104.196.200.37
Open in
urlscan Pro
104.196.200.37
Malicious Activity!
Public Scan
Submission Tags: phishing malicious Search All
Submission: On November 17 via api from US
Summary
TLS certificate: Issued by COMODO RSA Domain Validation Secure S... on December 4th 2018. Valid for: 2 years.
This is the only time 104.196.200.37 was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: PayPal (Financial)Domain & IP information
IP Address | AS Autonomous System | ||
---|---|---|---|
2 | 104.196.200.37 104.196.200.37 | 15169 (GOOGLE) (GOOGLE - Google LLC) | |
13 | 2.21.38.79 2.21.38.79 | 20940 (AKAMAI-ASN1) (AKAMAI-ASN1) | |
1 2 | 64.4.245.84 64.4.245.84 | 17012 (PAYPAL) (PAYPAL - PayPal) | |
16 | 3 |
ASN15169 (GOOGLE - Google LLC, US)
PTR: 37.200.196.104.bc.googleusercontent.com
104.196.200.37 |
ASN20940 (AKAMAI-ASN1, US)
PTR: a2-21-38-79.deploy.static.akamaitechnologies.com
www.paypalobjects.com | |
c.paypal.com | |
t.paypal.com |
ASN17012 (PAYPAL - PayPal, Inc., US)
b.stats.paypal.com | |
dub.stats.paypal.com |
Apex Domain Subdomains |
Transfer | |
---|---|---|
9 |
paypalobjects.com
www.paypalobjects.com |
895 KB |
6 |
paypal.com
1 redirects
c.paypal.com b.stats.paypal.com dub.stats.paypal.com t.paypal.com |
19 KB |
16 | 2 |
Domain | Requested by | |
---|---|---|
9 | www.paypalobjects.com |
104.196.200.37
|
2 | t.paypal.com |
104.196.200.37
|
2 | c.paypal.com |
104.196.200.37
c.paypal.com |
1 | dub.stats.paypal.com |
104.196.200.37
|
1 | b.stats.paypal.com | 1 redirects |
16 | 5 |
This site contains links to these domains. Also see Links.
Domain |
---|
www.paypal.com |
Subject Issuer | Validity | Valid | |
---|---|---|---|
*.locustworld.com COMODO RSA Domain Validation Secure Server CA |
2018-12-04 - 2021-03-03 |
2 years | crt.sh |
www.paypal.com DigiCert SHA2 Extended Validation Server CA |
2019-09-10 - 2020-08-18 |
a year | crt.sh |
b.stats.paypal.com DigiCert SHA2 High Assurance Server CA |
2018-02-16 - 2020-04-29 |
2 years | crt.sh |
This page contains 3 frames:
Primary Page:
https://104.196.200.37/authflow/password-recovery/?country.x=hf
Frame ID: BDD3111F6AC3A319CD8B2CAFB9D7E95A
Requests: 14 HTTP requests in this frame
Frame:
https://c.paypal.com/v1/r/d/i?js_src=https://c.paypal.com/da/r/fb.js
Frame ID: 5E846977E9B8D97ACA093A26B1CDD3DA
Requests: 1 HTTP requests in this frame
Frame:
https://dub.stats.paypal.com/counter2.cgi
Frame ID: 3610536F1D6F52DD7FA62BC4082BA4AA
Requests: 1 HTTP requests in this frame
1 Outgoing links
These are links going to different origins than the main page.
Title: Return to PayPal login
Search URL Search Domain Scan URL
Redirected requests
There were HTTP redirect chains for the following requests:
Request Chain 12- https://b.stats.paypal.com/v2/counter.cgi?p=a9db678ac5ad4671bf2bea6112c0023c&s=ANW HTTP 302
- https://dub.stats.paypal.com/counter2.cgi
16 HTTP transactions
Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET H/1.1 |
Primary Request
Cookie set
/
104.196.200.37/authflow/password-recovery/ |
31 KB 12 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
app.css
www.paypalobjects.com/web/res/cb4/58130bd565c9e56559d7b6aedcbd5/css/ |
130 KB 19 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
app.js
www.paypalobjects.com/web/res/cb4/58130bd565c9e56559d7b6aedcbd5/js/ |
3 MB 712 KB |
Script
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
pa.js
www.paypalobjects.com/pa/js/ |
43 KB 16 KB |
Script
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
bs.js
www.paypalobjects.com/tagmgmt/ |
19 B 295 B |
Script
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
fb.js
c.paypal.com/da/r/ |
51 KB 17 KB |
Script
application/x-javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
recaptchav3.js
104.196.200.37/auth/createchallenge/bd3921297028b730/ |
10 KB 13 KB |
Script
text/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
monogram@2x.png
www.paypalobjects.com/images/shared/ |
2 KB 2 KB |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
PayPalSansSmall-Regular.woff
www.paypalobjects.com/webstatic/mktg/2014design/font/PP-Sans/ |
46 KB 47 KB |
Font
application/x-font-woff |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
animation-oval.png
www.paypalobjects.com/images/shared/ |
5 KB 5 KB |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
PayPalSansBig-Light.woff
www.paypalobjects.com/webstatic/mktg/2014design/font/PP-Sans/ |
