urlscan.io logo urlscan.io
SecurityTrails logo

irs.treasury.gov Open in urlscan Pro
2600:141b:b000:291::22f2  Malicious Activity! Public Scan

Go To Rescan Add Verdict Report
Submitted URL: https://outreach.senate.gov/iqextranet/iqClickTrk.aspx?&cid=SenManchin&crop=19707.238390656.19747730.15590367&report_id=&red...
Effective URL: https://irs.treasury.gov/freetaxprep/
Submission: On February 06 via api from US — Scanned from DE
 Behaviour Indicators
Similar DOM Content API
Verdicts

Summary

This website contacted 4 IPs in 2 countries across 3 domains to perform 8 HTTP transactions. The main IP is 2600:141b:b000:291::22f2, located in Newark, United States and belongs to AKAMAI-ASN1, NL. The main domain is irs.treasury.gov. The Cisco Umbrella rank of the primary domain is 936731.
TLS certificate: Issued by GeoTrust RSA CA 2018 on April 6th 2023. Valid for: a year.
This is the only time irs.treasury.gov was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: IRS (Government)

Domain & IP information

IP Address AS Autonomous System
1 1 208.95.153.33 14492 (DATAPIPE)
5 2600:141b:b00... 20940 (AKAMAI-ASN1)
1 2a00:1450:400... 15169 (GOOGLE)
2 2a00:1450:400... 15169 (GOOGLE)
8 4
Apex Domain
Subdomains		 Transfer
5 treasury.gov
irs.treasury.gov — Cisco Umbrella Rank: 936731
17 KB
3 googleapis.com
ajax.googleapis.com — Cisco Umbrella Rank: 369
maps.googleapis.com — Cisco Umbrella Rank: 362
221 KB
1 senate.gov
outreach.senate.gov — Cisco Umbrella Rank: 412200
722 B
8 3
Domain Requested by
5 irs.treasury.gov irs.treasury.gov
2 maps.googleapis.com irs.treasury.gov
maps.googleapis.com
1 ajax.googleapis.com irs.treasury.gov
1 outreach.senate.gov 1 redirects
8 4

This site contains links to these domains. Also see Links.

Domain
www.irs.gov
Subject Issuer Validity Valid
www.treasury.gov
GeoTrust RSA CA 2018		 2023-04-06 -
2024-04-06		 a year crt.sh
upload.video.google.com
GTS CA 1C3		 2024-01-09 -
2024-04-02		 3 months crt.sh

This page contains 1 frames:

Primary Page: https://irs.treasury.gov/freetaxprep/
Frame ID: 2A991C7BBDEF0EE5FDFF86D93EC58706
Requests: 10 HTTP requests in this frame

Screenshot
Live screenshot
Full Image

Page Title

Get Free Tax Prep Help

Page URL History Show full URLs

  1. https://outreach.senate.gov/iqextranet/iqClickTrk.aspx?&cid=SenManchin&crop=19707.238390656.19747730.155... HTTP 302
    https://irs.treasury.gov/freetaxprep/ Page URL

Detected technologies

Overall confidence: 100%
Detected patterns
  • //maps\.google(?:apis)?\.com/maps/api/js
Overall confidence: 100%
Detected patterns
Overall confidence: 100%
Detected patterns
  • /([\d.]+)/jquery(?:\.min)?\.js
  • jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?

Page Statistics

8
Requests

100 %
HTTPS

75 %
IPv6

3
Domains

4
Subdomains

4
IPs

2
Countries

238 kB
Transfer

383 kB
Size

2
Cookies

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

  1. https://outreach.senate.gov/iqextranet/iqClickTrk.aspx?&cid=SenManchin&crop=19707.238390656.19747730.15590367&report_id=&redirect=https%3a%2f%2firs.treasury.gov%2ffreetaxprep%2f&redir_log=508033901077264 HTTP 302
    https://irs.treasury.gov/freetaxprep/ Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

