wmt.intasa.og.ao Open in urlscan Pro
209.59.134.58 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
http://bit.do/dSCJq
Effective URL:
http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/login-rp.html?westernUnionOnline&bn=3a87f6b7c2088874&burl...
Submission: On November 07 via api (November 7th 2017, 6:03:40 pm UTC) from CA

Summary HTTP 45 Redirects Links 24 Behaviour Indicators

Summary

This website contacted 13 IPs in 4 countries across 11 domains to perform 45 HTTP transactions. The main IP is 209.59.134.58, located in Lansing, United States and belongs to LIQUID-WEB-INC - Liquid Web, L.L.C, US. The main domain is wmt.intasa.og.ao.

This is the only time wmt.intasa.og.ao was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Western Union (Banking)

Domain & IP information

	IP Address	AS Autonomous System
1 1	54.83.52.76 54.83.52.76	14618 (AMAZON-AES) (AMAZON-AES - Amazon.com)
1 25	209.59.134.58 209.59.134.58	32244 (LIQUID-WE...) (LIQUID-WEB-INC - Liquid Web)
1	2a00:1450:400... 2a00:1450:4001:81b::2008	15169 (GOOGLE) (GOOGLE - Google Inc.)
3	92.123.93.102 92.123.93.102	20940 (AKAMAI-ASN1) (AKAMAI-ASN1)
1	23.8.10.180 23.8.10.180	20940 (AKAMAI-ASN1) (AKAMAI-ASN1)
3	66.117.29.11 66.117.29.11	15224 (OMNITURE) (OMNITURE - Adobe Systems Inc.)
1 3	54.246.133.167 54.246.133.167	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
2	52.85.183.55 52.85.183.55	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
2	2a03:2880:f02... 2a03:2880:f02d:12:face:b00c:0:3	32934 (FACEBOOK) (FACEBOOK - Facebook)
3	2400:cb00:204... 2400:cb00:2048:1::6814:601a	13335 (CLOUDFLAR...) (CLOUDFLARENET - CloudFlare)
1	2a03:2880:f12... 2a03:2880:f12d:83:face:b00c:0:25de	32934 (FACEBOOK) (FACEBOOK - Facebook)
1	2600:1901:0:f... 2600:1901:0:ff7::	15169 (GOOGLE) (GOOGLE - Google Inc.)
1	34.195.120.39 34.195.120.39	14618 (AMAZON-AES) (AMAZON-AES - Amazon.com)
45	13

1 54.83.52.76 (Ashburn, United States) 1 redirects

ASN14618 (AMAZON-AES - Amazon.com, Inc., US)
PTR: ec2-54-83-52-76.compute-1.amazonaws.com

bit.do	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

25 209.59.134.58 (Lansing, United States) 1 redirects

ASN32244 (LIQUID-WEB-INC - Liquid Web, L.L.C, US)
PTR: luanda.angoweb.biz

wmt.intasa.og.ao	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:81b::2008 (Ireland)

ASN15169 (GOOGLE - Google Inc., US)

www.googletagmanager.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

3 92.123.93.102 (European Union)

ASN20940 (AKAMAI-ASN1, US)
PTR: a92-123-93-102.deploy.akamaitechnologies.com

assets.adobedtm.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 23.8.10.180 (Amsterdam, Netherlands)

ASN20940 (AKAMAI-ASN1, US)
PTR: a23-8-10-180.deploy.static.akamaitechnologies.com

cdn.tt.omtrdc.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

3 66.117.29.11 (Lehi, United States)

ASN15224 (OMNITURE - Adobe Systems Inc., US)

westernunion.tt.omtrdc.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

3 54.246.133.167 (Dublin, Ireland) 1 redirects

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: ec2-54-246-133-167.eu-west-1.compute.amazonaws.com

westernunion.demdex.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 52.85.183.55 (Seattle, United States)

