Submitted URL: https://bit.ly/3VFZesT?181601
Effective URL: https://l.wl.co/l?u=https://smarturl.it/g9jkyv
Submission Tags: phishing
Submission: On October 21 via api from US — Scanned from DE

Summary

This website contacted 2 IPs in 4 countries across 7 domains to perform 4 HTTP transactions. The main IP is 2a03:2880:f01c:800e:face:b00c:0:2, located in Frankfurt am Main, Germany and belongs to FACEBOOK, US. The main domain is l.wl.co. The Cisco Umbrella rank of the primary domain is 359789.
TLS certificate: Issued by DigiCert SHA2 High Assurance Server CA on July 30th 2022. Valid for: 3 months.
This is the only time l.wl.co was scanned on urlscan.io!

urlscan.io Verdict: No classification

Domain & IP information

IP Address AS Autonomous System
1 1 67.199.248.10 396982 (GOOGLE-CL...)
1 1 104.244.42.69 13414 (TWITTER)
3 2a03:2880:f01... 32934 (FACEBOOK)
1 1 54.183.131.91 16509 (AMAZON-02)
1 1 34.243.9.140 16509 (AMAZON-02)
1 1 148.251.234.93 24940 (HETZNER-AS)
1 176.111.49.48 24703 (UN-UKRAIN...)
4 2
# | Apex Domain | Subdomains | Transfer
3 | wl.co | l.wl.co (Cisco Umbrella Rank: 359789) | 2 KB
1 | hinoki.com.ua | hinoki.com.ua | 145 B
1 | iplis.ru | iplis.ru | 503 B
1 | smarturl.it | smarturl.it (Cisco Umbrella Rank: 181891) | 696 B
1 | ow.ly | ow.ly (Cisco Umbrella Rank: 80455) | 398 B
1 | t.co | t.co (Cisco Umbrella Rank: 483) | 359 B
1 | bit.ly | bit.ly (Cisco Umbrella Rank: 4998) | 227 B
4 7
# | Domain | Requested by
3 | l.wl.co | l.wl.co
1 | hinoki.com.ua | l.wl.co
1 | iplis.ru | 1 redirects
1 | smarturl.it | 1 redirects
1 | ow.ly | 1 redirects
1 | t.co | 1 redirects
1 | bit.ly | 1 redirects
4 7

This site contains no links.

Subject | Issuer | Validity | Valid
*.wl.co | DigiCert SHA2 High Assurance Server CA | 2022-07-30 - 2022-10-28 | 3 months
hinoki.com.ua | R3 | 2022-09-12 - 2022-12-11 | 3 months

This page contains 1 frames:

Frame: https://hinoki.com.ua/php/index.php?login
Frame ID: 5F81D3196F8729CE89257313CAC91B7D
Requests: 4 HTTP requests in this frame


Detected technologies

Overall confidence: 100%
Detected patterns
  • \.php(?:$|\?)

Page Statistics

Requests: 4
HTTPS: 75 %
IPv6: 14 %
Domains: 7
Subdomains: 7
IPs: 2
Countries: 4
Transfer: 2 kB
Size: 1 kB
Cookies: 7

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

  1. https://bit.ly/3VFZesT?181601 HTTP 301
    https://t.co/dAny5QU7hp HTTP 301
    https://l.wl.co/l?u=http://ow.ly/lozt50LfmBC Page URL
  2. http://l.wl.co/l/?u=http%3A%2F%2Fow.ly%2Flozt50LfmBC&e=AT3NstuP6S8lS89Y1Uhjujs9cIjroraMLmi7Q6-dY9zxfRi11lM4SYP0Yg3AlOLLsJ4VDs5CM6fkb7uV1YtUAIEqwCto4KONkP32TBh9N4ty5vZyEajMdIeGloIN5ChW_xq3lDMhj-o Page URL
  3. http://ow.ly/lozt50LfmBC HTTP 301
    https://l.wl.co/l?u=https://smarturl.it/g9jkyv Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 0
  • https://bit.ly/3VFZesT?181601 HTTP 301
  • https://t.co/dAny5QU7hp HTTP 301
  • https://l.wl.co/l?u=http://ow.ly/lozt50LfmBC
Request Chain 2
  • https://smarturl.it/g9jkyv HTTP 301
  • https://iplis.ru/2tBqn4 HTTP 302
  • https://hinoki.com.ua/php/index.php?login

4 HTTP transactions

Resource
Path
Size
x-fer
Type
MIME-Type
l
l.wl.co/
Redirect Chain
  • https://bit.ly/3VFZesT?181601
  • https://t.co/dAny5QU7hp
  • https://l.wl.co/l?u=http://ow.ly/lozt50LfmBC
368 B
889 B
Document
General
Full URL
https://l.wl.co/l?u=http://ow.ly/lozt50LfmBC
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:800e:face:b00c:0:2 Frankfurt am Main, Germany, ASN32934 (FACEBOOK, US),
Reverse DNS
Software
/
Resource Hash
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Upgrade-Insecure-Requests
1
User-Agent
ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)
accept-language
de-DE,de;q=0.9

