activties-mgr.hl209332952.workers.dev Open in urlscan Pro
172.67.175.21 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

URL:
https://activties-mgr.hl209332952.workers.dev/
Submission: On March 27 via manual (March 27th 2024, 11:14:36 am UTC) from US — Scanned from DE

Summary HTTP 14 Redirects Links 8 Behaviour Indicators

Summary

This website contacted 5 IPs in 2 countries across 5 domains to perform 14 HTTP transactions. The main IP is 172.67.175.21, located in United States and belongs to CLOUDFLARENET, US. The main domain is activties-mgr.hl209332952.workers.dev.
TLS certificate: Issued by GTS CA 1P5 on March 19th 2024. Valid for: 3 months.

This is the only time activties-mgr.hl209332952.workers.dev was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: First Horizon Bank (Banking)

Domain & IP information

	IP Address	AS Autonomous System
3	172.67.175.21 172.67.175.21	13335 (CLOUDFLAR...) (CLOUDFLARENET)
4	2620:100:6022... 2620:100:6022:15::a27d:420f	19679 (DROPBOX) (DROPBOX)
5	104.16.88.20 104.16.88.20	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1	2a04:4e42:200... 2a04:4e42:200::649	54113 (FASTLY) (FASTLY)
14	5

3 172.67.175.21 (United States)

ASN13335 (CLOUDFLARENET, US)

activties-mgr.hl209332952.workers.dev	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

4 2620:100:6022:15::a27d:420f (United States)

ASN19679 (DROPBOX, US)

dl.dropboxusercontent.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

5 104.16.88.20 (None, )

ASN13335 (CLOUDFLARENET, US)

cdn.jsdelivr.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a04:4e42:200::649 (United States)

ASN54113 (FASTLY, US)

code.jquery.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
5	jsdelivr.net cdn.jsdelivr.net — Cisco Umbrella Rank: 449	84 KB
4	dropboxusercontent.com dl.dropboxusercontent.com — Cisco Umbrella Rank: 24799	34 KB
3	workers.dev activties-mgr.hl209332952.workers.dev	84 KB
1	jquery.com code.jquery.com — Cisco Umbrella Rank: 1216	33 KB
0	firsthorizon.com Failed security.firsthorizon.com Failed
14	5

	Domain	Requested by
5	cdn.jsdelivr.net	activties-mgr.hl209332952.workers.dev
4	dl.dropboxusercontent.com	activties-mgr.hl209332952.workers.dev dl.dropboxusercontent.com
3	activties-mgr.hl209332952.workers.dev	activties-mgr.hl209332952.workers.dev
1	code.jquery.com	activties-mgr.hl209332952.workers.dev
0	security.firsthorizon.com Failed
14	5

This site contains links to these domains. Also see Links.

Domain
www.firsthorizon.com
ir.fhnc.com

Subject Issuer	Validity	Valid
hl209332952.workers.dev GTS CA 1P5	`2024-03-19` - `2024-06-17`	3 months	crt.sh
*.dl.dropboxusercontent.com DigiCert TLS RSA SHA256 2020 CA1	`2024-03-25` - `2025-03-11`	a year	crt.sh
sni.cloudflaressl.com Cloudflare Inc ECC CA-3	`2023-05-02` - `2024-05-01`	a year	crt.sh
*.jquery.com Sectigo RSA Domain Validation Secure Server CA	`2023-07-11` - `2024-07-14`	a year	crt.sh

This page contains 1 frames:

Primary Page: https://activties-mgr.hl209332952.workers.dev/
Frame ID: 5120F989EE3A32DE13E2B01FD93ACEA9
Requests: 14 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

First Horizon - Log In

Detected technologies

Bootstrap (Web Frameworks) Expand

Overall confidence: 100%
Detected patterns

bootstrap(?:[^>]*?([0-9a-fA-F]{7,40}|[\d]+(?:.[\d]+(?:.[\d]+)?)?)|)[^>]*?(?:\.min)?\.js

jQuery (JavaScript Libraries) Expand

Overall confidence: 100%
Detected patterns

jquery[.-]([\d.]*\d)[^/]*\.js
jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?

jsDelivr (CDN) Expand

Overall confidence: 100%
Detected patterns

//cdn\.jsdelivr\.net/

Page Statistics

14
Requests

93 %
HTTPS

50 %
IPv6

5
Domains

5
Subdomains

5
IPs

2
Countries

235 kB
Transfer

613 kB
Size

1
Cookies

8 Outgoing links

These are links going to different origins than the main page.

URL: https://www.firsthorizon.com/About
Title: ABOUT US

Search URL Search Domain Scan URL

URL: https://www.firsthorizon.com/Careers
Title: CAREERS

Search URL Search Domain Scan URL

URL: https://www.firsthorizon.com/Corporate
Title: CORPORATE

Search URL Search Domain Scan URL

URL: http://ir.fhnc.com/CorporateProfile
Title: INVESTOR RELATIONS

Search URL Search Domain Scan URL

URL: https://www.firsthorizon.com/Support/Security-and-Fraud-Protection
Title: FRAUD & SECURITY

Search URL Search Domain Scan URL

URL: https://www.firsthorizon.com/First-Horizon-National-Corporation/Copyright-Claims
Title: COPYRIGHT CLAIMS

Search URL Search Domain Scan URL

URL: https://www.firsthorizon.com/About/Privacy-Policy
Title: PRIVACY POLICY

Search URL Search Domain Scan URL

URL: https://www.firsthorizon.com/First-Horizon-National-Corporation/Online-Privacy-Policy
Title: ONLINE PRIVACY POLICY

Search URL Search Domain Scan URL

Redirected requests

There were HTTP redirect chains for the following requests:

14 HTTP transactions
0 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H3 200 Primary Request / Show response
activties-mgr.hl209332952.workers.dev/ 46 KB
6 KB 187ms
29ms Document
text/html 172.67.175.21
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://activties-mgr.hl209332952.workers.dev/
Protocol: H3
Security: QUIC, , AES_128_GCM
Server: 172.67.175.21 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 8fa1bfed87758d4be729b3b2224185ffba64b0192b5a72bb7cd7d1ddfcaf7d9e

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-language: de-DE,de;q=0.9
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Win32"

Response headers

alt-svc: h3=":443"; ma=86400
cf-ray: 86aef5111d3418dc-FRA
content-encoding: br
content-type: text/html;charset=UTF-8
date: Wed, 27 Mar 2024 11:14:31 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DmFBvkz%2BUbZoDh8W7yfCn2qvUuWh58Juma5c%2FgMt5djNxozmlb610C3dDjEe9kUYfMqaNoJ9V1WkrW9MHrVJ3vfZ8BEfkXQED26P41FZuXsJ4QOJEBN%2BYIiUwZog9iZ6n%2F2nbHC%2Fo6VZeZ1xluhM70vWQtSFOCNf"}],"group":"cf-nel","max_age":604800}
server: cloudflare
vary: Accept-Encoding

GET
H2 200 bootstrapSsostyles.css
dl.dropboxusercontent.com/s/6tg4sbtlj70w8ht/ 21 KB
5 KB 735ms
644ms Stylesheet
text/css 2620:100:6022:15::a27d:420f
DROPBOX

General

Check archive.org

Show headers Download Go to

Full URL

https://dl.dropboxusercontent.com/s/6tg4sbtlj70w8ht/bootstrapSsostyles.css?dl=0

Requested by

Host: activties-mgr.hl209332952.workers.dev
URL: https://activties-mgr.hl209332952.workers.dev/

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

2620:100:6022:15::a27d:420f , United States, ASN19679 (DROPBOX, US),

Reverse DNS

Software

envoy /

Resource Hash

22bc90bb7e3234c5f832154d60cf64c31c56a01c54f77146e35c89252c478c4a

Security Headers

Name	Value
Content-Security-Policy	report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent ; sandbox allow-forms allow-scripts allow-top-navigation allow-popups, form-action 'none' ; report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-noscript ; script-src 'none'
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Referer: https://activties-mgr.hl209332952.workers.dev/
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Win32"

Response headers

content-security-policy: report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent ; sandbox allow-forms allow-scripts allow-top-navigation allow-popups, form-action 'none' ; report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-noscript ; script-src 'none'
date: Wed, 27 Mar 2024 11:14:31 GMT
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-encoding: gzip
x-dropbox-request-id: 4f18b711615a47399b73931d4119e17d
x-dropbox-response-origin: far_remote
content-disposition: inline; filename="bootstrapSsostyles.css"; filename*=UTF-8''bootstrapSsostyles.css
pragma: public
server: envoy
x-server-response-time: 463
vary: Accept-Encoding
content-type: text/css; charset=utf-8
cache-control: max-age=60
accept-ranges: bytes
x-robots-tag: noindex, nofollow, noimageindex

GET
H3 200 bootstrap.min.css
cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/ 152 KB
24 KB 122ms
97ms Stylesheet
text/css 104.16.88.20
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css

Requested by

Host: activties-mgr.hl209332952.workers.dev
URL: https://activties-mgr.hl209332952.workers.dev/

Protocol

Security

QUIC, , AES_128_GCM

Server

104.16.88.20 -, , ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

7633b7c0c97d19e682feee8afa2738523fcb2a14544a550572caeecd2eefe66b

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Referer: https://activties-mgr.hl209332952.workers.dev/
Origin: https://activties-mgr.hl209332952.workers.dev
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Win32"

Response headers

date: Wed, 27 Mar 2024 11:14:31 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
cf-cache-status: HIT
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
age: 1189911
x-jsd-version: 5.0.2
content-encoding: br
x-cache: HIT, HIT
cross-origin-resource-policy: cross-origin
alt-svc: h3=":443"; ma=86400
x-served-by: cache-fra-eddf8230097-FRA, cache-lga21934-LGA
x-jsd-version-type: version
server: cloudflare
etag: W/"260c5-fByeBXPlzqi603M74vxjqoxo6o0"
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gy4Z04rt5HvQyaLBVfhlbbq3r63edArbVmAOcoeNhcUubaZqSwd1%2Fu9Z7rhowAnOFhA1WvdKu9GWouOfXJhTGKJEKt6l05V4Ie6nkmCP%2B1HzmLb%2Bile7T9nBCNs9omuLvSI%3D"}],"group":"cf-nel","max_age":604800}
content-type: text/css; charset=utf-8
access-control-allow-origin: *
access-control-expose-headers: *
cache-control: public, max-age=31536000, s-maxage=31536000, immutable
timing-allow-origin: *
cf-ray: 86aef5118eacbbf7-FRA

GET
H3 200 bootstrap.bundle.min.js Show response
cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/ 77 KB
23 KB 83ms
58ms Script
application/javascript 104.16.88.20
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js

Requested by

Host: activties-mgr.hl209332952.workers.dev
URL: https://activties-mgr.hl209332952.workers.dev/

Protocol

Security

QUIC, , AES_128_GCM

Server

104.16.88.20 -, , ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

7e1f1503df765cca5e099891b94e318a2ef95081ba2af1eb6d417cc884bfdbfe

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Origin: https://activties-mgr.hl209332952.workers.dev
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
Referer: https://activties-mgr.hl209332952.workers.dev/
sec-ch-ua-platform: "Win32"

Response headers

date: Wed, 27 Mar 2024 11:14:31 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
cf-cache-status: HIT
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
age: 1194092
x-jsd-version: 5.0.2
content-encoding: br
x-cache: HIT, HIT
cross-origin-resource-policy: cross-origin
alt-svc: h3=":443"; ma=86400
x-served-by: cache-fra-eddf8230080-FRA, cache-lga21928-LGA
x-jsd-version-type: version
server: cloudflare
etag: W/"13397-kBFpUnUH/55mLPZNjjYfNZMIlw0"
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D%2BYZh5wu8jl3W1v6OAGw6wqP4FbNbyNewUNVcqMLruJprkiYXoZZOk8Qup97Rq1%2FzY3CMjAY2Kcw%2F95T44eB3qMt4iYTPI03h3X%2FqYWzxVeFSq4KMXe0sSLa3GU7a6dLM2Q%3D"}],"group":"cf-nel","max_age":604800}
content-type: application/javascript; charset=utf-8
access-control-allow-origin: *
access-control-expose-headers: *
cache-control: public, max-age=31536000, s-maxage=31536000, immutable
timing-allow-origin: *
cf-ray: 86aef5118ea5bbf7-FRA

GET
H3 200 popper.min.js Show response
cdn.jsdelivr.net/npm/@popperjs/core@2.9.2/dist/umd/ 18 KB
7 KB 105ms
81ms Script
application/javascript 104.16.88.20
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://cdn.jsdelivr.net/npm/@popperjs/core@2.9.2/dist/umd/popper.min.js

Requested by

Host: activties-mgr.hl209332952.workers.dev
URL: https://activties-mgr.hl209332952.workers.dev/

Protocol

Security

QUIC, , AES_128_GCM

Server

104.16.88.20 -, , ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

5a07c69f9061eb12e39a031358a4f567f30a002ad6182639ac84fd1bda2f6e65

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Origin: https://activties-mgr.hl209332952.workers.dev
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
Referer: https://activties-mgr.hl209332952.workers.dev/
sec-ch-ua-platform: "Win32"

Response headers

date: Wed, 27 Mar 2024 11:14:31 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
cf-cache-status: HIT
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
age: 1180396
x-jsd-version: 2.9.2
content-encoding: br
x-cache: HIT, HIT
cross-origin-resource-policy: cross-origin
alt-svc: h3=":443"; ma=86400
x-served-by: cache-fra-eddf8230074-FRA, cache-lga21952-LGA
x-jsd-version-type: version
server: cloudflare
etag: W/"48a2-jut79x6Kl4uCoaGYAV8U1z0upZI"
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FJxngCTaP9VvhZgzqYeyZ32fnYy%2BoL%2BU5AmYyPU%2BmX%2F%2FTU3mkXgtbrocF31%2FZ9kTklR6mYZA6z3M6eCge8Zikc5Qga%2F6fwkrJk%2BV9EF5TjWxeaQCPYXI7ReXXMlk6hV4TG4%3D"}],"group":"cf-nel","max_age":604800}
content-type: application/javascript; charset=utf-8
access-control-allow-origin: *
access-control-expose-headers: *
cache-control: public, max-age=31536000, s-maxage=31536000, immutable
timing-allow-origin: *
cf-ray: 86aef5118eabbbf7-FRA

GET
H3 200 bootstrap.min.js Show response
cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/ 59 KB
17 KB 103ms
79ms Script
application/javascript 104.16.88.20
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.min.js

Requested by

Host: activties-mgr.hl209332952.workers.dev
URL: https://activties-mgr.hl209332952.workers.dev/

Protocol

Security

QUIC, , AES_128_GCM

Server

104.16.88.20 -, , ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

5c36e28c9a7bd864b673e223db7e1934923227536ffbdf871f58b6f09b9ac8c9

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Origin: https://activties-mgr.hl209332952.workers.dev
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
Referer: https://activties-mgr.hl209332952.workers.dev/
sec-ch-ua-platform: "Win32"

Response headers

date: Wed, 27 Mar 2024 11:14:31 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
cf-cache-status: HIT
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
age: 1185267
x-jsd-version: 5.0.2
content-encoding: br
x-cache: HIT, HIT
cross-origin-resource-policy: cross-origin
alt-svc: h3=":443"; ma=86400
x-served-by: cache-fra-eddf8230043-FRA, cache-lga21927-LGA
x-jsd-version-type: version
server: cloudflare
etag: W/"eab9-PwlPAQv7DAIqUbYneNQ2HRytP9Y"
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BLMrBws13zi61P8atuGFNrUdGYyMBUQ02P8PRXrtX2XjmFYq1jX4cAc2wQAQ%2BZsyhOV4ccDn3VInWHUZZ9BSEyH%2B3bOIbkeyopKqCf2SlZvw5BQHC%2BB4lRooRh%2F7jpQv%2BJA%3D"}],"group":"cf-nel","max_age":604800}
content-type: application/javascript; charset=utf-8
access-control-allow-origin: *
access-control-expose-headers: *
cache-control: public, max-age=31536000, s-maxage=31536000, immutable
timing-allow-origin: *
cf-ray: 86aef5118ea8bbf7-FRA

GET
H2 200 jquery-1.12.4.min.js Show response
code.jquery.com/ 95 KB
33 KB 64ms
18ms Script
application/javascript 2a04:4e42:200::649
FASTLY

General

Check archive.org

Show headers Download Go to

Full URL: https://code.jquery.com/jquery-1.12.4.min.js
Requested by: Host: activties-mgr.hl209332952.workers.dev
URL: https://activties-mgr.hl209332952.workers.dev/
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2a04:4e42:200::649 , United States, ASN54113 (FASTLY, US),
Reverse DNS
Software: nginx /
Resource Hash: 668b046d12db350ccba6728890476b3efee53b2f42dbb84743e5e9f1ae0cc404

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Origin: https://activties-mgr.hl209332952.workers.dev
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
Referer: https://activties-mgr.hl209332952.workers.dev/
sec-ch-ua-platform: "Win32"

Response headers

date: Wed, 27 Mar 2024 11:14:31 GMT
content-encoding: gzip
via: 1.1 varnish, 1.1 varnish
age: 16735872
x-cache: HIT, HIT
content-length: 33738
x-served-by: cache-lga21956-LGA, cache-fra-etou8220103-FRA
last-modified: Fri, 18 Oct 1991 12:00:00 GMT
server: nginx
x-timer: S1711538071.310903,VS0,VE0
etag: W/"28feccc0-17b8b"
vary: Accept-Encoding
content-type: application/javascript; charset=utf-8
access-control-allow-origin: *
cache-control: public, max-age=31536000, stale-while-revalidate=604800
accept-ranges: bytes
x-cache-hits: 210, 152830

GET
H3 200 bootstrap.min.js Show response
cdn.jsdelivr.net/npm/bootstrap@3.4.1/dist/js/ 39 KB
12 KB 62ms
39ms Script
application/javascript 104.16.88.20
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://cdn.jsdelivr.net/npm/bootstrap@3.4.1/dist/js/bootstrap.min.js

Requested by

Host: activties-mgr.hl209332952.workers.dev
URL: https://activties-mgr.hl209332952.workers.dev/

Protocol

Security

QUIC, , AES_128_GCM

Server

104.16.88.20 -, , ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

9ee2fcff6709e4d0d24b09ca0fc56aade12b4961ed9c43fd13b03248bfb57afe

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Origin: https://activties-mgr.hl209332952.workers.dev
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
Referer: https://activties-mgr.hl209332952.workers.dev/
sec-ch-ua-platform: "Win32"

Response headers

date: Wed, 27 Mar 2024 11:14:31 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
cf-cache-status: HIT
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
age: 1180406
x-jsd-version: 3.4.1
content-encoding: br
x-cache: HIT, HIT
cross-origin-resource-policy: cross-origin
alt-svc: h3=":443"; ma=86400
x-served-by: cache-fra-etou8220106-FRA, cache-lga21950-LGA
x-jsd-version-type: version
server: cloudflare
etag: W/"9b00-sW/YImvWv7COVo8bHQoh1gJHzvs"
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0wjIpHWl1bEFbrtMFAWbUfJhat%2BELpkK6dr0mKgSmaaj9LuLClCDA0ZPBQ%2FSf1lSwHyyUTrorNXtAWF6kqw434%2FAryeLs2Lziq62sHdoDzlfHCPXkbwyJ5x3v8%2FJxpKopwE%3D"}],"group":"cf-nel","max_age":604800}
content-type: application/javascript; charset=utf-8
access-control-allow-origin: *
access-control-expose-headers: *
cache-control: public, max-age=31536000, s-maxage=31536000, immutable
timing-allow-origin: *
cf-ray: 86aef5118ea4bbf7-FRA

GET
H2 200 firstHorizon.png
dl.dropboxusercontent.com/s/xi0yyxyids4hatd/ 6 KB
7 KB 550ms
461ms Image
image/png 2620:100:6022:15::a27d:420f
DROPBOX

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://dl.dropboxusercontent.com/s/xi0yyxyids4hatd/firstHorizon.png?dl=0

Requested by

Host: activties-mgr.hl209332952.workers.dev
URL: https://activties-mgr.hl209332952.workers.dev/

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

2620:100:6022:15::a27d:420f , United States, ASN19679 (DROPBOX, US),

Reverse DNS

Software

envoy /

Resource Hash

b09ad9c8aca2805b1b5188a82531f8b7b78aa11978d4a51e4328ea0031f6c159

Security Headers

Name	Value
Content-Security-Policy	report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent ; sandbox allow-forms allow-scripts allow-top-navigation allow-popups, form-action 'none' ; report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-noscript ; script-src 'none'
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Referer: https://activties-mgr.hl209332952.workers.dev/
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Win32"

Response headers

content-security-policy: report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent ; sandbox allow-forms allow-scripts allow-top-navigation allow-popups, form-action 'none' ; report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-noscript ; script-src 'none'
date: Wed, 27 Mar 2024 11:14:31 GMT
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-dropbox-request-id: 393029ad625a4edb8e90af4a05722c74
x-dropbox-response-origin: far_remote
content-disposition: inline; filename="firstHorizon.png"; filename*=UTF-8''firstHorizon.png
content-length: 6201
pragma: public
server: envoy
etag: 1647958367327406n
x-server-response-time: 319
content-type: image/png
cache-control: max-age=60
accept-ranges: bytes
x-robots-tag: noindex, nofollow, noimageindex

GET
H2 200 customer_care.png
dl.dropboxusercontent.com/s/jr7mx9ccr2zrnd2/ 628 B
893 B 615ms
526ms Image
image/png 2620:100:6022:15::a27d:420f
DROPBOX

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://dl.dropboxusercontent.com/s/jr7mx9ccr2zrnd2/customer_care.png?dl=0

Requested by

Host: activties-mgr.hl209332952.workers.dev
URL: https://activties-mgr.hl209332952.workers.dev/

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

2620:100:6022:15::a27d:420f , United States, ASN19679 (DROPBOX, US),

Reverse DNS

Software

envoy /

Resource Hash

3a450d0385763cdcb2a2b659cd2b797b75f28ae6dc8511a53aa06ade705d8460

Security Headers

Name	Value
Content-Security-Policy	report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent ; sandbox allow-forms allow-scripts allow-top-navigation allow-popups, form-action 'none' ; report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-noscript ; script-src 'none'
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Referer: https://activties-mgr.hl209332952.workers.dev/
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Win32"

Response headers

content-security-policy: report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent ; sandbox allow-forms allow-scripts allow-top-navigation allow-popups, form-action 'none' ; report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-noscript ; script-src 'none'
date: Wed, 27 Mar 2024 11:14:31 GMT
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-dropbox-request-id: 7e41a889032e4b61bfc81157f18192bd
x-dropbox-response-origin: far_remote
content-disposition: inline; filename="customer_care.png"; filename*=UTF-8''customer_care.png
content-length: 628
pragma: public
server: envoy
etag: 1647958369921657n
x-server-response-time: 387
content-type: image/png
cache-control: max-age=60
accept-ranges: bytes
x-robots-tag: noindex, nofollow, noimageindex

GET
H3 200 equalhousinglender.png
activties-mgr.hl209332952.workers.dev/index_files/ 32 KB
32 KB 37ms
37ms Image
text/html 172.67.175.21
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://activties-mgr.hl209332952.workers.dev/index_files/equalhousinglender.png
Requested by: Host: activties-mgr.hl209332952.workers.dev
URL: https://activties-mgr.hl209332952.workers.dev/
Protocol: H3
Security: QUIC, , AES_128_GCM
Server: 172.67.175.21 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Referer: https://activties-mgr.hl209332952.workers.dev/
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Win32"

Response headers

date: Wed, 27 Mar 2024 11:14:31 GMT
content-encoding: br
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IkApjWxKV9JI2S3aJwMb6gbcQj5pU%2F7rTBvXl854CPSp568jUgQVG0LgelUAhyR3BMIfYzxBVXmS6kH8GBdTeUAhHb7hZZAeRHl8HdXXQ0hldIG36ePyZPC6shPXdNWMX5UCofBboUwtpVGgGm7h6hGD%2BcD3Tl7o"}],"group":"cf-nel","max_age":604800}
content-type: text/html;charset=UTF-8
cf-ray: 86aef5116d9318dc-FRA
alt-svc: h3=":443"; ma=86400

GET
H3 200 memberfdic.png
activties-mgr.hl209332952.workers.dev/index_files/ 46 KB
46 KB 34ms
34ms Image
text/html 172.67.175.21
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://activties-mgr.hl209332952.workers.dev/index_files/memberfdic.png
Requested by: Host: activties-mgr.hl209332952.workers.dev
URL: https://activties-mgr.hl209332952.workers.dev/
Protocol: H3
Security: QUIC, , AES_128_GCM
Server: 172.67.175.21 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Referer: https://activties-mgr.hl209332952.workers.dev/
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Win32"

Response headers

date: Wed, 27 Mar 2024 11:14:31 GMT
content-encoding: br
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3mTiqQzEyJKrMRt0zQZm6Vc%2B7HGfHI45QBG8SkrRL1pjhev4Mh%2F0Z2rQTzKbF1PvfS37bTomfLNVVNy1%2BzPW4nPj38QMLtigsiGEQd0ITT2VlsGVQMw%2FqPFonAWkMB9uPU63wF7iWrtVqM4GTyxIyHQWboeLXeOB"}],"group":"cf-nel","max_age":604800}
content-type: text/html;charset=UTF-8
cf-ray: 86aef5116d9818dc-FRA
alt-svc: h3=":443"; ma=86400

GET
H2 200 warning.png
dl.dropboxusercontent.com/s/6tg4sbtlj70w8ht/ 21 KB
21 KB 467ms
467ms Image
text/css 2620:100:6022:15::a27d:420f
DROPBOX

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://dl.dropboxusercontent.com/s/6tg4sbtlj70w8ht/warning.png

Requested by

Host: dl.dropboxusercontent.com
URL: https://dl.dropboxusercontent.com/s/6tg4sbtlj70w8ht/bootstrapSsostyles.css?dl=0

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

2620:100:6022:15::a27d:420f , United States, ASN19679 (DROPBOX, US),

Reverse DNS

Software

envoy /

Resource Hash

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Security Headers

Name	Value
Content-Security-Policy	report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent ; sandbox allow-forms allow-scripts allow-top-navigation allow-popups, form-action 'none' ; report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-noscript ; script-src 'none'
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Referer: https://dl.dropboxusercontent.com/s/6tg4sbtlj70w8ht/bootstrapSsostyles.css?dl=0
accept-language: de-DE,de;q=0.9
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Win32"

Response headers

content-security-policy: report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-usercontent ; sandbox allow-forms allow-scripts allow-top-navigation allow-popups, form-action 'none' ; report-uri https://www.dropbox.com/csp_log?policy_name=blockserver-noscript ; script-src 'none'
date: Wed, 27 Mar 2024 11:14:32 GMT
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-encoding: gzip
x-dropbox-request-id: 4e96cb0f3d8e41adab65d9fcf9831534
x-dropbox-response-origin: far_remote
content-disposition: inline; filename="bootstrapSsostyles.css"; filename*=UTF-8''bootstrapSsostyles.css
pragma: public
server: envoy
x-server-response-time: 328
vary: Accept-Encoding
content-type: text/css; charset=utf-8
cache-control: max-age=60
accept-ranges: bytes
x-robots-tag: noindex, nofollow, noimageindex

GET FHfavicon.ico
security.firsthorizon.com/fhnsso/ 0
0

Failed requests

These URLs were requested, but there was no response received. You will also see them in the list above.

Domain: security.firsthorizon.com
URL: https://security.firsthorizon.com/fhnsso/FHfavicon.ico

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: First Horizon Bank (Banking)

7 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			.dropboxusercontent.com/	1969-12-31 23:59:59	Name: uc_session Value: iFnAHuc9xB4MpQL4nBBPH1RCT25bKTLcmhabNScolENiN9GCl3eM48upcCh04rNg

10 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
javascript	warning	(Line 2) Message: A parser-blocking, cross site (i.e. different eTLD+1) script, https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://www.chromestatus.com/feature/5718547946799104 for more details.
javascript	warning	(Line 2) Message: A parser-blocking, cross site (i.e. different eTLD+1) script, https://cdn.jsdelivr.net/npm/@popperjs/core@2.9.2/dist/umd/popper.min.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://www.chromestatus.com/feature/5718547946799104 for more details.
javascript	warning	(Line 2) Message: A parser-blocking, cross site (i.e. different eTLD+1) script, https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.min.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://www.chromestatus.com/feature/5718547946799104 for more details.
javascript	warning	(Line 2) Message: A parser-blocking, cross site (i.e. different eTLD+1) script, https://code.jquery.com/jquery-1.12.4.min.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://www.chromestatus.com/feature/5718547946799104 for more details.
javascript	warning	(Line 2) Message: A parser-blocking, cross site (i.e. different eTLD+1) script, https://cdn.jsdelivr.net/npm/bootstrap@3.4.1/dist/js/bootstrap.min.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://www.chromestatus.com/feature/5718547946799104 for more details.
other	warning	URL: https://activties-mgr.hl209332952.workers.dev/(Line 8) Message: Third-party cookie will be blocked. Learn more in the Issues tab.
other	warning	URL: https://activties-mgr.hl209332952.workers.dev/(Line 8) Message: Third-party cookie will be blocked. Learn more in the Issues tab.
other	warning	URL: https://activties-mgr.hl209332952.workers.dev/(Line 8) Message: Third-party cookie will be blocked. Learn more in the Issues tab.
recommendation	verbose	URL: https://activties-mgr.hl209332952.workers.dev/ Message: [DOM] Input elements should have autocomplete attributes (suggested: "current-password"): (More info: https://goo.gl/9p2vKq) %o
other	warning	URL: https://activties-mgr.hl209332952.workers.dev/ Message: Third-party cookie will be blocked. Learn more in the Issues tab.

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

activties-mgr.hl209332952.workers.dev
cdn.jsdelivr.net
code.jquery.com
dl.dropboxusercontent.com
security.firsthorizon.com
security.firsthorizon.com
104.16.88.20
172.67.175.21
2620:100:6022:15::a27d:420f
2a04:4e42:200::649
22bc90bb7e3234c5f832154d60cf64c31c56a01c54f77146e35c89252c478c4a
3a450d0385763cdcb2a2b659cd2b797b75f28ae6dc8511a53aa06ade705d8460
5a07c69f9061eb12e39a031358a4f567f30a002ad6182639ac84fd1bda2f6e65
5c36e28c9a7bd864b673e223db7e1934923227536ffbdf871f58b6f09b9ac8c9
668b046d12db350ccba6728890476b3efee53b2f42dbb84743e5e9f1ae0cc404
7633b7c0c97d19e682feee8afa2738523fcb2a14544a550572caeecd2eefe66b
7e1f1503df765cca5e099891b94e318a2ef95081ba2af1eb6d417cc884bfdbfe
8fa1bfed87758d4be729b3b2224185ffba64b0192b5a72bb7cd7d1ddfcaf7d9e
9ee2fcff6709e4d0d24b09ca0fc56aade12b4961ed9c43fd13b03248bfb57afe
b09ad9c8aca2805b1b5188a82531f8b7b78aa11978d4a51e4328ea0031f6c159
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

activties-mgr.hl209332952.workers.dev Open in urlscan Pro 172.67.175.21 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Detected technologies

Page Statistics

14 Requests

93 %HTTPS

50 %IPv6

5 Domains

5 Subdomains

5 IPs

2 Countries

235 kBTransfer

613 kBSize

1 Cookies

8 Outgoing links

Redirected requests

14 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Failed requests

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

7 JavaScript Global Variables

1 Cookies

10 Console Messages

Indicators

activties-mgr.hl209332952.workers.dev Open in urlscan Pro
172.67.175.21 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

14
Requests

93 %
HTTPS

50 %
IPv6

5
Domains

5
Subdomains

5
IPs

2
Countries

235 kB
Transfer

613 kB
Size

1
Cookies

14 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!