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: server-52-85-183-55.fra50.r.cloudfront.net

www.cdn-net.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a03:2880:f02d:12:face:b00c:0:3 (Ireland)

ASN32934 (FACEBOOK - Facebook, Inc., US)

connect.facebook.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

3 2400:cb00:2048:1::6814:601a (United States)

ASN13335 (CLOUDFLARENET - CloudFlare, Inc., US)

cdn.cformanalytics.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
apid.cformanalytics.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a03:2880:f12d:83:face:b00c:0:25de (Ireland)

ASN32934 (FACEBOOK - Facebook, Inc., US)

www.facebook.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2600:1901:0:ff7:: (United States)

ASN15169 (GOOGLE - Google Inc., US)

six.cdn-net.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 34.195.120.39 (Ashburn, United States)

ASN14618 (AMAZON-AES - Amazon.com, Inc., US)
PTR: ec2-34-195-120-39.compute-1.amazonaws.com

westernunion.evergage.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
25	intasa.og.ao 1 redirects wmt.intasa.og.ao	295 KB
4	omtrdc.net cdn.tt.omtrdc.net westernunion.tt.omtrdc.net	16 KB
3	cformanalytics.com cdn.cformanalytics.com apid.cformanalytics.com	15 KB
3	cdn-net.com www.cdn-net.com six.cdn-net.com	13 KB
3	demdex.net 1 redirects westernunion.demdex.net	945 B
3	adobedtm.com assets.adobedtm.com	23 KB
2	facebook.net connect.facebook.net	11 KB
1	evergage.com westernunion.evergage.com
1	facebook.com www.facebook.com	53 B
1	googletagmanager.com www.googletagmanager.com	28 KB
1	bit.do 1 redirects bit.do	263 B
45	11

	Domain	Requested by
25	wmt.intasa.og.ao	1 redirects wmt.intasa.og.ao
3	westernunion.demdex.net	1 redirects wmt.intasa.og.ao
3	westernunion.tt.omtrdc.net	assets.adobedtm.com wmt.intasa.og.ao
3	assets.adobedtm.com	wmt.intasa.og.ao
2	apid.cformanalytics.com	wmt.intasa.og.ao
2	connect.facebook.net	wmt.intasa.og.ao
2	www.cdn-net.com	wmt.intasa.og.ao www.cdn-net.com
1	westernunion.evergage.com	wmt.intasa.og.ao
1	six.cdn-net.com	www.cdn-net.com
1	www.facebook.com	wmt.intasa.og.ao
1	cdn.cformanalytics.com	wmt.intasa.og.ao
1	cdn.tt.omtrdc.net	assets.adobedtm.com
1	www.googletagmanager.com	wmt.intasa.og.ao
1	bit.do	1 redirects
45	14

This site contains links to these domains. Also see Links.

Domain
www.westernunion.com
corporate.westernunion.com
blog.westernunion.com
ir.westernunion.com
foundation.westernunion.com
agentportal.westernunion.com
payments.westernunion.com
sealserver.trustkeeper.net
www.trustlogo.com
www.bbb.org

Subject Issuer	Validity	Valid
*.facebook.com DigiCert SHA2 High Assurance Server CA	`2016-12-09` - `2018-01-25`	a year	crt.sh

This page contains 3 frames:

Primary Page: http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/login-rp.html?westernUnionOnline&bn=3a87f6b7c2088874&burlid=d001a6ea0b9cbe16
Frame ID: 6016.1
Requests: 43 HTTP requests in this frame

Frame: http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/login-rp_files/dest4.html
Frame ID: 6016.2
Requests: 1 HTTP requests in this frame

Frame: http://www.cdn-net.com/s2?t=AXe%2BNjZxJTcHupWp7bxEk5Ft&x=1&sid=024b508b-b9db-4bdf-b781-59267acf78f3&tid=
Frame ID: 6016.4
Requests: 1 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page URL History Show full URLs

http://bit.do/dSCJq HTTP 301
http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/ HTTP 302
http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/login-rp.html?westernUnionOnline&bn=3... Page URL