48 KB 48 KB |
Font
application/x-font-woff |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
PayPalSansSmall-Light.woff
www.paypalobjects.com/webstatic/mktg/2014design/font/PP-Sans/ |
46 KB 46 KB |
Font
application/x-font-woff |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
i
c.paypal.com/v1/r/d/ Frame 5E84 |
0 0 |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H/1.1 |
counter2.cgi
dub.stats.paypal.com/ Frame 3610 Redirect Chain
|
42 B 494 B |
Image
image/jpeg |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
ts
t.paypal.com/ |
42 B 564 B |
Image
image/gif |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
ts
t.paypal.com/ |
42 B 564 B |
Image
image/gif |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: PayPal (Financial)21 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
object| onformdata object| onpointerrawupdate object| core object| __core-js_shared__ object| global object| System function| asap function| Observable function| setImmediate function| clearImmediate object| regeneratorRuntime boolean| _babelPolyfill object| IntlPolyfill object| PDFJS object| PAYPAL object| fpti string| fptiserverurl object| dataLayer object| _ifpti object| _0xf5c4 function| _0x170e6 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Domain/Path | Expires | Name / Value |
---|---|---|
.paypal.com/ | Name: ts_c Value: vr%3D78b36f4216e0a123ef3313edffffffff%26vt%3D78b36f4216e0a123ef3313edfffffffe |
|
.paypal.com/ | Name: ts Value: vreXpYrS%3D1668677455%26vteXpYrS%3D1573984855%26vr%3D78b36f4216e0a123ef3313edffffffff%26vt%3D78b36f4216e0a123ef3313edfffffffe |
|
.c.paypal.com/ | Name: sc_f Value: HVtVtXjG9_TR-YblxaL12LtBs5FXtJuLzLkHwOqtOuQ1Q_ifUGLqWCwNmTlhlTA5BW4uwUxKyg6yFpmfVc-tDQTcRZMBDHtMGOwkyW |
|
.paypal.com/ | Name: KHcl0EuY7AKSMgfvHl7J5E7hPtK Value: Nv1epJTipkKh1trlMKA447WdLTw_xR0SbXfKkjcGmD7KymfFjyT4SGBBmm4_3tMbLpvjByIKlRD9_ctW |
|
104.196.200.37/ | Name: AKDC Value: slc-b-origin-www-1.paypal.com |
|
104.196.200.37/ | Name: nsid Value: s%3AZf4je6gVmfqTG2Wc_4pqMfnQt2HGRfvy.HlgZKkEfKW%2F6r4gkbTZeAti3MC9Z7YyROK%2BzUVqFSvo |
Security Headers
This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page
Header | Value |
---|---|
Content-Security-Policy | default-src 'self' https://*.paypal.com https://*.paypalobjects.com; script-src 'nonce-+Ik8DuGM01AYzFC3jiVxNaEpjr4CNKGmsTT7jYJsPXz7AUDj' 'self' 'unsafe-inline' 'unsafe-eval' https://*.paypal.com https://*.paypalobjects.com; img-src 'self' data: https:; object-src 'none'; media-src data: blob: 'self' https://*.paypal.com https://*.paypalobjects.com; font-src 'self' https://*.paypal.com https://*.paypalobjects.com; style-src 'self' 'unsafe-inline' https://*.paypal.com https://*.paypalobjects.com; frame-src 'self' https://*.paypal.com https://*.paypalobjects.com; child-src 'self' https://*.paypal.com https://*.paypalobjects.com; connect-src 'self' https://*.paypal.com https://*.paypalobjects.com https://nexus.ensighten.com https://*.google-analytics.com; form-action 'self' https://*.paypal.com; base-uri 'self' https://*.paypal.com; block-all-mixed-content; report-uri https://www.paypal.com/csplog/api/log/csp |
Strict-Transport-Security | max-age=63072000 |
X-Content-Type-Options | nosniff |
X-Frame-Options | SAMEORIGIN |
X-Xss-Protection | 1; mode=block |
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
b.stats.paypal.com
c.paypal.com
dub.stats.paypal.com
t.paypal.com
www.paypalobjects.com
104.196.200.37
2.21.38.79
64.4.245.84
26da596ff4259db1eac785035606dade88081ffa9dafd062cb2724de6033f4b3
2a2cacf1f67863eedabdf29f70e2ad64391a1a1cb005f722fea3fe5e3c47230d
2fba0d991b3872bad8a128c4816bc547e53cbc1ba9838d5c107df16a0c9a0111
47043e4823a6c21a8881de789b4185355330b5804629d23f6b43dd93f5265292
57cec4db574a95968187bcade12c9c9d98c28f3b2a41f751fe03a54597002e8e
6d8ba81d1b60a18707722a1f2b62dad48a6acced95a1933f49a68b5016620b93
6dbc07845a99a250f0a65bae59a6364dd2915ab8b516c19fbecffad20099c7b5
79dc5d32ab06d909d8565847ff4857fac1101096b8793e7d9065c4fb49033251
803b2a9f6bad0794919c893aff445bcca329b3eb5183aa0e482b7b602655e081
843e67ad522a908162007f4b7601819a5bbfef00e38ac7aec778766da8b7b2ab
ae79dcc3eb016922caa1d095cfd936446bc65a46bb3364b242dfc556f7e3c6a8
be5c4f71eea822cbdcaefcf92963ab573e903f75a60b8bc0793e4eec935a1187
c599c554590d1a336ffcb9627f6caaac34b6228f60e15f5f25454bff38facb7e
fd7b4a21981e9d86de41dba75185c948797d7c4f10944f8a202bee6fe8f03b7b