wellssecurecnnect.com
31.41.44.127
Malicious Activity!
Public Scan
Effective URL: https://wellssecurecnnect.com/auth/login/present?origin=cob&error=yes&LOB=CONS&destination=brokerage
Submission: On October 27 via manual from IN
Summary
TLS certificate: Issued by Let's Encrypt Authority X3 on October 15th 2020. Valid for: 3 months.
This is the only time wellssecurecnnect.com was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Wells Fargo (Banking)
Domain & IP information
Requests | IP Address | AS Autonomous System
---|---|---
1 | 67.199.248.11 | 396982 (GOOGLE-PRIVATE-CLOUD)
1 | 185.120.57.202 | 202933 (CLOUDSOLUTIONS)
11 | 31.41.44.127 | 56577 (ASRELINK)
1 | 2606:4700:10::ac43:1e94 | 13335 (CLOUDFLARENET)
1 | 2001:4de0:ac19::1:b:2b | 20446 (HIGHWINDS3)
14 | 4 |
ASN202933 (CLOUDSOLUTIONS, RU)
PTR: 72658.hosted-by-virtualdc.ru
Domains: appod.live
ASN56577 (ASRELINK, RU)
PTR: ugsqkng.example.com
Domains: wellssecurecnnect.com
Requests | Apex Domain | Subdomains | Transfer
---|---|---|---
11 | wellssecurecnnect.com | wellssecurecnnect.com | 291 KB
1 | jquery.com | code.jquery.com | 24 KB
1 | getbootstrap.com | getbootstrap.com | 19 KB
1 | appod.live | appod.live | 422 B
1 | bit.ly | bit.ly (1 redirects) | 253 B
14 | 5 | |
Requests | Domain | Requested by
---|---|---
11 | wellssecurecnnect.com | wellssecurecnnect.com
1 | code.jquery.com | wellssecurecnnect.com
1 | getbootstrap.com | wellssecurecnnect.com
1 | appod.live |
1 | bit.ly | 1 redirects
14 | 5 |
This site contains no links.
Subject | Issuer | Validity | Valid | Lookup
---|---|---|---|---
appod.live | Let's Encrypt Authority X3 | 2020-10-24 - 2021-01-22 | 3 months | crt.sh
wellssecurecnnect.com | Let's Encrypt Authority X3 | 2020-10-15 - 2021-01-13 | 3 months | crt.sh
sni.cloudflaressl.com | Cloudflare Inc ECC CA-3 | 2020-08-12 - 2021-08-12 | a year | crt.sh
jquery.org | Sectigo RSA Domain Validation Secure Server CA | 2020-10-06 - 2021-10-16 | a year | crt.sh
This page contains 1 frame:
Primary Page: https://wellssecurecnnect.com/auth/login/present?origin=cob&error=yes&LOB=CONS&destination=brokerage
Frame ID: 4765573EE13F35E5B2763BF18D60D63E
Requests: 14 HTTP requests in this frame
Detected technologies
Bootstrap (Web Frameworks)
Detected patterns
- html /<link[^>]+?href="[^"]*bootstrap(?:\.min)?\.css/i
- script /(?:\/([\d.]+))?(?:\/js)?\/bootstrap(?:\.min)?\.js/i
Nginx (Web Servers)
Detected patterns
- headers server /nginx(?:\/([\d.]+))?/i
jQuery (JavaScript Libraries)
Detected patterns
- script /jquery[.-]([\d.]*\d)[^/]*\.js/i
- script /jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?/i
Page Statistics
0 Outgoing links
These are links going to different origins than the main page.
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
- https://bit.ly/2TmMBEj (HTTP 301) -> https://appod.live/XaVs4ecPhbU (Page URL)
- https://wellssecurecnnect.com/auth/login/present?origin=cob&error=yes&LOB=CONS&destination=brokerage (Page URL)
Redirected requests
There were HTTP redirect chains for the following requests:
Request Chain 0
- https://bit.ly/2TmMBEj HTTP 301
- https://appod.live/XaVs4ecPhbU
14 HTTP transactions
Method | Protocol | Resource | Path | Size | x-fer | Type | MIME-Type | Note
---|---|---|---|---|---|---|---|---
GET | H/1.1 | XaVs4ecPhbU | appod.live/ | 141 B | 422 B | Document | text/html | Redirect Chain
GET | H/1.1 | present | wellssecurecnnect.com/auth/login/ | 9 KB | 3 KB | Document | text/html | Primary Request
GET | H2 | bootstrap.min.css | getbootstrap.com/docs/4.0/dist/css/ | 141 KB | 19 KB | Stylesheet | text/css |
GET | H/1.1 | logo.png | wellssecurecnnect.com/auth/login/img/ | 10 KB | 11 KB | Image | image/png |
GET | H/1.1 | search.png | wellssecurecnnect.com/auth/login/img/ | 8 KB | 8 KB | Image | image/png |
GET | H/1.1 | front.svg | wellssecurecnnect.com/auth/login/img/ | 226 KB | 165 KB | Image | image/svg+xml |
GET | H/1.1 | enter.png | wellssecurecnnect.com/auth/login/img/ | 19 KB | 20 KB | Image | image/png |
GET | H/1.1 | right.png | wellssecurecnnect.com/auth/login/img/ | 47 KB | 48 KB | Image | image/png |
GET | H/1.1 | copyright.png | wellssecurecnnect.com/auth/login/img/ | 15 KB | 15 KB | Image | image/png |
GET | H2 | jquery-3.2.1.slim.min.js | code.jquery.com/ | 68 KB | 24 KB | Script | application/javascript |
GET | H/1.1 | popper.min.js | wellssecurecnnect.com/assets/js/vendor/ | 0 | 0 | Script | text/html |
GET | H/1.1 | bootstrap.min.js | wellssecurecnnect.com/dist/js/ | 0 | 0 | Script | text/html |
GET | H/1.1 | wellsfargosans-sbd.woff2 | wellssecurecnnect.com/auth/login/fonts/ | 22 KB | 22 KB | Font | application/octet-stream |
GET | H/1.1 | bootstrap.min.js | wellssecurecnnect.com/dist/js/ | 0 | 0 | Script | text/html |
Verdicts & Comments
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Wells Fargo (Banking)
6 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
Type | Name
---|---
function | showDirectoryPicker
function | showOpenFilePicker
function | showSaveFilePicker
object | trustedTypes
function | $
function | jQuery
0 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
appod.live
bit.ly
code.jquery.com
getbootstrap.com
wellssecurecnnect.com
185.120.57.202
2001:4de0:ac19::1:b:2b
2606:4700:10::ac43:1e94
31.41.44.127
67.199.248.11