Detected technologies

LiteSpeed (Web Servers) Expand

Overall confidence: 100%
Detected patterns

headers server /^LiteSpeed$/i

Facebook (Widgets) Expand

Overall confidence: 100%
Detected patterns

script /\/\/connect\.facebook\.net\/[^\/]*\/[a-z]*\.js/i

SiteCatalyst (Analytics) Expand

Overall confidence: 100%
Detected patterns

script /\/s[_-]code.*\.js/i

Page Statistics

45
Requests

7 %
HTTPS

38 %
IPv6

11
Domains

14
Subdomains

13
IPs

4
Countries

401 kB
Transfer

1592 kB
Size

4
Cookies

24 Outgoing links

These are links going to different origins than the main page.

URL: https://www.westernunion.com/us/en/home.html

Search URL Search Domain Scan URL

URL: https://www.westernunion.com/us/en/wu/login-rp.html
Title: Sign Up

Search URL Search Domain Scan URL

URL: https://www.westernunion.com/us/en/wu/registration-login.html
Title: Sign Up

Search URL Search Domain Scan URL

URL: http://corporate.westernunion.com/index.html
Title: About us

Search URL Search Domain Scan URL

URL: https://www.westernunion.com/us/en/customer-care.html
Title: Contact us

Search URL Search Domain Scan URL

URL: http://blog.westernunion.com/
Title: Blog

Search URL Search Domain Scan URL

URL: https://www.westernunion.com/us/en/contactus/cc-faqs.html
Title: Help

Search URL Search Domain Scan URL

URL: https://www.westernunion.com/us/en/fraudawareness/fraud-home.html
Title: Fraud Awareness

Search URL Search Domain Scan URL

URL: http://ir.westernunion.com/investor-relations/default.aspx
Title: Investor relations

Search URL Search Domain Scan URL

URL: http://corporate.westernunion.com/careers.html
Title: Careers

Search URL Search Domain Scan URL

URL: http://foundation.westernunion.com/
Title: Western Union Foundation

Search URL Search Domain Scan URL

URL: http://ir.westernunion.com/News/Press-Releases/default.aspx
Title: News

Search URL Search Domain Scan URL

URL: https://agentportal.westernunion.com/ap/agentregister.do?pid=usFtBecomeAgent
Title: Become an agent

Search URL Search Domain Scan URL

URL: http://payments.westernunion.com/
Title: Payment Solutions

Search URL Search Domain Scan URL

URL: https://www.westernunion.com/us/en/intellectual-property.html
Title: Intellectual property

Search URL Search Domain Scan URL

URL: https://www.westernunion.com/us/en/privacy-statement.html
Title: Online privacy statement

Search URL Search Domain Scan URL

URL: http://ir.westernunion.com/investor-relations/corporate-governance/state-licensing/default.aspx
Title: State licensing

Search URL Search Domain Scan URL

URL: https://www.westernunion.com/us/en/file-complaint.html
Title: File a complaint

Search URL Search Domain Scan URL

URL: https://www.westernunion.com/content/dam/wu/us-spanish/PDF/US-Subpoena.pdf
Title: Law Enforcement Subpoena Information

Search URL Search Domain Scan URL

URL: https://www.westernunion.com/us/en/terms-conditions.html
Title: Terms & Conditions

Search URL Search Domain Scan URL

URL: https://www.westernunion.com/us/en/site-map.html
Title: Site map

Search URL Search Domain Scan URL

URL: https://sealserver.trustkeeper.net/cert.php?customerId=x4izAYufDNOhByusmKtmg3XmHPZqDb&size=105x54&style=normal

Search URL Search Domain Scan URL

URL: http://www.trustlogo.com/ttb_searcher/trustlogo?v_querytype=W&v_shortname=SC5&v_search=http://westernunion.com/Home&x=6&y=5

