citisecure.co
2a06:98c1:3120::3
Malicious Activity!
Public Scan
Effective URL: https://citisecure.co/SHNHTJMF519CRVYIBD8E3EQHEI/login
Submission: On July 14 via api from GB — Scanned from NL
Summary
TLS certificate: Issued by E1 (a Let's Encrypt intermediate, domain-validated) on July 11th 2022. Valid for: 3 months.
This is the only time citisecure.co was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Citibank (Banking)
Domain & IP information
Requests | IP Address | AS (Autonomous System)
---|---|---
19 | 2a06:98c1:3120::3 | 13335 (CLOUDFLARENET)
1 | 2001:4de0:ac18::1:a:3b | 20446 (STACKPATH-CDN)
1 | 76.76.21.93 | 16509 (AMAZON-02)
1 | 104.92.75.138 | 16625 (AKAMAI-AS)
21 requests across 4 IP addresses.
Expanded entry for 104.92.75.138: ASN16625 (AKAMAI-AS, US); PTR: a104-92-75-138.deploy.static.akamaitechnologies.com; domain: online.citi.com
Requests | Apex Domain | Subdomains | Transfer
---|---|---|---
19 (1 redirect) | citisecure.co | citisecure.co | 420 KB
1 | citi.com | online.citi.com (Cisco Umbrella Rank: 19995) | 106 KB
1 | vercel.app | geoip-lite.vercel.app | 520 B
1 | jquery.com | code.jquery.com (Cisco Umbrella Rank: 695) | 30 KB
21 requests across 4 apex domains.
Requests | Domain | Requested by
---|---|---
19 (1 redirect) | citisecure.co | code.jquery.com, citisecure.co
1 | online.citi.com | citisecure.co
1 | geoip-lite.vercel.app | code.jquery.com
1 | code.jquery.com | citisecure.co
21 requests across 4 domains.
This site contains links to these domains. Also see Links.
Domain
---
online.citi.com
Subject | Issuer | Validity | Valid
---|---|---|---
*.citisecure.co | E1 | 2022-07-11 - 2022-10-09 | 3 months
*.jquery.com | Sectigo RSA Domain Validation Secure Server CA | 2021-07-14 - 2022-08-14 | a year
*.vercel.app | R3 | 2022-07-12 - 2022-10-10 | 3 months
online.citibank.com | DigiCert SHA2 Extended Validation Server CA | 2022-05-03 - 2023-05-16 | a year
E1 and R3 are Let's Encrypt intermediates (domain-validated, 90-day certificates); only the genuine online.citibank.com certificate is extended-validation. The phishing domain's certificate was issued three days before this scan.
This page contains 1 frame:
Primary Page:
https://citisecure.co/SHNHTJMF519CRVYIBD8E3EQHEI/login
Frame ID: 097D98D7C68D43BDF492F9A49F0304C5
Requests: 21 HTTP requests in this frame
Page Title: Sign On
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
- http://citisecure.co/
  HTTP 301
  https://citisecure.co/ (Page URL)
- https://citisecure.co/SHNHTJMF519CRVYIBD8E3EQHEI/login (Page URL)
Detected technologies
jQuery (JavaScript Libraries)
Detected patterns
- jquery[.-]([\d.]*\d)[^/]*\.js
- jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?
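The two patterns above are the rules urlscan lists for its jQuery detection. The following Python is an added example (not urlscan's code and not code from the scanned page) that applies exactly those two regexes to script URLs the way a fingerprinting engine would, returning a version wherever a rule captures one. The two code.jquery.com and citisecure.co URLs are from this scan; the example.test URLs are constructed to show the ?ver= capture and a loose match, and are assumptions, not part of the report.

```python
import re

# The two jQuery rules listed on this page under "Detected patterns", verbatim.
JQUERY_PATTERNS = [
    re.compile(r"jquery[.-]([\d.]*\d)[^/]*\.js"),
    re.compile(r"jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?"),
]


def detect_jquery(script_urls):
    """Map each matching script URL to the captured version (None if a rule
    matched but captured no version). Rules are tried in order; first hit wins."""
    hits = {}
    for url in script_urls:
        for pat in JQUERY_PATTERNS:
            m = pat.search(url)
            if m:
                hits[url] = m.group(1)
                break
    return hits


# Two URLs from this scan plus three constructed ones (example.test is an assumption).
SAMPLE_SCRIPTS = [
    "https://code.jquery.com/jquery-3.6.0.min.js",        # from this scan
    "https://citisecure.co/jquery.min.js",                 # from this scan, no version in the name
    "https://example.test/js/jquery.min.js?ver=3.5.1",     # constructed: WordPress-style ?ver= query
    "https://example.test/js/app.bundle.js",               # constructed: must not match
    "https://cdn.example.test/jquery-plugin/vendor.js",    # constructed: loose match on rule 2 only
]

if __name__ == "__main__":
    for url, version in detect_jquery(SAMPLE_SCRIPTS).items():
        print(f"{url} -> jQuery {version or '(version unknown)'}")
```

Rule 1 is the precise one: it needs a version number in the file name (jquery-3.6.0.min.js gives 3.6.0). Rule 2 is deliberately loose: any .js path with "jquery" anywhere earlier in the URL matches, including a host or directory name, so a hit from rule 2 alone with no version (as for citisecure.co/jquery.min.js, or the vendor.js sample) is weak evidence of the library's presence.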
Page Statistics
1 Outgoing link
These are links going to different origins than the main page.
Link text: "here"
Redirected requests
There were HTTP redirect chains for the following requests:
Request Chain 0: http://citisecure.co/ (HTTP 301) to https://citisecure.co/
21 HTTP transactions
# | Method | Protocol | Resource | Host / Path | Size | x-fer | Type | MIME-Type | Note
---|---|---|---|---|---|---|---|---|---
1 | GET | H2 | / | citisecure.co/ | 777 B | 1 KB | Document | text/html | Redirect Chain
2 | GET | H2 | jquery-3.6.0.min.js | code.jquery.com/ | 87 KB | 30 KB | Script | application/javascript |
3 | GET | H2 | / | geoip-lite.vercel.app/ | 173 B | 520 B | XHR | application/json |
4 | GET | H2 | SHNHTJMF519CRVYIBD8E3EQHEI.html | citisecure.co/ | 80 B | 528 B | XHR | text/html |
5 | GET | H3 | login | citisecure.co/SHNHTJMF519CRVYIBD8E3EQHEI/ | 338 KB | 47 KB | Document | text/html | Primary Request
6 | GET | H3 | styles.3eadecd0fb91b7b52ecc.css | citisecure.co/cbol-pre-login-static-assets/ | 2 MB | 176 KB | Stylesheet | text/css |
7 | GET | H3 | citilogoredesign.png | citisecure.co/CBOL/IA/Angular/assets/ | 2 KB | 2 KB | Image | image/png |
8 | GET | H3 | 050-location2x.svg | citisecure.co/CBOL/IA/Angular/assets/ | 2 KB | 1 KB | Image | image/svg+xml |
9 | GET | H3 | icon_globe_med-grey2x.svg | citisecure.co/CBOL/IA/Angular/assets/ | 3 KB | 2 KB | Image | image/svg+xml |
10 | GET | H3 | IE_warning.png | citisecure.co/CBOL/IA/Angular/assets/ | 9 KB | 10 KB | Image | image/png |
11 | GET | H3 | EqualHousing.png | citisecure.co/CBOL/IA/Angular/assets/ | 2 KB | 2 KB | Image | image/png |
12 | GET | H3 | jquery.min.js | citisecure.co/ | 85 KB | 31 KB | Script | application/javascript |
13 | GET | H2 | LSO_4959.jpg | online.citi.com/nga-lite-signon/ | 106 KB | 106 KB | Image | image/jpeg |
14 | GET | H3 | Interstate-Light.woff | citisecure.co/cbol-pre-login-static-assets/commonui-assets/fonts/interstate/ | 0 | 0 | Font | text/html |
15 | GET | H3 | Interstate-Bold.woff | citisecure.co/cbol-pre-login-static-assets/commonui-assets/fonts/interstate/ | 0 | 0 | Font | text/html |
16 | GET | H3 | client | citisecure.co/ | 17 B | 578 B | XHR | application/json |
17 | GET | H3 | Interstate-Bold.ttf | citisecure.co/cbol-pre-login-static-assets/commonui-assets/fonts/interstate/ | 0 | 0 | Font | text/html |
18 | GET | H3 | Interstate-Light.ttf | citisecure.co/cbol-pre-login-static-assets/commonui-assets/fonts/interstate/ | 0 | 0 | Font | text/html |
19 | GET | H3 | Interstate-Light.woff | citisecure.co/cbol-pre-login-static-assets/cds-assets/fonts/interstate/ | 74 KB | 74 KB | Font | font/woff |
20 | GET | H3 | Interstate-Bold.woff | citisecure.co/cbol-pre-login-static-assets/cds-assets/fonts/interstate/ | 70 KB | 71 KB | Font | font/woff |
21 | GET | H3 | client | citisecure.co/ | 17 B | 579 B | XHR | application/json |
Size is the resource body size and x-fer the bytes actually transferred (compressed, with headers). The four font requests under commonui-assets/ (rows 14, 15, 17, 18) returned 0 bytes with MIME type text/html, so those paths served no font; the same file names under cds-assets/ (rows 19, 20) were served as font/woff. The only request that leaves the phishing domain for the genuine brand is row 13, the sign-on background image hot-linked from online.citi.com.
Verdicts & Comments
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Citibank (Banking)
10 JavaScript Global Variables
These are the "global" variables defined on the window object that are not in urlscan's baseline list. They can help identify client-side frameworks and code.
Type | Name
---|---
object | oncontextlost
object | oncontextrestored
function | structuredClone
object | launchQueue
object | onbeforematch
function | getScreenDetails
function | queryLocalFonts
object | navigation
function | $
function | jQuery
Only $ and jQuery are defined by the page itself (by the jQuery library). The other eight are window properties of the Chromium build that performed the scan which are simply newer than the baseline list, and say nothing about the page.
Cookies are small pieces of information stored in the user's browser. When the user returns to the site, the browser sends the stored cookie values back, which lets the site re-identify that user even from a different location. This is how persistent logins work.
Domain/Path | Expires | Name | Value
---|---|---|---
citisecure.co/ | | csrf-token | IEHQE3E8DBIYVRC915FMJTHNHS
citisecure.co/ | | visitor | 62d00436e61753d433981809
citisecure.co/ | | chave | VI208NAH4DMWT
4 Console Messages
A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.
Source | Level | URL | Text
---|---|---|---
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
citisecure.co
code.jquery.com
geoip-lite.vercel.app
online.citi.com
104.92.75.138
2001:4de0:ac18::1:a:3b
2a06:98c1:3120::3
76.76.21.93
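The facts this report exposes (a brand keyword in a domain the brand does not own, an asset hot-linked from the genuine online.citi.com, a certificate minted three days before the scan, a long generated-looking path segment) are the kind of thing an analyst scripts into triage rather than eyeballs. The following Python is an added example, not urlscan's code, that runs those four checks over a constructed request list modelled on a subset of this scan's transactions. The brand token list, the 14-day certificate-age threshold, the 20-character token heuristic and the 2022 scan year (inferred from the certificate dates) are assumptions.

```python
"""Added example: offline phishing triage over a urlscan-style request list.

Not urlscan's code. Re-implements, from the facts visible in this report, the
checks an analyst would script. Thresholds and the brand token list are assumptions.
"""
from dataclasses import dataclass
from datetime import date
import re
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    url: str
    rtype: str  # urlscan resource type: Document, Script, XHR, Image, Font, ...


# Constructed sample, modelled on a subset of the 21 transactions in this scan.
SAMPLE_REQUESTS = [
    Request("https://citisecure.co/", "Document"),
    Request("https://code.jquery.com/jquery-3.6.0.min.js", "Script"),
    Request("https://geoip-lite.vercel.app/", "XHR"),
    Request("https://citisecure.co/SHNHTJMF519CRVYIBD8E3EQHEI.html", "XHR"),
    Request("https://citisecure.co/SHNHTJMF519CRVYIBD8E3EQHEI/login", "Document"),
    Request("https://citisecure.co/CBOL/IA/Angular/assets/citilogoredesign.png", "Image"),
    Request("https://online.citi.com/nga-lite-signon/LSO_4959.jpg", "Image"),
    Request("https://citisecure.co/client", "XHR"),
]

# Assumption: 20+ upper-case alphanumerics in one path segment looks generated.
TOKEN_SEGMENT = re.compile(r"[A-Z0-9]{20,}")


def apex(host: str) -> str:
    """Naive two-label apex (fine for .co/.com/.app; wrong for co.uk-style suffixes)."""
    return ".".join(host.lower().split(".")[-2:])


def triage(primary_url, requests, brand_apexes, brand_tokens,
           cert_not_before, scan_date, max_cert_age_days=14):
    """Return human-readable findings; an empty list means nothing tripped.
    cert_not_before and scan_date are ISO dates ("2022-07-11"), as in the cert table."""
    findings = []
    host = urlsplit(primary_url).hostname or ""
    page_apex = apex(host)

    if page_apex not in brand_apexes:
        # 1. Brand keyword inside a host the brand does not own.
        for tok in brand_tokens:
            if tok in host:
                findings.append(f"lookalike: '{host}' contains brand token '{tok}' "
                                f"but apex '{page_apex}' is not a brand domain")
        # 2. Resources fetched from the genuine brand: a cloned page hot-linking assets.
        brand_hosts = sorted({urlsplit(r.url).hostname for r in requests
                              if apex(urlsplit(r.url).hostname or "") in brand_apexes})
        for h in brand_hosts:
            findings.append(f"hotlink: page loads resources from genuine brand host '{h}'")

    # 3. Certificate issued shortly before the scan.
    age = (date.fromisoformat(scan_date) - date.fromisoformat(cert_not_before)).days
    if age <= max_cert_age_days:
        findings.append(f"fresh-cert: certificate issued {age} day(s) before scan")

    # 4. Generated-looking path segment on a document URL (assumption: campaign or
    #    per-victim token; the report itself does not say what it is).
    for r in requests:
        if r.rtype == "Document":
            for seg in urlsplit(r.url).path.split("/"):
                if TOKEN_SEGMENT.fullmatch(seg):
                    findings.append(f"token-path: document path contains generated-looking segment '{seg}'")
    return findings


def scan_findings():
    """The sample above with this report's values: cert not-before 2022-07-11, scan 2022-07-14."""
    return triage("https://citisecure.co/SHNHTJMF519CRVYIBD8E3EQHEI/login", SAMPLE_REQUESTS,
                  brand_apexes={"citi.com"}, brand_tokens=("citi",),
                  cert_not_before="2022-07-11", scan_date="2022-07-14")


if __name__ == "__main__":
    for finding in scan_findings():
        print(finding)
```

Run against the genuine sign-on origin (primary URL on online.citi.com, its EV certificate from 2022-05-03) the same function returns nothing, because the lookalike and hot-link checks are skipped for a brand-owned apex and the certificate is months old. The apex() helper is the weak spot for real use: replace it with a public-suffix-list lookup before trusting it on country-code second-level domains.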