securerobinh0oodverify.com Open in urlscan Pro
2001:df1:7800:2::e064 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

URL:
http://securerobinh0oodverify.com/login/?sessions=97a42595fbf5c568fb80eace5fbb1495&id_session=ea7b0c3afaa86df49e517507a6e42df3c6bc...
Submission: On March 03 via automatic, source openphish (March 3rd 2023, 1:10:20 am UTC) — Scanned from DE

Summary HTTP 3 Redirects Behaviour Indicators

Summary

This website contacted 3 IPs in 2 countries across 2 domains to perform 3 HTTP transactions. The main IP is 2001:df1:7800:2::e064, located in Indonesia and belongs to CRI-AS-AP CV. Rumahweb Indonesia, ID. The main domain is securerobinh0oodverify.com.

This is the only time securerobinh0oodverify.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Robinhood (Financial)

Domain & IP information

	IP Address	AS Autonomous System
2	2001:df1:7800... 2001:df1:7800:2::e064	58487 (CRI-AS-AP...) (CRI-AS-AP CV. Rumahweb Indonesia)
1	143.204.55.113 143.204.55.113	16509 (AMAZON-02) (AMAZON-02)
3	3

2 2001:df1:7800:2::e064 (Indonesia)

ASN58487 (CRI-AS-AP CV. Rumahweb Indonesia, ID)

securerobinh0oodverify.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 143.204.55.113 (United States)

ASN16509 (AMAZON-02, US)
PTR: server-143-204-55-113.osl50.r.cloudfront.net

cdn.robinhood.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
2	securerobinh0oodverify.com securerobinh0oodverify.com	3 MB
1	robinhood.com cdn.robinhood.com — Cisco Umbrella Rank: 17977	379 KB
3	2

	Domain	Requested by
2	securerobinh0oodverify.com	securerobinh0oodverify.com
1	cdn.robinhood.com	securerobinh0oodverify.com
3	2

This site contains no links.

Subject Issuer	Validity	Valid
*.robinhood.com DigiCert TLS RSA SHA256 2020 CA1	`2022-03-29` - `2023-04-25`	a year	crt.sh

This page contains 1 frames:

Primary Page: http://securerobinh0oodverify.com/login/?sessions=97a42595fbf5c568fb80eace5fbb1495&id_session=ea7b0c3afaa86df49e517507a6e42df3c6bc30c4
Frame ID: 060ED9188F9FABF78730F704B331FB8A
Requests: 8 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Log In | Robinhood

Page Statistics

3
Requests

33 %
HTTPS

50 %
IPv6

2
Domains

2
Subdomains

3
IPs

2
Countries

3351 kB
Transfer

3350 kB
Size

0
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Redirected requests

There were HTTP redirect chains for the following requests:

3 HTTP transactions
5 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H/1.1	200 OK	Primary Request / Show response securerobinh0oodverify.com/login/	3 KB 4 KB	1068ms 717ms	Document text/html	2001:df1:7800:2::e064 CRI-AS-AP CV. Rum...
General Check archive.org Show headers Download Go to Full URL http://securerobinh0oodverify.com/login/?sessions=97a42595fbf5c568fb80eace5fbb1495&id_session=ea7b0c3afaa86df49e517507a6e42df3c6bc30c4 Protocol HTTP/1.1 Server 2001:df1:7800:2::e064 , Indonesia, ASN58487 (CRI-AS-AP CV. Rumahweb Indonesia, ID), Reverse DNS Software Apache / Resource Hash `4d48f3e554379b6d395df85361f5dc612be123f135706def265808c0ab02d4b0` Request headers Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.177 Safari/537.36 accept-language de-DE,de;q=0.9 Response headers Connection Upgrade, Keep-Alive Content-Type text/html; charset=UTF-8 Date Fri, 03 Mar 2023 01:10:13 GMT Keep-Alive timeout=5, max=100 Server Apache Transfer-Encoding chunked Upgrade h2,h2c Vary Accept-Encoding
GET H/1.1	200 OK	main.css securerobinh0oodverify.com/css/	3 MB 3 MB	203ms 203ms	Stylesheet text/css	2001:df1:7800:2::e064 CRI-AS-AP CV. Rum...
General Check archive.org Show headers Download Go to Full URL http://securerobinh0oodverify.com/css/main.css Requested by Host: securerobinh0oodverify.com URL: http://securerobinh0oodverify.com/login/?sessions=97a42595fbf5c568fb80eace5fbb1495&id_session=ea7b0c3afaa86df49e517507a6e42df3c6bc30c4 Protocol HTTP/1.1 Server 2001:df1:7800:2::e064 , Indonesia, ASN58487 (CRI-AS-AP CV. Rumahweb Indonesia, ID), Reverse DNS Software Apache / Resource Hash `226fad4850092e9f9788bd067517dfc24f348daaf3c9f8c160a08bedfcfe98f6` Request headers accept-language de-DE,de;q=0.9 Referer http://securerobinh0oodverify.com/login/?sessions=97a42595fbf5c568fb80eace5fbb1495&id_session=ea7b0c3afaa86df49e517507a6e42df3c6bc30c4 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.177 Safari/537.36 Response headers Date Fri, 03 Mar 2023 01:10:14 GMT Last-Modified Fri, 20 Jan 2023 12:29:27 GMT Server Apache Vary Accept-Encoding Content-Type text/css Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=99 Content-Length 2949661
GET H2	200	632fcb3e7ed928b2a960f3e003d10b44.jpg cdn.robinhood.com/assets/generated_assets/	378 KB 379 KB	256ms 45ms	Image image/jpeg	143.204.55.113 AMAZON-02
General Check archive.org Show headers Download Go to Show image Full URL https://cdn.robinhood.com/assets/generated_assets/632fcb3e7ed928b2a960f3e003d10b44.jpg Requested by Host: securerobinh0oodverify.com URL: http://securerobinh0oodverify.com/login/?sessions=97a42595fbf5c568fb80eace5fbb1495&id_session=ea7b0c3afaa86df49e517507a6e42df3c6bc30c4 Protocol H2 Security TLS 1.3, , AES_128_GCM Server 143.204.55.113 , United States, ASN16509 (AMAZON-02, US), Reverse DNS server-143-204-55-113.osl50.r.cloudfront.net Software AmazonS3 / Resource Hash `01373b02ad74b5c99cc5abd66cc1acf1cc4fffc85a51a16212e6f40d0de3f126` Request headers accept-language de-DE,de;q=0.9 Referer http://securerobinh0oodverify.com/ User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.177 Safari/537.36 Response headers date Tue, 28 Feb 2023 06:50:35 GMT x-amz-version-id null via 1.1 80d21802b1b80c40e55ccf83433b8eac.cloudfront.net (CloudFront) last-modified Thu, 02 Dec 2021 23:20:58 GMT server AmazonS3 x-amz-cf-pop OSL50-C1 age 238780 etag "cdfcb3cb965d71cf114d0aeb8f0a50cd" x-amz-server-side-encryption AES256 x-cache Hit from cloudfront content-type image/jpeg cache-control public,max-age=604800,immutable accept-ranges bytes content-length 387068 x-amz-cf-id 8gbPsSH5RQKjMXAphUjPvek3JmfiCg37wGaUucu7DrT58tOu-5HE6g==
GET DATA	200 OK	truncated /	19 KB 19 KB		Font binary/octet-stream
General Check archive.org Show headers Download Go to Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `d6e0f9a85b076741a771ec8574c1278fb65fe34160e73bd8beffa2f927831302` Request headers Referer http://securerobinh0oodverify.com/ Origin http://securerobinh0oodverify.com accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.177 Safari/537.36 Response headers Content-Type binary/octet-stream
GET DATA	200 OK	truncated /	19 KB 19 KB		Font binary/octet-stream
General Check archive.org Show headers Download Go to Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `6573ba5ca76b29d5ffe83d94b27a4a8a09c8d5c8d5f2ca0719aaeef6856042d8` Request headers Referer http://securerobinh0oodverify.com/ Origin http://securerobinh0oodverify.com accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.177 Safari/537.36 Response headers Content-Type binary/octet-stream
GET DATA	200 OK	truncated /	17 KB 17 KB		Font binary/octet-stream
General Check archive.org Show headers Download Go to Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `9f008fbf30ea35ee63d658fb297dd10e4d76b731dbbfb11b5bc16f3f0399e5a8` Request headers Referer http://securerobinh0oodverify.com/ Origin http://securerobinh0oodverify.com accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.177 Safari/537.36 Response headers Content-Type binary/octet-stream
GET DATA	200 OK	truncated /	17 KB 17 KB		Font binary/octet-stream
General Check archive.org Show headers Download Go to Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `c64f5747ba22330e43c7e75d3bbabaf9b11a56c46d7f98c868482d64f09e5cd6` Request headers Referer http://securerobinh0oodverify.com/ Origin http://securerobinh0oodverify.com accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.177 Safari/537.36 Response headers Content-Type binary/octet-stream
GET DATA	200 OK	truncated /	17 KB 17 KB		Font binary/octet-stream
General Check archive.org Show headers Download Go to Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `0f4a23c77efcc39a00f821331bdf4790e3fd934a4b72c6b9e91f5c87787e4651` Request headers Referer http://securerobinh0oodverify.com/ Origin http://securerobinh0oodverify.com accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.177 Safari/537.36 Response headers Content-Type binary/octet-stream

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Robinhood (Financial)

1 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

boolean| credentialless

0 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

cdn.robinhood.com
securerobinh0oodverify.com
143.204.55.113
2001:df1:7800:2::e064
01373b02ad74b5c99cc5abd66cc1acf1cc4fffc85a51a16212e6f40d0de3f126
0f4a23c77efcc39a00f821331bdf4790e3fd934a4b72c6b9e91f5c87787e4651
226fad4850092e9f9788bd067517dfc24f348daaf3c9f8c160a08bedfcfe98f6
4d48f3e554379b6d395df85361f5dc612be123f135706def265808c0ab02d4b0
6573ba5ca76b29d5ffe83d94b27a4a8a09c8d5c8d5f2ca0719aaeef6856042d8
9f008fbf30ea35ee63d658fb297dd10e4d76b731dbbfb11b5bc16f3f0399e5a8
c64f5747ba22330e43c7e75d3bbabaf9b11a56c46d7f98c868482d64f09e5cd6
d6e0f9a85b076741a771ec8574c1278fb65fe34160e73bd8beffa2f927831302

securerobinh0oodverify.com Open in urlscan Pro 2001:df1:7800:2::e064 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page Statistics

3 Requests

33 %HTTPS

50 %IPv6

2 Domains

2 Subdomains

3 IPs

2 Countries

3351 kBTransfer

3350 kBSize

0 Cookies

0 Outgoing links

Redirected requests

3 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 5 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

1 JavaScript Global Variables

0 Cookies

Indicators

securerobinh0oodverify.com Open in urlscan Pro
2001:df1:7800:2::e064 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

3
Requests

33 %
HTTPS

50 %
IPv6

2
Domains

2
Subdomains

3
IPs

2
Countries

3351 kB
Transfer

3350 kB
Size

0
Cookies

3 HTTP transactions
5 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!