently redirect authentication traffic or session tokens to a third-party domain. (location: page.html:line 18, self.$domainSync.push('login.wsocdd.com'))

social engineering

The site uses legitimate sports sponsorship branding (Celtic FC, Cricket South Africa, Sussex CCC, Durham Cricket, etc.) to create false trust signals. Listing real sporting partnerships of the genuine Dafabet brand misleads users into believing the impersonating site is official and trustworthy. (location: page.html:lines 214-370, footer sponsors section)

malicious redirect

The Facebook social link does not go to a facebook.com URL but instead redirects through 'https://dfgameplay.com/gjdnjr', an unrelated third-party domain used as a redirect intermediary. This is suspicious and may be used for tracking, affiliate fraud, or further redirection to malicious content. (location: page.html:line 379, <a href='https://dfgameplay.com/gjdnjr' class='icon-facebook'>)

credential harvesting

Google Analytics scripts read the 'username' cookie and transmit it as userId and dimension3 to Google Analytics properties (UA-50208224-21, UA-89039619-1). This exfiltrates logged-in usernames to analytics endpoints, enabling harvesting of account identifiers tied to sessions. (location: page.html:lines 458-478, readCookie('username') passed to ga('set','userId',...))

hidden content

A hidden zero-size GTM noscript iframe is embedded: <iframe src='https://www.googletagmanager.com/ns.html?id=GTM-TQD7V7Q' height='0' width='0' style='display:none;visibility:hidden'>. While GTM itself is legitimate, on an impersonating domain this hidden iframe enables invisible data collection and potential injection of additional tracking or malicious scripts via the GTM container. (location: page.html:line 431, noscript GTM iframe)

hidden content

The cookie 'mhlanguage' is immediately expired and deleted on page load via JavaScript before any user interaction. This manipulation of cookies on load is atypical and may be used to clear prior session state or force re-authentication to capture credentials. (location: page.html:line 13, document.cookie = 'mhlanguage=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT')