safelyppe.com - urlscan.io

Summary

This website contacted 3 IPs in 2 countries across 2 domains to perform 2 HTTP transactions. The main IP is 184.154.139.171, located in Chicago, United States and belongs to SINGLEHOP-LLC, US. The main domain is safelyppe.com.
TLS certificate: Issued by cPanel, Inc. Certification Authority on September 8th 2020. Valid for: 3 months.

This is the only time safelyppe.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Unicaja Banco (Banking)

Domain & IP information

	IP Address	AS Autonomous System
1 2	91.103.219.222 91.103.219.222	198047 (UKWEB-EQX) (UKWEB-EQX)
1	184.154.139.171 184.154.139.171	32475 (SINGLEHOP...) (SINGLEHOP-LLC)
2	3

2 91.103.219.222 (United Kingdom) 1 redirects

ASN198047 (UKWEB-EQX, GB)
PTR: curiosity.servers.prgn.misp.co.uk

southwirral.wirral.sch.uk	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 184.154.139.171 (Chicago, United States)

ASN32475 (SINGLEHOP-LLC, US)
PTR: ds1247.tmddedicated.com

safelyppe.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
2	southwirral.wirral.sch.uk 1 redirects southwirral.wirral.sch.uk	319 B
1	safelyppe.com safelyppe.com	54 KB
2	2

	Domain	Requested by
2	southwirral.wirral.sch.uk	1 redirects
1	safelyppe.com
2	2

This site contains no links.

Subject Issuer	Validity	Valid
southwirral.wirral.sch.uk Let's Encrypt Authority X3	`2020-10-21` - `2021-01-19`	3 months	crt.sh
safelyppe.com cPanel, Inc. Certification Authority	`2020-09-08` - `2020-12-07`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://safelyppe.com/liberbank/action/
Frame ID: D0EEB0FC28D898B4FD62539872319793
Requests: 7 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page URL History Show full URLs

https://southwirral.wirral.sch.uk/liber_bank HTTP 301
https://southwirral.wirral.sch.uk/liber_bank/ Page URL
https://safelyppe.com/liberbank/action/ Page URL

Detected technologies

Apache (Web Servers) Expand

Overall confidence: 100%
Detected patterns

headers server /(?:Apache(?:$|\/([\d.]+)|[^/-])|(?:^|\b)HTTPD)/i

Page Statistics

2
Requests

100 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

3
IPs

2
Countries

55 kB
Transfer

159 kB
Size

0
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://southwirral.wirral.sch.uk/liber_bank HTTP 301
https://southwirral.wirral.sch.uk/liber_bank/ Page URL
https://safelyppe.com/liberbank/action/ Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 0

https://southwirral.wirral.sch.uk/liber_bank HTTP 301
https://southwirral.wirral.sch.uk/liber_bank/

