sxb1plvwcpnl474184.prod.sxb1.secureserver.net
Open in
urlscan Pro
92.205.2.211
Malicious Activity!
Public Scan
Effective URL: http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/kL5ciuWinIXYVj7RO9wC9x1BA4zW30qd7PFgx98ETdx1O2uQylVRDGuOgcyTlO27oiPUUh/8502691.php?...
Submission: On June 18 via manual from DE
Summary
This is the only time sxb1plvwcpnl474184.prod.sxb1.secureserver.net was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: N26 (Banking)Domain & IP information
IP Address | AS Autonomous System | ||
---|---|---|---|
5 9 | 92.205.2.211 92.205.2.211 | 21499 (GODADDY-SXB) (GODADDY-SXB) | |
3 | 2606:4700::68... 2606:4700::6810:135e | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
1 | 2606:4700::68... 2606:4700::6812:bcf | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
8 | 3 |
ASN21499 (GODADDY-SXB, DE)
PTR: ip-92-205-2-211.ip.secureserver.net
sxb1plvwcpnl474184.prod.sxb1.secureserver.net |
Apex Domain Subdomains |
Transfer | |
---|---|---|
9 |
secureserver.net
5 redirects
sxb1plvwcpnl474184.prod.sxb1.secureserver.net |
61 KB |
3 |
cloudflare.com
cdnjs.cloudflare.com |
110 KB |
1 |
bootstrapcdn.com
maxcdn.bootstrapcdn.com |
13 KB |
8 | 3 |
Domain | Requested by | |
---|---|---|
9 | sxb1plvwcpnl474184.prod.sxb1.secureserver.net |
5 redirects
sxb1plvwcpnl474184.prod.sxb1.secureserver.net
|
3 | cdnjs.cloudflare.com |
sxb1plvwcpnl474184.prod.sxb1.secureserver.net
cdnjs.cloudflare.com |
1 | maxcdn.bootstrapcdn.com |
sxb1plvwcpnl474184.prod.sxb1.secureserver.net
|
8 | 3 |
This site contains no links.
Subject Issuer | Validity | Valid | |
---|---|---|---|
sni.cloudflaressl.com Cloudflare Inc ECC CA-3 |
2020-10-21 - 2021-10-20 |
a year | crt.sh |
This page contains 1 frames:
Primary Page:
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/kL5ciuWinIXYVj7RO9wC9x1BA4zW30qd7PFgx98ETdx1O2uQylVRDGuOgcyTlO27oiPUUh/8502691.php?login_ga=https.n27.elogin
Frame ID: 31B68CE3DF85E4136746951838AB5778
Requests: 8 HTTP requests in this frame
Screenshot
Page URL History Show full URLs
-
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app
HTTP 301
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/ HTTP 302
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/index.php?login_ga=NvoO2l5m7M5VRX42B8dSCjNc52EmvrSM175mvBujSDFg... HTTP 302
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/kL5ciuWinIXYVj7RO9wC9x1BA4zW30qd7PFgx98ETdx1O2uQylVRDGuOgcyTlO2... HTTP 301
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/kL5ciuWinIXYVj7RO9wC9x1BA4zW30qd7PFgx98ETdx1O2uQylVRDGuOgcyTlO2... HTTP 302
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/kL5ciuWinIXYVj7RO9wC9x1BA4zW30qd7PFgx98ETdx1O2uQylVRDGuOgcyTlO2... Page URL
Detected technologies
Apache (Web Servers) ExpandDetected patterns
- headers server /(?:Apache(?:$|\/([\d.]+)|[^/-])|(?:^|\b)HTTPD)/i
Font Awesome (Font Scripts) Expand
Detected patterns
- html /<link[^>]* href=[^>]+(?:([\d.]+)\/)?(?:css\/)?font-awesome(?:\.min)?\.css/i
Page Statistics
0 Outgoing links
These are links going to different origins than the main page.
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
-
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app
HTTP 301
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/ HTTP 302
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/index.php?login_ga=NvoO2l5m7M5VRX42B8dSCjNc52EmvrSM175mvBujSDFgjznRDqc1KHSbKcR7958ceThiKiyuALWtNHlZqGfojnu4wF0zz64UvzMbfYun86j6Emin7Ty HTTP 302
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/kL5ciuWinIXYVj7RO9wC9x1BA4zW30qd7PFgx98ETdx1O2uQylVRDGuOgcyTlO27oiPUUh HTTP 301
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/kL5ciuWinIXYVj7RO9wC9x1BA4zW30qd7PFgx98ETdx1O2uQylVRDGuOgcyTlO27oiPUUh/ HTTP 302
http://sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/kL5ciuWinIXYVj7RO9wC9x1BA4zW30qd7PFgx98ETdx1O2uQylVRDGuOgcyTlO27oiPUUh/8502691.php?login_ga=https.n27.elogin Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
Request Chain 3- http://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js HTTP 307
- https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
- http://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js HTTP 307
- https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js
8 HTTP transactions
Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET H/1.1 |
Primary Request
8502691.php
sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/kL5ciuWinIXYVj7RO9wC9x1BA4zW30qd7PFgx98ETdx1O2uQylVRDGuOgcyTlO27oiPUUh/ Redirect Chain
|
48 KB 10 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
GT-America-Standard-Regular.latin.woff2
sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/build/fonts/ |
13 KB 14 KB |
Font
font/woff2 |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
GT-America-Extended-Medium.latin.woff2
sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/build/fonts/ |
21 KB 21 KB |
Font
font/woff2 |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
font-awesome.min.css
cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/ |
30 KB 6 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
bootstrap.min.js
maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/ Redirect Chain
|
48 KB 13 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
jquery.min.js
cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/ Redirect Chain
|
85 KB 27 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
GT-America-Standard-Medium.latin.woff2
sxb1plvwcpnl474184.prod.sxb1.secureserver.net/~serv2/app/n/build/fonts/ |
14 KB 14 KB |
Font
font/woff2 |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H3-29 |
fontawesome-webfont.woff2
cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/fonts/ |
75 KB 76 KB |
Font
application/octet-stream |
||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: N26 (Banking)12 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
object| onbeforexrselect object| ontransitionrun object| ontransitionstart object| ontransitioncancel boolean| originAgentCluster object| trustedTypes boolean| crossOriginIsolated object| bootstrap function| $ function| jQuery function| checkStatus function| checkUserLoggedIN0 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
cdnjs.cloudflare.com
maxcdn.bootstrapcdn.com
sxb1plvwcpnl474184.prod.sxb1.secureserver.net
2606:4700::6810:135e
2606:4700::6812:bcf
92.205.2.211
57b016225d321a77e0a129515f4436a9bcd53cd6ba8dcd32a96b95ec55d7a785
799aeb25cc0373fdee0e1b1db7ad6c2f6a0e058dfadaa3379689f583213190bd
808389c43c0608cce7da4505e477666c0868f18a7dc22e0b92490c1aa8426a52
87083882cc6015984eb0411a99d3981817f5dc5c90ba24f0940420c5548d82de
d792afdac7f7ae5de7c6964950c6c61dc6e3f3813180a59e141c7cb4ac4364dc
e1c2d323b6b5d86a647a34092f9c18b935f807b46f924578865a738f7b518f10
e7ed36ceee5450b4243bbc35188afabdfb4280c7c57597001de0ed167299b01b
fdc5236b3efa02f88b747ff3d49c0a38a738f77d9d26bfa3046d2b284a0f305d