www.user-securepass.com
Open in
urlscan Pro
170.64.142.67
Malicious Activity!
Public Scan
Submitted URL: https://www.user-securepass.com/
Effective URL: https://www.user-securepass.com/main.php
Submission: On April 20 via automatic, source certstream-suspicious — Scanned from AU
Effective URL: https://www.user-securepass.com/main.php
Submission: On April 20 via automatic, source certstream-suspicious — Scanned from AU
Summary
This website contacted 6 IPs
in 2 countries
across 5 domains to perform 23 HTTP transactions.
The main IP is 170.64.142.67, located in
Sydney, Australia and
belongs to DIGITALOCEAN-ASN, US.
The main domain is www.user-securepass.com.
TLS certificate: Issued by cPanel, Inc. Certification Authority on April 20th 2023. Valid for: 3 months.
This is the only time www.user-securepass.com was scanned on urlscan.io!
TLS certificate: Issued by cPanel, Inc. Certification Authority on April 20th 2023. Valid for: 3 months.
This is the only time www.user-securepass.com was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: M&T Bank (Banking)Domain & IP information
| IP Address | AS Autonomous System | ||
|---|---|---|---|
| 1 10 | 170.64.142.67 170.64.142.67 | 14061 (DIGITALOC...) (DIGITALOCEAN-ASN) | |
| 1 | 54.192.150.35 54.192.150.35 | 16509 (AMAZON-02) (AMAZON-02) | |
| 2 | 54.192.150.67 54.192.150.67 | 16509 (AMAZON-02) (AMAZON-02) | |
| 2 | 13.33.33.69 13.33.33.69 | 16509 (AMAZON-02) (AMAZON-02) | |
| 2 | 13.224.250.95 13.224.250.95 | 16509 (AMAZON-02) (AMAZON-02) | |
| 23 | 6 |
1
54.192.150.35
(United States)
ASN16509 (AMAZON-02, US)
PTR: server-54-192-150-35.sin2.r.cloudfront.net
ASN16509 (AMAZON-02, US)
PTR: server-54-192-150-35.sin2.r.cloudfront.net
| www3.mtb.com |
2
54.192.150.67
(United States)
ASN16509 (AMAZON-02, US)
PTR: server-54-192-150-67.sin2.r.cloudfront.net
ASN16509 (AMAZON-02, US)
PTR: server-54-192-150-67.sin2.r.cloudfront.net
| 1.a79ab95c1589a13f8a4cab612bc71f9f7.com |
2
13.33.33.69
(United States)
ASN16509 (AMAZON-02, US)
PTR: server-13-33-33-69.sin2.r.cloudfront.net
ASN16509 (AMAZON-02, US)
PTR: server-13-33-33-69.sin2.r.cloudfront.net
| 1.b406929acabac9b095f124c81bdfcf57f.com |
2
13.224.250.95
(United States)
ASN16509 (AMAZON-02, US)
PTR: server-13-224-250-95.sin52.r.cloudfront.net
ASN16509 (AMAZON-02, US)
PTR: server-13-224-250-95.sin52.r.cloudfront.net
| 1.c81358859121583b7adf2ace89cb39f44.com |
| Apex Domain Subdomains |
Transfer | |
|---|---|---|
| 10 |
user-securepass.com
1 redirects
www.user-securepass.com |
1 MB |
| 2 |
c81358859121583b7adf2ace89cb39f44.com
1.c81358859121583b7adf2ace89cb39f44.com — Cisco Umbrella Rank: 34620 |
4 KB |
| 2 |
b406929acabac9b095f124c81bdfcf57f.com
1.b406929acabac9b095f124c81bdfcf57f.com — Cisco Umbrella Rank: 34850 |
4 KB |
| 2 |
a79ab95c1589a13f8a4cab612bc71f9f7.com
1.a79ab95c1589a13f8a4cab612bc71f9f7.com — Cisco Umbrella Rank: 34588 |
4 KB |
| 1 |
mtb.com
www3.mtb.com — Cisco Umbrella Rank: 236547 |
57 KB |
| 23 | 5 |
| Domain | Requested by | |
|---|---|---|
| 10 | www.user-securepass.com |
1 redirects
www.user-securepass.com
|
| 2 | 1.c81358859121583b7adf2ace89cb39f44.com |
www.user-securepass.com
1.c81358859121583b7adf2ace89cb39f44.com |
| 2 | 1.b406929acabac9b095f124c81bdfcf57f.com |
www.user-securepass.com
1.b406929acabac9b095f124c81bdfcf57f.com |
| 2 | 1.a79ab95c1589a13f8a4cab612bc71f9f7.com |
www.user-securepass.com
1.a79ab95c1589a13f8a4cab612bc71f9f7.com |
| 1 | www3.mtb.com |
www.user-securepass.com
www3.mtb.com |
| 23 | 5 |
This site contains no links.
