www.security.20-90-74-227.cprapid.com
Open in
urlscan Pro
20.90.74.227
Malicious Activity!
Public Scan
Submission: On November 21 via manual from NO — Scanned from NO
Summary
TLS certificate: Issued by ZeroSSL RSA Domain Secure Site CA on November 16th 2022. Valid for: 3 months.
This is the only time www.security.20-90-74-227.cprapid.com was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Nordea (Banking)Domain & IP information
IP Address | AS Autonomous System | ||
---|---|---|---|
3 | 20.90.74.227 20.90.74.227 | 8075 (MICROSOFT...) (MICROSOFT-CORP-MSN-AS-BLOCK) | |
2 | 104.22.74.171 104.22.74.171 | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
2 | 51.161.15.92 51.161.15.92 | 16276 (OVH) (OVH) | |
1 | 104.18.36.173 104.18.36.173 | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
7 | 67.202.105.31 67.202.105.31 | 32748 (STEADFAST) (STEADFAST) | |
1 | 67.202.105.32 67.202.105.32 | 32748 (STEADFAST) (STEADFAST) | |
16 | 7 |
ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US)
www.security.20-90-74-227.cprapid.com |
ASN13335 (CLOUDFLARENET, US)
widgets.amung.us | |
whos.amung.us |
ASN16276 (OVH, FR)
PTR: ns570935.ip-51-161-15.net
t.dtscout.com |
ASN32748 (STEADFAST, US)
PTR: ip31.67-202-105.static.steadfastdns.net
ic.tynt.com |
ASN32748 (STEADFAST, US)
PTR: ip32.67-202-105.static.steadfastdns.net
de.tynt.com |
Apex Domain Subdomains |
Transfer | |
---|---|---|
9 |
tynt.com
cdn.tynt.com — Cisco Umbrella Rank: 10119 ic.tynt.com — Cisco Umbrella Rank: 6453 de.tynt.com — Cisco Umbrella Rank: 1451 |
9 KB |
3 |
cprapid.com
www.security.20-90-74-227.cprapid.com |
303 KB |
2 |
dtscout.com
t.dtscout.com — Cisco Umbrella Rank: 14449 |
3 KB |
2 |
amung.us
widgets.amung.us — Cisco Umbrella Rank: 25156 whos.amung.us — Cisco Umbrella Rank: 16679 |
4 KB |
16 | 4 |
Domain | Requested by | |
---|---|---|
7 | ic.tynt.com |
www.security.20-90-74-227.cprapid.com
|
3 | www.security.20-90-74-227.cprapid.com |
www.security.20-90-74-227.cprapid.com
|
2 | t.dtscout.com |
widgets.amung.us
t.dtscout.com |
1 | de.tynt.com |
cdn.tynt.com
|
1 | cdn.tynt.com |
widgets.amung.us
|
1 | whos.amung.us |
widgets.amung.us
|
1 | widgets.amung.us |
www.security.20-90-74-227.cprapid.com
|
16 | 7 |
This site contains links to these domains. Also see Links.
Domain |
---|
www.nemid.nu |
www.medarbejdersignatur.dk |
Subject Issuer | Validity | Valid | |
---|---|---|---|
www.security.20-90-74-227.cprapid.com ZeroSSL RSA Domain Secure Site CA |
2022-11-16 - 2023-02-14 |
3 months | crt.sh |
*.amung.us Sectigo RSA Domain Validation Secure Server CA |
2022-05-18 - 2023-06-17 |
a year | crt.sh |
*.dtscout.com Sectigo RSA Domain Validation Secure Server CA |
2021-10-28 - 2022-11-27 |
a year | crt.sh |
*.tynt.com Sectigo RSA Domain Validation Secure Server CA |
2022-09-07 - 2023-09-30 |
a year | crt.sh |
This page contains 1 frames:
Primary Page:
https://www.security.20-90-74-227.cprapid.com/nordea_no/pin.php
Frame ID: A925AA45FA0D4EEC20D7F393592277B5
Requests: 17 HTTP requests in this frame
2 Outgoing links
These are links going to different origins than the main page.
