![](/screenshots/72e72a30-6329-43d7-9898-3ffb4a42635b.png)
recover-icloud.com
Open in
urlscan Pro
2606:4700:3030::ac43:a565
Malicious Activity!
Public Scan
Effective URL: https://recover-icloud.com/username.php
Submission: On January 29 via api from US — Scanned from US
Summary
TLS certificate: Issued by E1 on January 27th 2024. Valid for: 3 months.
This is the only time recover-icloud.com was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Apple (Online) Generic Cloudflare (Online)Domain & IP information
IP Address | AS Autonomous System | ||
---|---|---|---|
2 6 | 2606:4700:303... 2606:4700:3030::ac43:a565 | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
4 | 2 |
Apex Domain Subdomains |
Transfer | |
---|---|---|
6 |
recover-icloud.com
2 redirects
recover-icloud.com |
85 KB |
4 | 1 |
Domain | Requested by | |
---|---|---|
6 | recover-icloud.com |
2 redirects
recover-icloud.com
|
4 | 1 |
This site contains links to these domains. Also see Links.
Domain |
---|
www.icloud.com |
www.apple.com |
Subject Issuer | Validity | Valid | |
---|---|---|---|
recover-icloud.com E1 |
2024-01-27 - 2024-04-26 |
3 months | crt.sh |
This page contains 2 frames:
Primary Page:
https://recover-icloud.com/username.php
Frame ID: 98B68EFBB78BC38FD14DE8B4C155228A
Requests: 9 HTTP requests in this frame
Frame:
data://truncated
Frame ID: 6A4DF41968582EF8E29118FE8E0DEB6F
Requests: 1 HTTP requests in this frame
Screenshot
![](/screenshots/72e72a30-6329-43d7-9898-3ffb4a42635b.png)
Page Title
iCloudPage URL History Show full URLs
- https://recover-icloud.com/ Page URL
-
https://recover-icloud.com/cdn-cgi/phish-bypass?atok=xlS1Bp3NgYRSii.AXWh.XEgtfolLkOy9qnaKksmdAoo-170649...
HTTP 301
https://recover-icloud.com/ HTTP 302
https://recover-icloud.com/username.php Page URL
Detected technologies
Detected patterns
- \.php(?:$|\?)
Page Statistics
5 Outgoing links
These are links going to different origins than the main page.
Search URL Search Domain Scan URL
Title: Create Apple ID
Search URL Search Domain Scan URL
Title: System Status
Search URL Search Domain Scan URL
Title: Privacy Policy
Search URL Search Domain Scan URL
Title: Terms & Conditions
Search URL Search Domain Scan URL
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
- https://recover-icloud.com/ Page URL
-
https://recover-icloud.com/cdn-cgi/phish-bypass?atok=xlS1Bp3NgYRSii.AXWh.XEgtfolLkOy9qnaKksmdAoo-1706492196-0-%2F
HTTP 301
https://recover-icloud.com/ HTTP 302
https://recover-icloud.com/username.php Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
4 HTTP transactions
Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET H2 |
/
recover-icloud.com/ |
4 KB 2 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
cf.errors.css
recover-icloud.com/cdn-cgi/styles/ |
24 KB 5 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
icon-exclamation.png
recover-icloud.com/cdn-cgi/images/ |
452 B 540 B |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
Primary Request
username.php
recover-icloud.com/ Redirect Chain
|
282 KB 77 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
8 KB 0 |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ Frame 6A4D |
9 KB 9 KB |
Font
application/x-font-woff |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
884 B 0 |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
8 KB 0 |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
9 KB 0 |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
661 B 0 |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Apple (Online) Generic Cloudflare (Online)2 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
object| 0 object| 11 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Domain/Path | Expires | Name / Value |
---|---|---|
.recover-icloud.com/ | Name: __cf_mw_byp Value: xlS1Bp3NgYRSii.AXWh.XEgtfolLkOy9qnaKksmdAoo-1706492196-0-/ |
Security Headers
This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page
Header | Value |
---|---|
X-Frame-Options | SAMEORIGIN |
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
recover-icloud.com
2606:4700:3030::ac43:a565
1103290e25ebda2712abe344a87facbac00ddaba712729be9fe5feef807bf91b
147d15ed329374ff3394977ab23641694f17a3567ec0c0c7838ca6ee59a26176
276618038f0474681826eed2cd12fae281387deaba057cee6dea869ecb8d292f
446c4fde5ecf439bfed24e9704de915bdc7b0d06b4e8a6c5c7eb6493e06f4a37
6de3580fdeace0ff74927b2449e34587dd0b2a03c7711cf0087925e25429efe3
8815436f1605c853987b40bb1fd16cc13999f7e7bd0f830f78c030fcfd9da430
bbc4b480c3830b7df13e065290aafaadd537f36cabc29ec58e2596b4a5af310d
c7037d9b702f2a33c79588eb11c56b0333d283802a5786372c18d58184854017
d7ab9f620f70fdfe006b0adadc3617b26da459fab960fb2c858dc769b9c92bb5
f1591a5221136c49438642155691ae6c68e25b7241f3d7ebe975b09a77662016