Response headers

alt-svc
h3=":443"; ma=86400
cache-control
private, no-cache, no-store, must-revalidate
content-encoding
br
content-type
text/html; charset="utf-8"
cross-origin-opener-policy
same-origin-allow-popups
cross-origin-resource-policy
rollout
date
Fri, 21 Oct 2022 14:06:50 GMT
document-policy
force-load-at-top
expires
Sat, 01 Jan 2000 00:00:00 GMT
pragma
no-cache
refresh
1;URL=http://l.wl.co/l/?u=http%3A%2F%2Fow.ly%2Flozt50LfmBC&e=AT3NstuP6S8lS89Y1Uhjujs9cIjroraMLmi7Q6-dY9zxfRi11lM4SYP0Yg3AlOLLsJ4VDs5CM6fkb7uV1YtUAIEqwCto4KONkP32TBh9N4ty5vZyEajMdIeGloIN5ChW_xq3lDMhj-o
vary
Accept-Encoding
x-content-type-options
nosniff
x-fb-debug
KCxZTeDmKucMqF0feT7TFkaBPCV99g5lL1bMxv+FUVd86hWkoqaHw55PrQBZkIneOCUaOKe74BVS/8GQvNWAxQ==
x-frame-options
DENY
x-robots-tag
noindex, nofollow
x-xss-protection
0

Redirect headers

cache-control
private,max-age=300
content-length
0
date
Fri, 21 Oct 2022 14:06:50 GMT
expires
Fri, 21 Oct 2022 14:11:50 GMT
location
https://l.wl.co/l?u=http://ow.ly/lozt50LfmBC
perf
7626143928
server
tsa_o
strict-transport-security
max-age=0
vary
Origin
x-connection-hash
2eb8a80118ef090100448818766045ea0c1a1d31d73a2d82bab06b03921e7b2c
x-response-time
119
x-transaction-id
76f789a51005fa74
/
l.wl.co/l/
177 B
861 B
Document
General
Full URL
http://l.wl.co/l/?u=http%3A%2F%2Fow.ly%2Flozt50LfmBC&e=AT3NstuP6S8lS89Y1Uhjujs9cIjroraMLmi7Q6-dY9zxfRi11lM4SYP0Yg3AlOLLsJ4VDs5CM6fkb7uV1YtUAIEqwCto4KONkP32TBh9N4ty5vZyEajMdIeGloIN5ChW_xq3lDMhj-o
Requested by
Host: l.wl.co
URL: https://l.wl.co/l?u=http://ow.ly/lozt50LfmBC
Protocol
HTTP/1.1
Server
2a03:2880:f01c:800e:face:b00c:0:2 Frankfurt am Main, Germany, ASN32934 (FACEBOOK, US),
Reverse DNS
Software
/
Resource Hash
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Upgrade-Insecure-Requests
1
User-Agent
ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)
accept-language
de-DE,de;q=0.9

Response headers

Alt-Svc
h3=":443"; ma=86400
Cache-Control
private, no-cache, no-store, must-revalidate
Connection
keep-alive
Content-Encoding
gzip
Content-Type
text/html; charset="utf-8"
Date
Fri, 21 Oct 2022 14:06:50 GMT
Expires
Sat, 01 Jan 2000 00:00:00 GMT
Pragma
no-cache
Refresh
1;URL=http://ow.ly/lozt50LfmBC
Transfer-Encoding
chunked
Vary
Accept-Encoding
X-Content-Type-Options
nosniff
X-FB-Debug
8jj+htKhAGXf05vaMqKm5c+QXoLHRp20kaDOdn8rxLTgCfVLOs7z2hCbp3y7VTGUIJ8p/FJN60g7y04gC6HAlw==
X-Frame-Options
DENY
X-XSS-Protection
0
cross-origin-resource-policy
rollout
document-policy
force-load-at-top
x-robots-tag
noindex, nofollow
Primary Request l
l.wl.co/
Redirect Chain
  • http://ow.ly/lozt50LfmBC
  • https://l.wl.co/l?u=https://smarturl.it/g9jkyv
179 B
301 B
Document
General
Full URL
https://l.wl.co/l?u=https://smarturl.it/g9jkyv
Requested by
Host: l.wl.co
URL: http://l.wl.co/l/?u=http%3A%2F%2Fow.ly%2Flozt50LfmBC&e=AT3NstuP6S8lS89Y1Uhjujs9cIjroraMLmi7Q6-dY9zxfRi11lM4SYP0Yg3AlOLLsJ4VDs5CM6fkb7uV1YtUAIEqwCto4KONkP32TBh9N4ty5vZyEajMdIeGloIN5ChW_xq3lDMhj-o
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:800e:face:b00c:0:2 Frankfurt am Main, Germany, ASN32934 (FACEBOOK, US),
Reverse DNS
Software
/
Resource Hash
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Referer
http://l.wl.co/l/?u=http%3A%2F%2Fow.ly%2Flozt50LfmBC&e=AT3NstuP6S8lS89Y1Uhjujs9cIjroraMLmi7Q6-dY9zxfRi11lM4SYP0Yg3AlOLLsJ4VDs5CM6fkb7uV1YtUAIEqwCto4KONkP32TBh9N4ty5vZyEajMdIeGloIN5ChW_xq3lDMhj-o
Upgrade-Insecure-Requests
1
User-Agent
ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)
accept-language
de-DE,de;q=0.9