Title: nemid.nu/adgangskode
Search URL Search Domain Scan URL
Title: medarbejdersignatur.dk/adgangskode
Search URL Search Domain Scan URL
Redirected requests
There were HTTP redirect chains for the following requests:
16 HTTP transactions
Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET H/1.1 |
Primary Request
pin.php
www.security.20-90-74-227.cprapid.com/nordea_no/ |
186 KB 186 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
header.png
www.security.20-90-74-227.cprapid.com/nordea_no/ |
6 KB 6 KB |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
pin2.png
www.security.20-90-74-227.cprapid.com/nordea_no/ |
110 KB 111 KB |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
small.js
widgets.amung.us/ |
8 KB 4 KB |
Script
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
/
t.dtscout.com/i/ |
2 KB 3 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
/
whos.amung.us/pingjs/ |
25 B 126 B |
Script
text/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
tc.js
cdn.tynt.com/ |
17 KB 7 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
439 B 0 |
Image
image/gif |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
/
t.dtscout.com/pv/ |
51 B 319 B |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
p
ic.tynt.com/b/ |
0 227 B |
Image
text/plain |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
v2
de.tynt.com/deb/ |
4 B 260 B |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
p
ic.tynt.com/b/ |
0 227 B |
Image
text/plain |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
p
ic.tynt.com/b/ |
0 227 B |
Image
text/plain |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
p
ic.tynt.com/b/ |
0 227 B |
Image
text/plain |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
p
ic.tynt.com/b/ |
0 227 B |
Image
text/plain |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
p
ic.tynt.com/b/ |
0 227 B |
Image
text/plain |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
p
ic.tynt.com/b/ |
0 227 B |
Image
text/plain |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Nordea (Banking)20 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
object| _wau object| WAU_ren function| WAU_small function| WAU_small_request function| WAU_r_s function| WAU_insert function| WAU_legacy_b function| WAU_la function| WAU_addCommas function| WAU_lrd function| WAU_lrs function| WAU_cps function| docReady object| x string| x1 string| x2 object| Tynt object| _33Across function| __uspapi object| _dtspv4 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Domain/Path | Expires | Name / Value |
---|---|---|
.dtscout.com/ | Name: m Value: 1 |
|
.dtscout.com/ | Name: b Value: 1 |
|
.dtscout.com/ | Name: oa Value: 1 |
|
.dtscout.com/ | Name: df Value: 1669016006 |
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
cdn.tynt.com
de.tynt.com
ic.tynt.com
t.dtscout.com
whos.amung.us
widgets.amung.us
www.security.20-90-74-227.cprapid.com
104.18.36.173
104.22.74.171
20.90.74.227
51.161.15.92
67.202.105.31
67.202.105.32
02f902a7e80376db4243697af221cf3804e90f0b20aff4301277549717ee09f1
2052a227c361a7e99ea70f5bdcf54cd9e6c6b493dd4d20b73b376d94ce0dc0d1
22719b20cf37255859aedb4e793edeb5c62a70ea121cfb1fff313102a31ed3ae
3e9c8e5dcf3cbff9e1b7211551a31fe388f1b8e607fd78a0a34855be65da721c
4d543e0779521eeb35eb9626add4d733d07726d70b6e8ea33fd0309fbbfdd993
937458495c30f567aeafe715f0164bfe061ab17aee4a34aabbf191f69a6d32ae
ad340a01e3d29a0f1af91b6c80e49d436f20759cb07a2a607aebcf2908eb23a6
c495338846e7cb1b0e33b4cf0e38e270cc2fd5981fc8ba1d4646829228851007
d21021784cda31eeae5c8295e047a14bda6ed5a9b5963fca9e7ceb398a9c9179
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
f6d82f567d08ec91a1b6ef0d4abf21be7a2d3dbc0a41c122584ea3536755b3ac