www.thefollowspot.cyou Open in urlscan Pro
91.212.150.201 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

URL:
http://www.thefollowspot.cyou/c.html
Submission: On December 22 via automatic, source openphish (December 22nd 2020, 1:23:49 pm UTC)

Summary HTTP 9 Redirects Behaviour Indicators

Summary

This website contacted 3 IPs in 2 countries across 2 domains to perform 9 HTTP transactions. The main IP is 91.212.150.201, located in Russian Federation and belongs to NFORCE, NL. The main domain is www.thefollowspot.cyou.

This is the only time www.thefollowspot.cyou was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: First BanCorp (Banking)

Domain & IP information

	IP Address	AS Autonomous System
3	91.212.150.201 91.212.150.201	43350 (NFORCE) (NFORCE)
1	24.139.99.67 24.139.99.67	14638 (LCPRL) (LCPRL)
9	3

3 91.212.150.201 (Russian Federation)

ASN43350 (NFORCE, NL)

www.thefollowspot.cyou	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 24.139.99.67 (Dorado, Puerto Rico)

ASN14638 (LCPRL, US)

digitalbanking.1firstbank.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
3	thefollowspot.cyou www.thefollowspot.cyou	1 MB
1	1firstbank.com digitalbanking.1firstbank.com	4 KB
9	2

	Domain	Requested by
3	www.thefollowspot.cyou	www.thefollowspot.cyou
1	digitalbanking.1firstbank.com	www.thefollowspot.cyou
9	2

This site contains no links.

Subject Issuer	Validity	Valid
digitalbanking.1firstbank.com Network Solutions OV Server CA 2	`2020-04-13` - `2021-06-26`	a year	crt.sh

This page contains 1 frames:

Primary Page: http://www.thefollowspot.cyou/c.html
Frame ID: FFC841F21B06DAA4A16AD61B1E7DB712
Requests: 11 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Detected technologies

Apache (Web Servers) Expand

Overall confidence: 100%
Detected patterns

headers server /(?:Apache(?:$|\/([\d.]+)|[^/-])|(?:^|\b)HTTPD)/i

Page Statistics

9
Requests

11 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

3
IPs

2
Countries

1057 kB
Transfer

1177 kB
Size

0
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Redirected requests

There were HTTP redirect chains for the following requests:

9 HTTP transactions
2 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H/1.1	200 OK	Primary Request c.html Show response www.thefollowspot.cyou/	974 KB 974 KB	72ms 20ms	Document text/html	91.212.150.201 NFORCE
General Check archive.org Show headers Download Go to Full URL http://www.thefollowspot.cyou/c.html Protocol HTTP/1.1 Server 91.212.150.201 , Russian Federation, ASN43350 (NFORCE, NL), Reverse DNS Software Apache / Resource Hash `20bb70cf7333b56663eb5100e60bda1b5df09d6fe5f4d5570378ea1c32341c7a` Request headers Host www.thefollowspot.cyou Connection keep-alive Pragma no-cache Cache-Control no-cache Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding gzip, deflate Accept-Language en-US Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers Date Tue, 22 Dec 2020 13:20:37 GMT Server Apache Last-Modified Sun, 09 Feb 2020 10:35:10 GMT Accept-Ranges bytes Content-Length 997468 Keep-Alive timeout=5, max=100 Connection Keep-Alive Content-Type text/html
GET H/1.1	200 OK	index.css www.thefollowspot.cyou/files/	77 KB 77 KB	34ms 20ms	Stylesheet text/css	91.212.150.201 NFORCE
General Check archive.org Show headers Download Go to Full URL http://www.thefollowspot.cyou/files/index.css Requested by Host: www.thefollowspot.cyou URL: http://www.thefollowspot.cyou/c.html Protocol HTTP/1.1 Server 91.212.150.201 , Russian Federation, ASN43350 (NFORCE, NL), Reverse DNS Software Apache / Resource Hash `ff4dc3a2e11c43149fa86a09ad8d277d376cec3fbfe09238b27d6c7024c1b963` Request headers Referer http://www.thefollowspot.cyou/c.html User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers Date Tue, 22 Dec 2020 13:20:37 GMT Last-Modified Fri, 07 Feb 2020 08:29:56 GMT Server Apache Content-Type text/css Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=100 Content-Length 78591
GET H/1.1	200 OK	001.png www.thefollowspot.cyou/files/	823 B 1 KB	17ms 17ms	Image image/png	91.212.150.201 NFORCE
General Check archive.org Show headers Download Go to Show image Full URL http://www.thefollowspot.cyou/files/001.png Requested by Host: www.thefollowspot.cyou URL: http://www.thefollowspot.cyou/c.html Protocol HTTP/1.1 Server 91.212.150.201 , Russian Federation, ASN43350 (NFORCE, NL), Reverse DNS Software Apache / Resource Hash `443d47d763d3a764fd983f40ca73b15ac84591adbfde9e69e99555db39d271bd` Request headers Referer http://www.thefollowspot.cyou/c.html User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers Date Tue, 22 Dec 2020 13:20:37 GMT Last-Modified Fri, 07 Feb 2020 08:29:54 GMT Server Apache Content-Type image/png Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=99 Content-Length 823
GET H/1.1	200 OK	logo_positivo_login.png digitalbanking.1firstbank.com/Resources/images/	4 KB 4 KB	831ms 175ms	Image image/png	24.139.99.67 LCPRL
General Check archive.org Show headers Download Go to Show image Full URL https://digitalbanking.1firstbank.com/Resources/images/logo_positivo_login.png Requested by Host: www.thefollowspot.cyou URL: http://www.thefollowspot.cyou/c.html Protocol HTTP/1.1 Security TLS 1.3, , AES_256_GCM Server 24.139.99.67 Dorado, Puerto Rico, ASN14638 (LCPRL, US), Reverse DNS Software Microsoft-IIS/8.5 / ASP.NET Resource Hash `603c1e2294dbcbe88ddc591d9821a240265908ca32e76ec55166afee2a6a33eb` Request headers Referer http://www.thefollowspot.cyou/c.html User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers Date Tue, 22 Dec 2020 13:23:32 GMT Last-Modified Mon, 05 Nov 2018 04:24:58 GMT Server Microsoft-IIS/8.5 X-Powered-By ASP.NET ETag "0c9a482bf74d41:0" Content-Type image/png Accept-Ranges bytes Content-Length 4310
GET		din-regular-webfont.woff2 digitalbanking.1firstbank.com/Resources/Fonts/	0 0