8 HTTP transactions

Resource
Path		 Size
x-fer		 Type
MIME-Type
Primary Request /
irs.treasury.gov/freetaxprep/
Redirect Chain
  • https://outreach.senate.gov/iqextranet/iqClickTrk.aspx?&cid=SenManchin&crop=19707.238390656.19747730.15590367&report_id=&redirect=https%3a%2f%2firs.treasury.gov%2ffreetaxprep%2f&redir_log=508033901...
  • https://irs.treasury.gov/freetaxprep/
7 KB
4 KB 		Document
General
Check archive.org
Download Go to
Full URL
https://irs.treasury.gov/freetaxprep/
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2600:141b:b000:291::22f2 Newark, United States, ASN20940 (AKAMAI-ASN1, NL),
Reverse DNS
Software
/
Resource Hash
bf1cd0e63026be91e27a8c464864f67b3192e82d0b1a3d4854fc330dbb5dfd83
Security Headers
Name Value
Strict-Transport-Security max-age=31536000
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36
accept-language
de-DE,de;q=0.9

Response headers

content-encoding
gzip
content-length
2673
content-type
text/html;charset=ISO-8859-1
date
Tue, 06 Feb 2024 14:04:06 GMT
strict-transport-security
max-age=31536000
vary
Accept-Encoding
x-akamai-transformed
9 2482 0 pmb=mTOE,4
x-content-type-options
nosniff
x-frame-options
SAMEORIGIN
x-xss-protection
1; mode=block

Redirect headers

cache-control
private
content-length
154
content-security-policy
script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://maps.googleapis.com/ https://maps.google.com/ https://www.google.com/ https://www.gstatic.com https://*.youtube.com https://*.google-analytics.com https://www.bing.com/ https://*.virtualearth.net/ https://js.arcgis.com/ https://*.lmhostediq.com/ https://*.lmhostediq.com:5000/ https://*.intranetquorum.com/ https://*.apps.leidos.com:9001 https://scontent.cdninstagram.com/ https://*.us.house.gov https://dap.digitalgov.gov
content-type
text/html; charset=utf-8
date
Tue, 06 Feb 2024 14:04:05 GMT
googlebot
noindex
location
https://irs.treasury.gov/freetaxprep/
robots
noindex
server
Microsoft-IIS/10.0
strict-transport-security
max-age=31536000; includeSubDomains; max-age=31536000
x-aspnet-version
4.0.30319
x-content-type-options
nosniff
x-powered-by
ASP.NET
x-xss-protection
1
vitaCSS.css
irs.treasury.gov/freetaxprep/css/ 		3 KB
799 B 		Stylesheet
General
Check archive.org
Download Go to
Full URL
https://irs.treasury.gov/freetaxprep/css/vitaCSS.css
Requested by
Host: irs.treasury.gov
URL: https://irs.treasury.gov/freetaxprep/
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2600:141b:b000:291::22f2 Newark, United States, ASN20940 (AKAMAI-ASN1, NL),
Reverse DNS
Software
Apache /
Resource Hash
c5936671f7bb383733233582dda955aa139c3a1c338167ecd312ec4e30292d22
Security Headers
Name Value
Strict-Transport-Security max-age=31536000

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://irs.treasury.gov/freetaxprep/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36

Response headers

date
Tue, 06 Feb 2024 14:04:07 GMT
content-encoding
gzip
strict-transport-security
max-age=31536000
last-modified
Thu, 31 Mar 2022 11:50:56 GMT
server
Apache
etag
W/"2987-1648727456000-gzip"
vary
Accept-Encoding
content-type
text/css
accept-ranges
bytes
content-length
638
jquery.js
ajax.googleapis.com/ajax/libs/jquery/1.4.2/ 		160 KB
161 KB 		Script
General
Check archive.org
Download Go to
Full URL
https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.js
Requested by
Host: irs.treasury.gov
URL: https://irs.treasury.gov/freetaxprep/
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:828::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
sffe /
Resource Hash
95c023c80dfe0d30304c58244878995061f87801a66daa5d6bf4f2512be0e6f9
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://irs.treasury.gov/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36

