Is vizortube.com safe?

encoded payload

suspicious base64-like blobs detected in page content

malicious redirect

script/meta redirect patterns detected in page source

cloaking

Page conditionally redirects based on referrer or user-agent

js obfuscation

JavaScript uses Function constructor for runtime code generation

brand impersonation

vizortube.com mimics YouTube's core design, layout, and UX patterns (video grid, channel avatars, view counts, upload timestamps, navigation bar) while serving YouTube thumbnail images directly from i.ytimg.com and channel avatars from yt3.ggpht.com — effectively impersonating YouTube to create a deceptive familiar interface on a 277-day-old unestablished domain. (location: page.html: entire page structure, video-grid, video-card components (lines 758–1380))

social engineering

The site promotes a 'watch videos and earn XP/virtual Coins' reward scheme designed to incentivize repeated engagement and account creation. The referral modal auto-displays on page load (500ms delay) pushing users to sign up via a referral link, a classic pyramid-style user acquisition manipulation tactic on a recently registered domain. (location: page.html lines 1854–1877 (openReferralModal auto-trigger); meta description and OG tags lines 6–14)

credential harvesting

The search form submits to https://vizortube.com/login and the onsubmit handler forces a redirect to /login regardless of search input — any search action funnels the user directly into a login/credential capture flow. The 'Sign In' button links to /code (an atypical path suggesting invite/referral code gating). Combined with 'Sign in with Google without entering password' messaging in the browser modal, the site is engineered to harvest Google OAuth credentials. (location: page.html lines 612–617 (search form action and onsubmit), line 620–624 (Sign In button href=/code), lines 1510–1511 (browserModal Google sign-in prompt))

phishing

The domain vizortube.com (277 days old) presents as a legitimate YouTube-like video platform using real YouTube content metadata and thumbnails to establish trust, then redirects all interaction vectors (search, sign-in, video clicks leading to /video/* pages requiring login) toward credential collection. The 'Open in Browser' modal explicitly instructs users on how to bypass in-app browser security protections to enable Google OAuth sign-in, a known phishing technique used to steal Google account tokens. (location: page.html lines 1501–1541 (browserModal), lines 1543–1568 (isInAppBrowser script), search form and sign-in button)

social engineering

The isInAppBrowser() function detects users arriving via Instagram, Facebook, Telegram, Twitter, TikTok, LinkedIn, and musical_ly in-app browsers, then displays a modal coaching them to open the page in a full browser. This targets social media referral traffic specifically to circumvent in-app browser security sandboxing — a technique used to enable full OAuth token interception that would otherwise be blocked. (location: page.html lines 1543–1568 (isInAppBrowser detection and browserModal trigger logic))

hidden content

The page-text.txt file contains raw CSS blocks rendered as visible text (lines 61–153, 544–624), indicating CSS is being injected into the DOM in a manner that causes text extraction tools to capture style rules as page content. This may indicate style blocks placed in unexpected locations to confuse automated scanners or content parsers. (location: page-text.txt lines 61–153 and 544–624 (CSS visible as text content))

social engineering

Two separate Facebook Pixel IDs (2515399955479616 and 1708910427155784) are initialized simultaneously on the landing page, enabling cross-account behavioral tracking and retargeting of visitors. Running dual pixels is unusual for a legitimate site and suggests coordinated ad-network-level user profiling across multiple Facebook Business accounts for subsequent targeted phishing or scam ad campaigns. (location: page.html lines 580–598 (Meta Pixel Code with dual fbq init calls))