Response headers

alt-svc
h3=":443"; ma=86400
cache-control
private, no-cache, no-store, must-revalidate
content-encoding
br
content-type
text/html; charset="utf-8"
cross-origin-opener-policy
same-origin-allow-popups
cross-origin-resource-policy
rollout
date
Fri, 21 Oct 2022 14:06:51 GMT
document-policy
force-load-at-top
expires
Sat, 01 Jan 2000 00:00:00 GMT
pragma
no-cache
priority
u=3,i
refresh
1;URL=https://smarturl.it/g9jkyv
vary
Accept-Encoding
x-content-type-options
nosniff
x-fb-debug
II/RHORZhoDELdCWUz1vpA026S2TKXonFC6ABvvU7EXj10nhAEH63JExERgj0T3s2rvA20sK4cYuIAonqkCeCQ==
x-frame-options
DENY
x-robots-tag
noindex, nofollow
x-xss-protection
0

Redirect headers

Connection
close
Content-Length
0
Date
Fri, 21 Oct 2022 14:06:50 GMT
Location
https://l.wl.co/l?u=https://smarturl.it/g9jkyv
Referrer-Policy
origin-when-cross-origin, strict-origin-when-cross-origin
X-Content-Type-Options
nosniff
X-Frame-Options
DENY
X-Permitted-Cross-Domain-Policies
master-only
X-Pool
owly_web
X-XSS-Protection
1; mode=block
index.php
hinoki.com.ua/php/
Redirect Chain
  • https://smarturl.it/g9jkyv
  • https://iplis.ru/2tBqn4
  • https://hinoki.com.ua/php/index.php?login
0
145 B
Document
General
Full URL
https://hinoki.com.ua/php/index.php?login
Requested by
Host: l.wl.co
URL: https://l.wl.co/l?u=https://smarturl.it/g9jkyv
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
176.111.49.48 Kyiv, Ukraine, ASN24703 (UN-UKRAINE-AS Kiev, Ukraine, UA),
Reverse DNS
isp29.s-host.net
Software
nginx/1.20.2 / PHP/7.0.33
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer
https://l.wl.co/l?u=https://smarturl.it/g9jkyv
Upgrade-Insecure-Requests
1
User-Agent
ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)
accept-language
de-DE,de;q=0.9

Response headers

cache-control
max-age=0, private, no-cache, no-store, must-revalidate
content-length
0
content-type
text/html; charset=UTF-8
date
Fri, 21 Oct 2022 14:06:52 GMT
server
nginx/1.20.2
x-powered-by
PHP/7.0.33

Redirect headers

cache-control
no-store, no-cache, must-revalidate
content-security-policy
img-src https: data:; upgrade-insecure-requests
content-type
text/html; charset=UTF-8
date
Fri, 21 Oct 2022 14:06:51 GMT
expires
Fri, 21 Oct 2022 14:06:51 +0000
location
https://hinoki.com.ua/php/index.php?login
server
nginx
strict-transport-security
max-age=604800 max-age=31536000
x-frame-options
SAMEORIGIN

Verdicts & Comments

9 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

  • object: onbeforeinput
  • object: oncontextlost
  • object: oncontextrestored
  • function: structuredClone
  • object: launchQueue
  • object: onbeforematch
  • function: getScreenDetails
  • function: queryLocalFonts
  • object: navigation

7 Cookies

Domain/Path | Name | Value
.bit.ly/ | _bit | m9le6O-7c6fbae3b3fb492f05-00c
.t.co/ | muc | 413de7c6-53b8-4d37-9e8f-d72fe06ac8ca
smarturl.it/ | AWSALB | LJxH3Cqrtt22Vqp94wplcjL59zTibOFI2PQhsh4d3HEaHODLubpiU3iSC5MHUe0mKNIvpZiZsuR7Ufed6a9OwjpXPekvlfl6vcn8EUd+NFTNGWsoOFyKBQIzc2gZ
smarturl.it/ | requester_id | 1583459804650229763
smarturl.it/ | last_click_g9jkyv | 1666361211346
iplis.ru/ | clhf03028ja | 84.19.175.183
iplis.ru/ | 407506801410576311 | 3

1 Console Messages

Source | Level | URL | Text
network | error | https://hinoki.com.ua/php/index.php?login | Failed to load resource: the server responded with a status of 403 ()

Security Headers

This page lists any security headers set by the main page.

Header Value
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
