firebasestorage.googleapis.com Open in urlscan Pro
2a00:1450:4001:825::200a Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
https://firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8...
Effective URL:
https://firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8...
Submission: On March 27 via manual (March 27th 2020, 2:49:08 am UTC) from DO

Summary HTTP 7 Redirects Behaviour Indicators

Summary

This website contacted 4 IPs in 2 countries across 3 domains to perform 7 HTTP transactions. The main IP is 2a00:1450:4001:825::200a, located in Frankfurt am Main, Germany and belongs to GOOGLE, US. The main domain is firebasestorage.googleapis.com.
TLS certificate: Issued by GTS CA 1O1 on March 3rd 2020. Valid for: 3 months.

This is the only time firebasestorage.googleapis.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Facebook (Social Network)

Domain & IP information

	IP Address	AS Autonomous System
1	2a00:1450:400... 2a00:1450:4001:825::200a	15169 (GOOGLE) (GOOGLE)
1 5	199.188.201.223 199.188.201.223	22612 (NAMECHEAP...) (NAMECHEAP-NET)
2 2	67.202.94.94 67.202.94.94	32748 (STEADFAST) (STEADFAST)
2	185.225.208.133 185.225.208.133	13213 (UK2NET-AS) (UK2NET-AS)
7	4

1 2a00:1450:4001:825::200a (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

firebasestorage.googleapis.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

5 199.188.201.223 (Los Angeles, United States) 1 redirects

ASN22612 (NAMECHEAP-NET, US)
PTR: business58-4.web-hosting.com

one.appspackformoblies.website	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 67.202.94.94 (Chicago, United States) 2 redirects

ASN32748 (STEADFAST, US)
PTR: amung.us

whos.amung.us	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 185.225.208.133 (Germany)

ASN13213 (UK2NET-AS, GB)

widgets.amung.us	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
5	appspackformoblies.website 1 redirects one.appspackformoblies.website	496 KB
4	amung.us 2 redirects whos.amung.us widgets.amung.us	4 KB
1	googleapis.com firebasestorage.googleapis.com	876 B
7	3

	Domain	Requested by
5	one.appspackformoblies.website	1 redirects firebasestorage.googleapis.com one.appspackformoblies.website
2	widgets.amung.us
2	whos.amung.us	2 redirects
1	firebasestorage.googleapis.com
7	4

This site contains no links.

Subject Issuer	Validity	Valid
*.storage.googleapis.com GTS CA 1O1	`2020-03-03` - `2020-05-26`	3 months	crt.sh
one.appspackformoblies.website Sectigo RSA Domain Validation Secure Server CA	`2019-12-18` - `2020-12-17`	a year	crt.sh
whos.amung.us GeoTrust EV RSA CA 2018	`2018-03-09` - `2020-05-25`	2 years	crt.sh

This page contains 1 frames:

Primary Page: https://firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8f74-4683-88df-632eba8b2e44
Frame ID: 1281607AD500046410FFBBF0955984E0
Requests: 9 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Statistics

7
Requests

100 %
HTTPS

25 %
IPv6

3
Domains

4
Subdomains

4
IPs

2
Countries

500 kB
Transfer

763 kB
Size

0
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 3

https://one.appspackformoblies.website/auto/api/location HTTP 301
https://one.appspackformoblies.website/auto/api/location/

Request Chain 5

https://whos.amung.us/widget/newabcdario HTTP 307
https://widgets.amung.us/classic/00/57.png

Request Chain 6

https://whos.amung.us/widget/abcdario2k20 HTTP 307
https://widgets.amung.us/classic/00/56.png

7 HTTP transactions
2 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H2	200	Primary Request 2wTf3masosf%20fa%20df830r%20fad.html Show response firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/	158 B 876 B	566ms 547ms	Document text/html	2a00:1450:4001:825::200a GOOGLE
General Check archive.org Show headers Download Go to Full URL https://firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8f74-4683-88df-632eba8b2e44 Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2a00:1450:4001:825::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE, US), Reverse DNS Software UploadServer / Resource Hash `7341ec3217aa734fc16a82310a7c83ee693943e5380fa7289b967d7598f49dbc` Request headers :method GET :authority firebasestorage.googleapis.com :scheme https :path /v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8f74-4683-88df-632eba8b2e44 pragma no-cache cache-control no-cache upgrade-insecure-requests 1 user-agent Defecto sec-fetch-dest document accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 sec-fetch-site none sec-fetch-mode navigate sec-fetch-user ?1 accept-encoding gzip, deflate, br accept-language en-US Upgrade-Insecure-Requests 1 User-Agent Defecto Sec-Fetch-Dest document Response headers status 200 x-guploader-uploadid AEnB2Up_FWm082hItk7Ah0WTIEDgToFLZGzSuAoe3ij8BHQw4_4bUYyZiFrX5NxyP0tiH314mx8XdUli1GHXANcaC48set9GcQ expires Fri, 27 Mar 2020 02:48:50 GMT date Fri, 27 Mar 2020 02:48:50 GMT cache-control private, max-age=0 last-modified Thu, 19 Mar 2020 12:50:23 GMT etag "d3ab0de7cd992d6c59fcb28711b42412" x-goog-generation 1584622223931829 x-goog-metageneration 1 x-goog-stored-content-encoding identity x-goog-stored-content-length 158 x-goog-meta-firebasestoragedownloadtokens 0fb4d280-8f74-4683-88df-632eba8b2e44 content-type text/html content-disposition inline; filename=utf-8''2wTf3masosf%20fa%20df830r%20fad.html x-goog-hash* crc32c=pZ6+rA== md5=06sN582ZLWxZ/LKHEbQkEg== x-goog-storage-class STANDARD accept-ranges bytes content-length 158 server UploadServer alt-svc quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000
GET H2	200	/ Show response one.appspackformoblies.website/auto/api/	13 KB 5 KB	610ms 172ms	Script application/javascript	199.188.201.223 NAMECHEAP-NET
General Check archive.org Show headers Download Go to Full URL https://one.appspackformoblies.website/auto/api/?api=1&lan=facebookapphk&ht=2&counter0=newabcdario Requested by Host: firebasestorage.googleapis.com URL: https://firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8f74-4683-88df-632eba8b2e44 Protocol H2 Security TLS 1.3, , AES_256_GCM Server 199.188.201.223 Los Angeles, United States, ASN22612 (NAMECHEAP-NET, US), Reverse DNS business58-4.web-hosting.com Software Apache / PHP/7.2.28 Resource Hash `a7520098d4520f233fc1d1db93474cadb8204122baf1bef54598a43c7f59054c` Request headers Referer https://firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8f74-4683-88df-632eba8b2e44 User-Agent Defecto Sec-Fetch-Dest script Response headers pragma no-cache date Fri, 27 Mar 2020 02:48:51 GMT content-encoding gzip server Apache x-powered-by PHP/7.2.28 vary Accept-Encoding content-type application/javascript status 200 cache-control no-store, no-cache, must-revalidate content-length 4998 expires Thu, 19 Nov 1981 08:52:00 GMT
GET H2	200	0PQ839vO2XQ.css one.appspackformoblies.website/auto/api/landings/m.facebook/files/	682 KB 487 KB	176ms 175ms	Stylesheet text/css	199.188.201.223 NAMECHEAP-NET
General Check archive.org Show headers Download Go to Full URL https://one.appspackformoblies.website/auto/api/landings/m.facebook/files/0PQ839vO2XQ.css Requested by Host: one.appspackformoblies.website URL: https://one.appspackformoblies.website/auto/api/?api=1&lan=facebookapphk&ht=2&counter0=newabcdario Protocol H2 Security TLS 1.3, , AES_256_GCM Server 199.188.201.223 Los Angeles, United States, ASN22612 (NAMECHEAP-NET, US), Reverse DNS business58-4.web-hosting.com Software Apache / Resource Hash `9e96483075e80b1da11bb3fcc7a2252be73bbe575474b6db0b7d04edd6a338a5` Request headers Referer https://firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8f74-4683-88df-632eba8b2e44 User-Agent Defecto Sec-Fetch-Dest style Response headers date Fri, 27 Mar 2020 02:48:51 GMT content-encoding gzip last-modified Thu, 19 Mar 2020 01:25:03 GMT server Apache vary Accept-Encoding content-type text/css status 200 accept-ranges bytes
GET H2	200	5-cAgKNU9ON.css one.appspackformoblies.website/auto/api/landings/m.facebook/files/	12 KB 3 KB	169ms 168ms	Stylesheet text/css	199.188.201.223 NAMECHEAP-NET
