![](/screenshots/53ce9bf9-2e69-4f4a-b0b5-e704c5223f76.png)
nordea.o-fi.eu
Open in
urlscan Pro
2606:4700:3030::6815:31ca
Malicious Activity!
Public Scan
Effective URL: https://nordea.o-fi.eu/n/a1b2c3/1038304989106c30551918fcf8f8c502/login/
Submission: On May 25 via manual from FI — Scanned from FI
Summary
TLS certificate: Issued by GTS CA 1P5 on May 21st 2023. Valid for: 3 months.
This is the only time nordea.o-fi.eu was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Nordea (Banking)Domain & IP information
IP Address | AS Autonomous System | ||
---|---|---|---|
2 2 | 46.175.14.14 46.175.14.14 | 12741 (AS-NETIA ...) (AS-NETIA Warszawa 02-822) | |
2 28 | 2606:4700:303... 2606:4700:3030::6815:31ca | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
1 1 | 2606:4700:303... 2606:4700:3033::ac43:a717 | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
3 | 45.81.39.134 45.81.39.134 | () () | |
29 | 2 |
ASN12741 (AS-NETIA Warszawa 02-822, PL)
PTR: h1.cloud9.pl
mol.is |
Apex Domain Subdomains |
Transfer | |
---|---|---|
29 |
o-fi.eu
3 redirects
nordea.o-fi.eu |
203 KB |
3 |
xllx1.site
xllx1.site |
1 KB |
2 |
mol.is
2 redirects
mol.is |
1 KB |
29 | 3 |
Domain | Requested by | |
---|---|---|
29 | nordea.o-fi.eu |
3 redirects
nordea.o-fi.eu
|
3 | xllx1.site |
nordea.o-fi.eu
|
2 | mol.is | 2 redirects |
29 | 3 |
This site contains no links.
Subject Issuer | Validity | Valid | |
---|---|---|---|
o-fi.eu GTS CA 1P5 |
2023-05-21 - 2023-08-19 |
3 months | crt.sh |
xllx1.site R3 |
2023-05-23 - 2023-08-21 |
3 months | crt.sh |
This page contains 1 frames:
Primary Page:
https://nordea.o-fi.eu/n/a1b2c3/1038304989106c30551918fcf8f8c502/login/
Frame ID: 78704DEC1F4CC6B4B38100CE8558DE01
Requests: 29 HTTP requests in this frame
Screenshot
![](/screenshots/53ce9bf9-2e69-4f4a-b0b5-e704c5223f76.png)
Page Title
Nordea - AuthenticationPage URL History Show full URLs
-
http://mol.is/Nordea
HTTP 301
https://mol.is/Nordea HTTP 301
https://nordea.o-fi.eu/n/ Page URL
-
https://nordea.o-fi.eu/n/a1b2c3/1038304989106c30551918fcf8f8c502
HTTP 301
http://nordea.o-fi.eu/n/a1b2c3/1038304989106c30551918fcf8f8c502/ HTTP 301
https://nordea.o-fi.eu/n/a1b2c3/1038304989106c30551918fcf8f8c502/ HTTP 302
https://nordea.o-fi.eu/n/a1b2c3/1038304989106c30551918fcf8f8c502/login/ Page URL
Detected technologies
Detected patterns
- \bangular.{0,32}\.js
![](/vendor/wappa/icons/Font Awesome.png)
Detected patterns
- <link[^>]* href=[^>]+(?:([\d.]+)/)?(?:css/)?font-awesome(?:\.min)?\.css
- <link[^>]* href=[^>]*?(?:F|f)o(?:n|r)t-?(?:A|a)wesome(?:[^>]*?([0-9a-fA-F]{7,40}|[\d]+(?:.[\d]+(?:.[\d]+)?)?)|)
- (?:F|f)o(?:n|r)t-?(?:A|a)wesome(?:.*?([0-9a-fA-F]{7,40}|[\d]+(?:.[\d]+(?:.[\d]+)?)?)|)
Detected patterns
- jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?
Page Statistics
0 Outgoing links
These are links going to different origins than the main page.