GET		streamline.woff digitalbanking.1firstbank.com/Resources/Fonts/	0 0

GET DATA	200 OK	truncated /	62 KB 0		Image image/jpeg
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `a32545b8519522f29580e17eeceb80a416e6664b0149d28dc7916183846a5ed5` Request headers Referer http://www.thefollowspot.cyou/c.html User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers Content-Type image/jpeg
GET DATA	200 OK	truncated /	60 KB 0		Image image/jpeg
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `0272a171a6759e8079ce7bb601ab102d5cd74d66e6a59d11c933556ef3873c93` Request headers Referer http://www.thefollowspot.cyou/c.html User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers Content-Type image/jpeg
GET		din-regular.ttf digitalbanking.1firstbank.com/Resources/Fonts/	0 0

GET		streamline.ttf digitalbanking.1firstbank.com/Resources/Fonts/	0 0

GET		din-regular.woff digitalbanking.1firstbank.com/Resources/Fonts/	0 0

Failed requests

These URLs were requested, but there was no response received. You will also see them in the list above.

Domain: digitalbanking.1firstbank.com
URL: https://digitalbanking.1firstbank.com/Resources/Fonts/din-regular-webfont.woff2

Domain: digitalbanking.1firstbank.com
URL: https://digitalbanking.1firstbank.com/Resources/Fonts/streamline.woff?19c5cw

Domain: digitalbanking.1firstbank.com
URL: https://digitalbanking.1firstbank.com/Resources/Fonts/din-regular.ttf

Domain: digitalbanking.1firstbank.com
URL: https://digitalbanking.1firstbank.com/Resources/Fonts/streamline.ttf?19c5cw

Domain: digitalbanking.1firstbank.com
URL: https://digitalbanking.1firstbank.com/Resources/Fonts/din-regular.woff

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: First BanCorp (Banking)

5 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

0 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

digitalbanking.1firstbank.com
www.thefollowspot.cyou
digitalbanking.1firstbank.com
24.139.99.67
91.212.150.201
0272a171a6759e8079ce7bb601ab102d5cd74d66e6a59d11c933556ef3873c93
20bb70cf7333b56663eb5100e60bda1b5df09d6fe5f4d5570378ea1c32341c7a
443d47d763d3a764fd983f40ca73b15ac84591adbfde9e69e99555db39d271bd
603c1e2294dbcbe88ddc591d9821a240265908ca32e76ec55166afee2a6a33eb
a32545b8519522f29580e17eeceb80a416e6664b0149d28dc7916183846a5ed5
ff4dc3a2e11c43149fa86a09ad8d277d376cec3fbfe09238b27d6c7024c1b963

www.thefollowspot.cyou Open in urlscan Pro 91.212.150.201 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Detected technologies

Page Statistics

9 Requests

11 %HTTPS

0 %IPv6

2 Domains

2 Subdomains

3 IPs

2 Countries

1057 kBTransfer

1177 kBSize

0 Cookies

0 Outgoing links

Redirected requests

9 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 2 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Failed requests

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

5 JavaScript Global Variables

0 Cookies

Indicators

www.thefollowspot.cyou Open in urlscan Pro
91.212.150.201 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

9
Requests

11 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

3
IPs

2
Countries

1057 kB
Transfer

1177 kB
Size

0
Cookies

9 HTTP transactions
2 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!