General Check archive.org Show headers Download Go to Full URL https://one.appspackformoblies.website/auto/api/landings/m.facebook/files/5-cAgKNU9ON.css Requested by Host: one.appspackformoblies.website URL: https://one.appspackformoblies.website/auto/api/?api=1&lan=facebookapphk&ht=2&counter0=newabcdario Protocol H2 Security TLS 1.3, , AES_256_GCM Server 199.188.201.223 Los Angeles, United States, ASN22612 (NAMECHEAP-NET, US), Reverse DNS business58-4.web-hosting.com Software Apache / Resource Hash `1d674229b69d2f90ea2530f29f9d49d6ca50d39aa50c2b2275f94f6df40f3cc2` Request headers Referer https://firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8f74-4683-88df-632eba8b2e44 User-Agent Defecto Sec-Fetch-Dest style Response headers date Fri, 27 Mar 2020 02:48:51 GMT content-encoding gzip last-modified Thu, 19 Mar 2020 01:25:03 GMT server Apache vary Accept-Encoding content-type text/css status 200 accept-ranges bytes content-length 2797
GET H2	200	/ Show response one.appspackformoblies.website/auto/api/location/ Redirect Chain https://one.appspackformoblies.website/auto/api/location https://one.appspackformoblies.website/auto/api/location/	1 KB 620 B	1188ms 1188ms	Script application/javascript	199.188.201.223 NAMECHEAP-NET
General Check archive.org Show headers Download Go to Full URL https://one.appspackformoblies.website/auto/api/location/ Protocol H2 Security TLS 1.3, , AES_256_GCM Server 199.188.201.223 Los Angeles, United States, ASN22612 (NAMECHEAP-NET, US), Reverse DNS business58-4.web-hosting.com Software Apache / PHP/7.2.28 Resource Hash `28b7b590c7acf1089c3f7b4ddf67302f938ef3fccf36ff72af44c778a7601a6c` Request headers Referer https://firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8f74-4683-88df-632eba8b2e44 User-Agent Defecto Response headers date Fri, 27 Mar 2020 02:48:51 GMT content-encoding gzip server Apache x-powered-by PHP/7.2.28 vary Accept-Encoding content-type application/javascript status 200 content-length 463 Redirect headers status 301 date Fri, 27 Mar 2020 02:48:51 GMT server Apache content-length 265 location https://one.appspackformoblies.website/auto/api/location/ content-type text/html; charset=iso-8859-1
GET DATA	200 OK	truncated /	1 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `1230532f79456753fb73f559ece9b95c17cfb36325dc313a3eda5ac22dfd9a2b` Request headers User-Agent Defecto Response headers Content-Type image/png
GET H2	200	57.png widgets.amung.us/classic/00/ Redirect Chain https://whos.amung.us/widget/newabcdario https://widgets.amung.us/classic/00/57.png	1 KB 2 KB	99ms 32ms	Image image/png	185.225.208.133 UK2NET-AS
General Check archive.org Show headers Download Go to Show image Full URL https://widgets.amung.us/classic/00/57.png Protocol H2 Security TLS 1.3, , AES_256_GCM Server 185.225.208.133 , Germany, ASN13213 (UK2NET-AS, GB), Reverse DNS Software / Resource Hash `543bc3e40c4bacb439a883a01f124339341cf8f1ef0be84e06745bd28a798b5f` Request headers Referer https://firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8f74-4683-88df-632eba8b2e44 User-Agent Defecto Response headers date Fri, 27 Mar 2020 02:48:51 GMT last-modified Sun, 13 Jun 2010 09:03:09 GMT access-control-allow-origin * etag "4c149ecd-5d5" content-type image/png status 200 cache-control max-age=86400, private accept-ranges bytes content-length 1493 expires Sat, 28 Mar 2020 02:48:51 GMT Redirect headers status 307 date Fri, 27 Mar 2020 02:48:51 GMT cache-control no-cache, no-store, must-revalidate location https://widgets.amung.us/classic/00/57.png content-type text/html; charset=UTF-8
GET H2	200	56.png widgets.amung.us/classic/00/ Redirect Chain https://whos.amung.us/widget/abcdario2k20 https://widgets.amung.us/classic/00/56.png	1 KB 2 KB	99ms 33ms	Image image/png	185.225.208.133 UK2NET-AS
General Check archive.org Show headers Download Go to Show image Full URL https://widgets.amung.us/classic/00/56.png Protocol H2 Security TLS 1.3, , AES_256_GCM Server 185.225.208.133 , Germany, ASN13213 (UK2NET-AS, GB), Reverse DNS Software / Resource Hash `c0124680377030216680cbbfa9d94c935426e26d4e4e78dbb43d900742f51272` Request headers Referer https://firebasestorage.googleapis.com/v0/b/spotify-3f00f.appspot.com/o/2wTf3masosf%20fa%20df830r%20fad.html?alt=media&token=0fb4d280-8f74-4683-88df-632eba8b2e44 User-Agent Defecto Response headers date Fri, 27 Mar 2020 02:48:51 GMT last-modified Sun, 13 Jun 2010 09:03:09 GMT access-control-allow-origin * etag "4c149ecd-5f2" content-type image/png status 200 cache-control max-age=86400, private accept-ranges bytes content-length 1522 expires Sat, 28 Mar 2020 02:48:51 GMT Redirect headers status 307 date Fri, 27 Mar 2020 02:48:51 GMT cache-control no-cache, no-store, must-revalidate location https://widgets.amung.us/classic/00/56.png content-type text/html; charset=UTF-8
GET DATA	200 OK	truncated /	51 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `7281941fed81ed9caf5728727e05da4a94b442c36796e1a5b1d6106f242ed11f` Request headers User-Agent Defecto Response headers Content-Type image/png