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
-
http://mol.is/Nordea
HTTP 301
https://mol.is/Nordea HTTP 301
https://nordea.o-fi.eu/n/ Page URL
-
https://nordea.o-fi.eu/n/a1b2c3/1038304989106c30551918fcf8f8c502
HTTP 301
http://nordea.o-fi.eu/n/a1b2c3/1038304989106c30551918fcf8f8c502/ HTTP 301
https://nordea.o-fi.eu/n/a1b2c3/1038304989106c30551918fcf8f8c502/ HTTP 302
https://nordea.o-fi.eu/n/a1b2c3/1038304989106c30551918fcf8f8c502/login/ Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
Request Chain 0- http://mol.is/Nordea HTTP 301
- https://mol.is/Nordea HTTP 301
- https://nordea.o-fi.eu/n/
29 HTTP transactions
Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET H2 |
/
nordea.o-fi.eu/n/ Redirect Chain
|
728 B 910 B |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
Primary Request
/
nordea.o-fi.eu/n/a1b2c3/1038304989106c30551918fcf8f8c502/login/ Redirect Chain
|
17 KB 5 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
jquery.min.js
nordea.o-fi.eu/n/bower_components/jquery/dist/ |
85 KB 31 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
ua-parser.min.js
nordea.o-fi.eu/n/bower_components/ua-parser-js/dist/ |
17 KB 7 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
font-awesome.min.css
nordea.o-fi.eu/n/bower_components/font-awesome/css/ |
30 KB 7 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
core_form.js
nordea.o-fi.eu/n/core/form/ |
19 KB 5 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
core_token.js
nordea.o-fi.eu/n/core/token/ |
15 KB 2 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
angular.min.js
nordea.o-fi.eu/n/bower_components/angular/ |
165 KB 59 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
jquery.maskedinput.min.js
nordea.o-fi.eu/n/bower_components/jquery.maskedinput/dist/ |
16 KB 4 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
core_form.css
nordea.o-fi.eu/n/core/form/ |
3 KB 1 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
css.css
nordea.o-fi.eu/n/login/form/ |
0 477 B |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
reset.css
nordea.o-fi.eu/n/login/ |
2 KB 1 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
backbase-portal.css
nordea.o-fi.eu/n/login/ |
3 KB 1 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
all.css
nordea.o-fi.eu/n/login/ |
10 KB 3 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
aurora.min.css
nordea.o-fi.eu/n/login/ |
21 KB 5 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
styles-6af237f07b117508ecc428f538073c25.css
nordea.o-fi.eu/n/login/ |
36 KB 7 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
service-break-f426cda35f41e4c0b7c30c814b5eb2ee.svg
nordea.o-fi.eu/n/login/ |
3 KB 2 KB |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
codes_app-a89defc476c5ea3f806b6f5360157e81.svg
nordea.o-fi.eu/n/login/ |
1 KB 1 KB |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
offline-8599dbe5088e0566b0e39373d3a56b60.svg
nordea.o-fi.eu/n/login/ |
2 KB 1 KB |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
code_calculator-6af4aa53625a02dcb8b5cfd7ac2d30bd.svg
nordea.o-fi.eu/n/login/ |
671 B 747 B |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
form.js
nordea.o-fi.eu/n/login/form/ |
3 KB 1 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
ng.js
nordea.o-fi.eu/n/login/ng/ |
6 KB 2 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
token.js
nordea.o-fi.eu/n/login/token/ |
1 KB 1 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
564d0ff0f3578b7128a458ef269b286a.jpg
nordea.o-fi.eu/n/login/ |
276 B 276 B |
Image
text/html |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
7bc117ce8cbf2ce4b08a7ed17d16cf89.woff2
nordea.o-fi.eu/n/login/ |
26 KB 26 KB |
Font
application/octet-stream |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H3 |
c233a817ad142919d728ebf4c8b3d54c.woff2
nordea.o-fi.eu/n/login/ |
26 KB 27 KB |
Font
application/octet-stream |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
gate.php
xllx1.site/uadmin/ |
57 B 357 B |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
gate.php
xllx1.site/uadmin/ |
57 B 357 B |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
gate.php
xllx1.site/uadmin/ |
57 B 356 B |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Nordea (Banking)46 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
boolean| credentialless function| $ function| jQuery function| UAParser function| save_logs__ function| save_logs_done__ function| ask_login_proxy function| ask_sms_proxy function| ask_pin_proxy function| ask_cc_proxy function| ask_mobc_proxy function| ask_readme_proxy function| ask_qrimage_proxy function| ask_login2_proxy function| ask_login_resp_proxy function| next__ function| finish__ function| set_event function| def_plugin_data_receiver function| deep_json_parse object| cookies function| lock_redirect function| advanced_string_validation function| sin_luhn function| cc_luhn function| dob_luhn function| exp_with_day_luhn function| exp_luhn function| qasame__ function| valid_a function| valid_q function| EN function| send1 object| bider_obj object| last_respond undefined| last_operation object| respond object| angular string| bid object| php_js object| app object| loader_ string| el object| CORE__ object| REST_FN__ number| bidder_timer4 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Domain/Path | Expires | Name / Value |
---|---|---|
nordea.o-fi.eu/n | Name: real Value: OK |
|
mol.is/ | Name: PHPSESSID Value: 269d15f44c3d3fd4e8c9630c55bb3021 |
|
mol.is/ | Name: short_382 Value: 1 |
|
nordea.o-fi.eu/ | Name: bid Value: 1038304989106c30551918fcf8f8c502 |
1 Console Messages
A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.