Search URL Search Domain Scan URL

URL: http://www.bbb.org/denver/business-reviews/money-orders-and-transfers/the-western-union-company-in-englewood-co-1988

Search URL Search Domain Scan URL

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

http://bit.do/dSCJq HTTP 301
http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/ HTTP 302
http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/login-rp.html?westernUnionOnline&bn=3a87f6b7c2088874&burlid=d001a6ea0b9cbe16 Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 27

http://westernunion.demdex.net/event?d_stuff=1&d_dst=1&d_rtbd=json&d_cts=1&d_cb=aam_tnt_cb HTTP 302
http://westernunion.demdex.net/firstevent?d_stuff=1&d_dst=1&d_rtbd=json&d_cts=1&d_cb=aam_tnt_cb

Request Chain 33

http://connect.facebook.net/en_US/fbevents.js HTTP 307
https://connect.facebook.net/en_US/fbevents.js

Request Chain 36

http://connect.facebook.net/signals/config/1131643220187654?v=2.8.0 HTTP 307
https://connect.facebook.net/signals/config/1131643220187654?v=2.8.0

45 HTTP transactions
0 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H/1.1

200
OK

Primary Request login-rp.html Show response
wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/
Redirect Chain

http://bit.do/dSCJq
http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/
http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/login-rp.html?westernUnionOnline&bn=3a87f6b7c2088874&burlid=d001a6ea0b9cbe16

35 KB
10 KB

247ms
123ms

Document
text/html

209.59.134.58
Liquid Web

General

Domain/Path	Expires	Name / Value
wmt.intasa.og.ao/	1970-01-21 02:53:16	Name: _abck Value: hlmn7ij5s3hxfcldzptb_1997
.intasa.og.ao/	1970-01-19 04:59:09	Name: _at_id.westernunion.production.ac6c Value: 1f3ec88127058293.1510077810.2.1510077810.1510077810.0.0.
wmt.intasa.og.ao/	1970-01-18 20:13:33	Name: _cc Value: AXe%2BNjZxJTcHupWp7bxEk5Ft
.intasa.og.ao/	1970-01-18 13:37:33	Name: mbox Value: check#true#1510077870\|session#1510077809136-569853#1510079670\|PC#1510077809136-569853.26_20#1517853810

Source	Level	URL Text
console-api	log	URL: http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/login-rp.html?westernUnionOnline&bn=3a87f6b7c2088874&burlid=d001a6ea0b9cbe16(Line 766) Message: Can not find SessionId
console-api	log	URL: http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/login-rp.html?westernUnionOnline&bn=3a87f6b7c2088874&burlid=d001a6ea0b9cbe16(Line 766) Message: ci,[object Object],run,http://www.cdn-net.com
console-api	log	URL: http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/login-rp.html?westernUnionOnline&bn=3a87f6b7c2088874&burlid=d001a6ea0b9cbe16(Line 794) Message: before defining url
console-api	log	URL: http://wmt.intasa.og.ao/jagsd9827gdo87qga8di2tu8oq7siuags28uqg/login-rp_files/WUAnalyticEventCapture.js(Line 225) Message: DtmStandard method error: Cannot read property 'replace' of undefined

wmt.intasa.og.ao Open in urlscan Pro 209.59.134.58 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page URL History Show full URLs

Detected technologies

Page Statistics

45 Requests

7 %HTTPS

38 %IPv6

11 Domains

14 Subdomains

13 IPs

4 Countries

401 kBTransfer

1592 kBSize

4 Cookies

24 Outgoing links

Page URL History

Redirected requests

45 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

wmt.intasa.og.ao Open in urlscan Pro
209.59.134.58 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

45
Requests

7 %
HTTPS

38 %
IPv6

11
Domains

14
Subdomains

13
IPs

4
Countries

401 kB
Transfer

1592 kB
Size

4
Cookies

45 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!