Response headers

date
Tue, 30 Jan 2024 19:09:41 GMT
x-content-type-options
nosniff
age
586466
content-security-policy-report-only
require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/hosted-libraries-pushers
cross-origin-resource-policy
cross-origin
alt-svc
h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
content-length
163855
x-xss-protection
0
last-modified
Tue, 03 Mar 2020 19:15:00 GMT
server
sffe
cross-origin-opener-policy
same-origin; report-to="hosted-libraries-pushers"
vary
Accept-Encoding
report-to
{"group":"hosted-libraries-pushers","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers"}]}
content-type
text/javascript; charset=UTF-8
access-control-allow-origin
*
cache-control
public, max-age=31536000, stale-while-revalidate=2592000
accept-ranges
bytes
timing-allow-origin
*
expires
Wed, 29 Jan 2025 19:09:41 GMT
js
maps.googleapis.com/maps/api/ 		175 KB
60 KB 		Script
General
Check archive.org
Download Go to
Full URL
https://maps.googleapis.com/maps/api/js?client=gme-internalrevenueservice&v=3.17&sensor=false
Requested by
Host: irs.treasury.gov
URL: https://irs.treasury.gov/freetaxprep/
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:80b::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
scaffolding on HTTPServer2 /
Resource Hash
00d10246e31af5f25bb882a75a74306ae4e4f4020c011921e2c21c4145beae36
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://irs.treasury.gov/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36

Response headers

date
Tue, 06 Feb 2024 14:04:07 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
scaffolding on HTTPServer2
vary
Accept-Language, Origin, X-Origin, Referer
x-frame-options
SAMEORIGIN
content-type
text/javascript; charset=UTF-8
cache-control
public, max-age=1800
cross-origin-resource-policy
cross-origin
timing-allow-origin
*
alt-svc
h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
content-length
61219
x-xss-protection
0
4b377eec
irs.treasury.gov/akam/13/ 		26 KB
9 KB 		Script
General
Check archive.org
Download Go to
Full URL
https://irs.treasury.gov/akam/13/4b377eec
Requested by
Host: irs.treasury.gov
URL: https://irs.treasury.gov/freetaxprep/
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2600:141b:b000:291::22f2 Newark, United States, ASN20940 (AKAMAI-ASN1, NL),
Reverse DNS
Software
/
Resource Hash
d99c316cf6d80d54eedbeceb2ab66d71718b718ae1d145defeca3eeecc5701cd
Security Headers
Name Value
Strict-Transport-Security max-age=31536000

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://irs.treasury.gov/freetaxprep/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36

Response headers

date
Tue, 06 Feb 2024 14:04:07 GMT
content-encoding
gzip
strict-transport-security
max-age=31536000
last-modified
Wed, 09 Feb 2022 15:08:05 GMT
etag
"409e8cedfaf90cb377b660ddf94aff49b0f6bcbf99f112cddbaa7186180fed99"
vary
Accept-Encoding
content-type
application/javascript
content-length
8798
logo.png
irs.treasury.gov/freetaxprep/ 		3 KB
3 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://irs.treasury.gov/freetaxprep/logo.png
Requested by
Host: irs.treasury.gov
URL: https://irs.treasury.gov/freetaxprep/
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2600:141b:b000:291::22f2 Newark, United States, ASN20940 (AKAMAI-ASN1, NL),
Reverse DNS
Software
Apache /
Resource Hash
b831fccf6dfafa26d4eb3d51369ed026b733dbfd7850217b15511e1266d96115
Security Headers
Name Value
Strict-Transport-Security max-age=31536000

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://irs.treasury.gov/freetaxprep/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36

Response headers

date
Tue, 06 Feb 2024 14:04:07 GMT
content-encoding
gzip
strict-transport-security
max-age=31536000
last-modified
Thu, 31 Mar 2022 11:50:58 GMT
server
Apache
etag
W/"2716-1648727458000-gzip"
vary
Accept-Encoding
content-type
image/png
accept-ranges
bytes
content-length
2739
gen_204
maps.googleapis.com/maps/api/mapsjs/ 		3 B
45 B 		XHR
General
Check archive.org
Download Go to
Full URL
https://maps.googleapis.com/maps/api/mapsjs/gen_204?csp_test=true
Requested by
Host: maps.googleapis.com
URL: https://maps.googleapis.com/maps/api/js?client=gme-internalrevenueservice&v=3.17&sensor=false
Protocol
H3
Security
QUIC, , AES_128_GCM
Server
2a00:1450:4001:80b::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
scaffolding on HTTPServer2 /
Resource Hash
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://irs.treasury.gov/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36