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Facebook (Social Network)

15 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

0 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

6 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
console-api	log	URL: https://one.appspackformoblies.website/auto/api/?api=1&lan=facebookapphk&ht=2&counter0=newabcdario(Line 71) Message: [object HTMLScriptElement]
console-api	log	URL: https://one.appspackformoblies.website/auto/api/?api=1&lan=facebookapphk&ht=2&counter0=newabcdario(Line 71) Message: [object HTMLScriptElement]
console-api	log	URL: https://one.appspackformoblies.website/auto/api/?api=1&lan=facebookapphk&ht=2&counter0=newabcdario(Line 71) Message: [object HTMLScriptElement]
console-api	log	URL: https://one.appspackformoblies.website/auto/api/?api=1&lan=facebookapphk&ht=2&counter0=newabcdario(Line 71) Message: [object HTMLScriptElement]
console-api	log	URL: https://one.appspackformoblies.website/auto/api/?api=1&lan=facebookapphk&ht=2&counter0=newabcdario(Line 71) Message: [object HTMLScriptElement]
console-api	log	URL: https://one.appspackformoblies.website/auto/api/?api=1&lan=facebookapphk&ht=2&counter0=newabcdario(Line 71) Message: [object HTMLScriptElement]

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

firebasestorage.googleapis.com
one.appspackformoblies.website
whos.amung.us
widgets.amung.us
185.225.208.133
199.188.201.223
2a00:1450:4001:825::200a
67.202.94.94
1230532f79456753fb73f559ece9b95c17cfb36325dc313a3eda5ac22dfd9a2b
1d674229b69d2f90ea2530f29f9d49d6ca50d39aa50c2b2275f94f6df40f3cc2
28b7b590c7acf1089c3f7b4ddf67302f938ef3fccf36ff72af44c778a7601a6c
543bc3e40c4bacb439a883a01f124339341cf8f1ef0be84e06745bd28a798b5f
7281941fed81ed9caf5728727e05da4a94b442c36796e1a5b1d6106f242ed11f
7341ec3217aa734fc16a82310a7c83ee693943e5380fa7289b967d7598f49dbc
9e96483075e80b1da11bb3fcc7a2252be73bbe575474b6db0b7d04edd6a338a5
a7520098d4520f233fc1d1db93474cadb8204122baf1bef54598a43c7f59054c
c0124680377030216680cbbfa9d94c935426e26d4e4e78dbb43d900742f51272

firebasestorage.googleapis.com Open in urlscan Pro 2a00:1450:4001:825::200a Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Statistics

7 Requests

100 %HTTPS

25 %IPv6

3 Domains

4 Subdomains

4 IPs

2 Countries

500 kBTransfer

763 kBSize

0 Cookies

0 Outgoing links

Redirected requests

7 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 2 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Redirect headers

Request headers

Response headers

Redirect headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

15 JavaScript Global Variables

0 Cookies

6 Console Messages

Indicators

firebasestorage.googleapis.com Open in urlscan Pro
2a00:1450:4001:825::200a Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

7
Requests

100 %
HTTPS

25 %
IPv6

3
Domains

4
Subdomains

4
IPs

2
Countries

500 kB
Transfer

763 kB
Size

0
Cookies

7 HTTP transactions
2 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!