2 HTTP transactions
5 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H2	200	/ Show response southwirral.wirral.sch.uk/liber_bank/ Redirect Chain https://southwirral.wirral.sch.uk/liber_bank https://southwirral.wirral.sch.uk/liber_bank/	85 B 207 B	55ms 54ms	Document text/html	91.103.219.222 UKWEB-EQX
General Check archive.org Show headers Download Go to Full URL https://southwirral.wirral.sch.uk/liber_bank/ Protocol H2 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 91.103.219.222 , United Kingdom, ASN198047 (UKWEB-EQX, GB), Reverse DNS curiosity.servers.prgn.misp.co.uk Software Apache / Resource Hash `442482756e1400939fbbe8e0d71b8075e18e2e8463aab13a0e13c034f628954d` Request headers :method GET :authority southwirral.wirral.sch.uk :scheme https :path /liber_bank/ pragma no-cache cache-control no-cache upgrade-insecure-requests 1 user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 accept text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 sec-fetch-site none sec-fetch-mode navigate sec-fetch-user ?1 sec-fetch-dest document accept-encoding gzip, deflate, br accept-language en-US Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers status 200 date Mon, 09 Nov 2020 13:12:42 GMT server Apache vary Accept-Encoding,User-Agent accept-ranges none content-encoding gzip referrer-policy no-referrer-when-downgrade content-length 97 content-type text/html; charset=UTF-8 Redirect headers status 301 date Mon, 09 Nov 2020 13:12:42 GMT server Apache location https://southwirral.wirral.sch.uk/liber_bank/ content-length 253 content-type text/html; charset=iso-8859-1
GET H2	200	Primary Request / Show response safelyppe.com/liberbank/action/	95 KB 54 KB	919ms 655ms	Document text/html	184.154.139.171 SINGLEHOP-LLC
General Check archive.org Show headers Download Go to Full URL https://safelyppe.com/liberbank/action/ Protocol H2 Security TLS 1.3, , AES_128_GCM Server 184.154.139.171 Chicago, United States, ASN32475 (SINGLEHOP-LLC, US), Reverse DNS ds1247.tmddedicated.com Software Apache / Resource Hash `911ecb79e6cef03d6e1403829d99b530eab52d7752bd691b15b93f0a718cc5a6` Request headers :method GET :authority safelyppe.com :scheme https :path /liberbank/action/ pragma no-cache cache-control no-cache upgrade-insecure-requests 1 user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 accept text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 sec-fetch-site cross-site sec-fetch-mode navigate sec-fetch-dest document referer https://southwirral.wirral.sch.uk/liber_bank/ accept-encoding gzip, deflate, br accept-language en-US Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Referer https://southwirral.wirral.sch.uk/liber_bank/ Response headers status 200 date Mon, 09 Nov 2020 13:12:42 GMT server Apache last-modified Mon, 19 Oct 2020 13:32:36 GMT etag "17cf7-5b20625b94500-gzip" accept-ranges bytes vary Accept-Encoding,User-Agent content-encoding gzip content-type text/html
GET DATA	200 OK	truncated /	5 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `efaf2a12480ea1ea4859d6a0a77203481a9bc002efdb1543af544286b8f92669` Request headers Referer User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers Content-Type image/png
GET DATA	200 OK	truncated /	36 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `64670b1dea230d687508a386583536d4f8ba90f224c17f0be67ecb08bb3ea4db` Request headers Referer User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers Content-Type image/png
GET DATA	200 OK	truncated /	37 B 0		Image image/gif
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `bb229a48bee31f5d54ca12dc9bd960c63a671f0d4be86a054c1d324a44499d96` Request headers Referer User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers Content-Type image/gif
GET DATA	200 OK	truncated /	21 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `78b2ea3fa852a4185b3d55cbc82bb7fd9f1d3214670f3ffe82ac3d7789c07373` Request headers Referer User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers Content-Type image/png
GET DATA	200 OK	truncated /	2 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `881f2a0b66f75dc6228a6f0e90f3db94150b5f98fd7ffd773735e69bae9096a2` Request headers Referer User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers Content-Type image/png

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Unicaja Banco (Banking)

4 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

function| showDirectoryPicker function| showOpenFilePicker function| showSaveFilePicker object| trustedTypes

0 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

safelyppe.com
southwirral.wirral.sch.uk
184.154.139.171
91.103.219.222
442482756e1400939fbbe8e0d71b8075e18e2e8463aab13a0e13c034f628954d
64670b1dea230d687508a386583536d4f8ba90f224c17f0be67ecb08bb3ea4db
78b2ea3fa852a4185b3d55cbc82bb7fd9f1d3214670f3ffe82ac3d7789c07373
881f2a0b66f75dc6228a6f0e90f3db94150b5f98fd7ffd773735e69bae9096a2
911ecb79e6cef03d6e1403829d99b530eab52d7752bd691b15b93f0a718cc5a6
bb229a48bee31f5d54ca12dc9bd960c63a671f0d4be86a054c1d324a44499d96
efaf2a12480ea1ea4859d6a0a77203481a9bc002efdb1543af544286b8f92669

safelyppe.com Open in urlscan Pro 184.154.139.171 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page URL History Show full URLs

Detected technologies

Page Statistics

2 Requests

100 %HTTPS

0 %IPv6

2 Domains

2 Subdomains

3 IPs

2 Countries

55 kBTransfer

159 kBSize

0 Cookies

0 Outgoing links

Page URL History

Redirected requests

2 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 5 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

4 JavaScript Global Variables

0 Cookies

Indicators

safelyppe.com Open in urlscan Pro
184.154.139.171 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

2
Requests

100 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

3
IPs

2
Countries

55 kB
Transfer

159 kB
Size

0
Cookies

2 HTTP transactions
5 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!