Response headers

date
Tue, 06 Feb 2024 14:04:07 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
scaffolding on HTTPServer2
vary
Origin, X-Origin, Referer
x-frame-options
SAMEORIGIN
content-type
application/json; charset=UTF-8
access-control-allow-origin
https://irs.treasury.gov
access-control-expose-headers
vary,vary,vary,content-encoding,date,server,content-length
cache-control
private
alt-svc
h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
content-length
23
x-xss-protection
0
truncated
/ 		9 KB
0 		Image
General
Check archive.org
Download Go to Show image
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
d554361630709572f4c9e33d02ca5ae56275756099a62195513017a0421f73c2

Request headers

accept-language
de-DE,de;q=0.9
Referer
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36

Response headers

Content-Type
image/png
truncated
/ 		157 B
0 		Image
General
Check archive.org
Download Go to Show image
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
80d54533f80e8233621f965ae0a7713928bdb4d491ed0eb5e90434550f1894cb

Request headers

accept-language
de-DE,de;q=0.9
Referer
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36

Response headers

Content-Type
image/png
pixel_4b377eec
irs.treasury.gov/akam/13/ 		0
627 B 		XHR
General
Check archive.org
Download Go to
Full URL
https://irs.treasury.gov/akam/13/pixel_4b377eec
Requested by
Host: irs.treasury.gov
URL: https://irs.treasury.gov/akam/13/4b377eec
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2600:141b:b000:291::22f2 Newark, United States, ASN20940 (AKAMAI-ASN1, NL),
Reverse DNS
Software
/
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Security Headers
Name Value
Strict-Transport-Security max-age=31536000

Request headers

Referer
https://irs.treasury.gov/freetaxprep/
accept-language
de-DE,de;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36
Content-Type
application/x-www-form-urlencoded

Response headers

date
Tue, 06 Feb 2024 14:04:08 GMT
strict-transport-security
max-age=31536000
content-length
0
content-type
text/html

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: IRS (Government)

9 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

function| $ function| jQuery object| google object| module$exports$mapsapi$geometry$spherical object| reactiveElementVersions object| module$contents$mapsapi$overlay$overlayView_OverlayView function| searchLocations string| bazadebezolkohpepadr string| urhehlevkedkilrobacf

2 Cookies

Domain/Path Name / Value
outreach.senate.gov/ Name: LMDSI_KSI
Value: xsnllni4japv4mjvqsyrrp5a
.treasury.gov/ Name: ak_bmsc
Value: 88FA5AAC8C0F631E6C93CBAC7C191C28~000000000000000000000000000000~YAAQJ/o7F90HDWGNAQAAVbi7fhYbofEe0f7WTDRGwiNP3ndmAQIHaeOR2R+DZt9Hf4MGmt0+SgDUxo8LpM0OOuKdF+4yQZG/tZlbjosIQBfof2S/Ro9BkVqaHroZ8dP6HMtea5TPpn9jxULrg5nhWQr2GmhFe/ZMWzon48NzDcVsT5yZd/0c/p40DGkUzVha1NJcHteZPXhJL9tGL51J4w/SYK0ouFeuy14Qh+hcSxvfyIaejGoC5BXrNJ6pQTNnIjJXFAI51UQLlQnxETU8Is0rqaGEZOeSPSMxHYYAN0giU1ZzChAjskHttsre/Rodb+/8h9gaRPYHlC8HngeLUSIudtvtUyo1gAkpTp7VHvJFmJ0hJhl5ILRMn1TCbDvos5CzRHJX7dcE5z9IQ4C+qkNUUOpfli0I+K0NI+YnZbEZD4mE1Qee5y37T1SSndTTqP4yZbweTFHC5furNdtxtfz/gHJr3hfOtY4+ExwJNtXG4KQ8kvWOBnEPSQUrUn90/qOHhGwlafy1

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header Value
Strict-Transport-Security max-age=31536000
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block