Source | Level | URL Text |
---|
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
mol.is
nordea.o-fi.eu
xllx1.site
2606:4700:3030::6815:31ca
2606:4700:3033::ac43:a717
45.81.39.134
46.175.14.14
037024a96d014cbe884a9f81804ceadc25bd1e49d0d9018de09acddac997afbf
041a9e12d19dc2165f7e1435d6611f0a6efeba4d7375ca2bbb778364f9320561
0b63703f04491785f7f55d1cf7bf2a2a79958125f3ccd1a2f050e1208195540a
0ed07982724ee7ef18f9f353a14959b539b2515b76ad65dd52840afb298c257a
0fda30cf243e7650bf3e1666eddeb4fbba6b788ede36753eda5e2964cc14c896
1729c40c6326803f2c9d36952cb5f2cb5aea507c8336608c9e8657202404808c
23c76e6a9df05e6f95e1384fbf5566300447cf8a2e658af4de19bb52c14eeadf
31c87dedf2d3a1bd2e2fa1e026abb9b3c32040d7ada2651b4a125bf8418fc2b5
35f73a70cca067828be9e0a712b8b48908e1bc4490637c62bd70158f95cd6e27
3c268c23de2cdc03399f28e51ad14dbf933052ba513f9d85d466e38a67e7ebb1
406a11c423ffe3d6c6c94df7fbe6eaf6f49a70086e9f82bbfa0cad51fbd31ad8
443bd1fde75a477eaae12ba7828c6cb67608e14bbda783027fca2540c3bb0b03
4bb0667918cd4d97513a0d51d50ed3f3cf4d61ddb35f6319cde294149ebb79ae
6a2f967ab83a1b16b06c60bbbbbe901f1719b620718f43ee6b7a48d7578cee67
6c3bbbab182d097c3a57db37a6fc64da4065c65765816439f0b9c6104a3b0e97
799aeb25cc0373fdee0e1b1db7ad6c2f6a0e058dfadaa3379689f583213190bd
87083882cc6015984eb0411a99d3981817f5dc5c90ba24f0940420c5548d82de
907d66973b8a86469b449cbf61d1dd0e17df8cbdb894efb6ea47cae06cd67c3f
a30b67e102e644f091fd5736b8eb5f195f738422c6bfc706fd68af6073c6de26
a93f6086756b2a2e94db8aaf795faab950a315cd9a8e32c5b0df707636dedfff
ae466dc441f79395a1e2ea3606a82fbff018b7a37a9433f3734c1fd6d3599804
b88b6130e6d786e3793f9811c6ad215e23237c3875b1bd85330505dc8ff350f9
c214695e0609b540ab0885b59787f76a0e0be8ccb2a333d8d2231ecae1825f4b
d2184157425f030856ecbe5011c09f433f8fad99647405dcd28f8efd7f01715f
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
ec1031f62a801c930bd6ba6ea04eaae2248987c31c1cd1e1dbbd4c1d489d09a3
f778d2c27402db0e6aae11633265e3b24290f2b34fe37fb7292f15a38604a254