| Subject Issuer | Validity | Valid | |
|---|---|---|---|
| user-securepass.com cPanel, Inc. Certification Authority |
2023-04-20 - 2023-07-19 |
3 months | crt.sh |
| www.mtb.com Entrust Certification Authority - L1M |
2022-08-29 - 2023-06-02 |
9 months | crt.sh |
| *.a79ab95c1589a13f8a4cab612bc71f9f7.com Sectigo RSA Domain Validation Secure Server CA |
2023-03-26 - 2024-04-04 |
a year | crt.sh |
| *.b406929acabac9b095f124c81bdfcf57f.com Sectigo RSA Domain Validation Secure Server CA |
2023-04-02 - 2024-04-07 |
a year | crt.sh |
| *.c81358859121583b7adf2ace89cb39f44.com Sectigo RSA Domain Validation Secure Server CA |
2023-04-02 - 2024-04-07 |
a year | crt.sh |
This page contains 4 frames:
Primary Page:
https://www.user-securepass.com/main.php
Frame ID: F330B6C9D93FD04C6F428C8924AA40BC
Requests: 18 HTTP requests in this frame
Frame:
https://1.a79ab95c1589a13f8a4cab612bc71f9f7.com/scripts/prod/crossdomain.html
Frame ID: 26F4861925BCC528CFF4A1975EA97B41
Requests: 2 HTTP requests in this frame
Frame:
https://1.b406929acabac9b095f124c81bdfcf57f.com/scripts/prod/crossdomain.html
Frame ID: 9AAA3274E25237885555ED64369F9112
Requests: 2 HTTP requests in this frame
Frame:
https://1.c81358859121583b7adf2ace89cb39f44.com/scripts/prod/crossdomain.html
Frame ID: FC25E9C1BB2F97636F32A1F85730F118
Requests: 2 HTTP requests in this frame
Screenshot
Page Title
Log in to M&T Online Banking or Commercial Treasury CenterNavigation MenuPage URL History Show full URLs
-
https://www.user-securepass.com/
HTTP 302
https://www.user-securepass.com/main.php Page URL
Detected technologies
Adobe Experience Manager
(CMS)
Expand
Overall confidence: 100%
Detected patterns
Detected patterns
- <div class="[^"]*aem-Grid
- /etc\.clientlibs/
PHP
(Programming Languages)
Expand
Overall confidence: 100%
Detected patterns
Detected patterns
- \.php(?:$|\?)
Page Statistics
0 Outgoing links
These are links going to different origins than the main page.
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
-
https://www.user-securepass.com/
HTTP 302
https://www.user-securepass.com/main.php Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
23 HTTP transactions
| Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
GET H/1.1 |
Primary Request
main.php
www.user-securepass.com/ Redirect Chain
|
59 KB 59 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
clientlib-base.css
www3.mtb.com/etc.clientlibs/mtb-web/clientlibs/ |
425 KB 57 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
mtb_app_wbk.js
www.user-securepass.com/css/ |
242 KB 243 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
cdsession.js
www.user-securepass.com/css/ |
605 KB 605 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
vendor.js
www.user-securepass.com/css/ |
236 KB 237 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
white%20logo.png
www.user-securepass.com/css/ |
5 KB 5 KB |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
equal-housing-lender-logo.png
www.user-securepass.com/css/ |
1 KB 2 KB |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
fszullhwyai6bvj-desktop-720x816-update.jpeg
www.user-securepass.com/css/ |
26 KB 26 KB |
Image
image/jpeg |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
fszullhwyai6bvj.jpeg
www.user-securepass.com/css/ |
25 KB 25 KB |
Image
image/jpeg |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET BLOB |
c06d04a1-ae51-462b-a046-8be86020f147
https://www.user-securepass.com/ |
165 KB 0 |
Other
text/plain |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET |
mandtbaltoweb-book.woff
www3.mtb.com/etc.clientlibs/mtb-web/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/ |
0 0 |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET |
mandtbaltoweb-light.woff
www3.mtb.com/etc.clientlibs/mtb-web/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/ |
0 0 |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
chevron_down.8adc6731.svg
www.user-securepass.com/css/ |
970 B 1 KB |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET |
mandtbaltoweb-medium.woff
www3.mtb.com/etc.clientlibs/mtb-web/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/ |
0 0 |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET DATA |
truncated
/ |
89 B 0 |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET |
mandtbaltoweb-book.woff
www3.mtb.com/etc.clientlibs/axp-common/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/ |
0 0 |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET |
mandtbaltoweb-light.woff
www3.mtb.com/etc.clientlibs/axp-common/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/ |
0 0 |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
crossdomain.html
1.a79ab95c1589a13f8a4cab612bc71f9f7.com/scripts/prod/ Frame 26F4 |
221 B 557 B |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
crossdomain.html
1.b406929acabac9b095f124c81bdfcf57f.com/scripts/prod/ Frame 9AAA |
221 B 555 B |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
crossdomain.html
1.c81358859121583b7adf2ace89cb39f44.com/scripts/prod/ Frame FC25 |
221 B 557 B |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET |
mandtbaltoweb-medium.woff
www3.mtb.com/etc.clientlibs/axp-common/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/ |
0 0 |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
crossdomain2.12.0.5273.b96c35cc.min.js
1.a79ab95c1589a13f8a4cab612bc71f9f7.com/scripts/prod/ Frame 26F4 |
3 KB 3 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
crossdomain2.12.0.5273.b96c35cc.min.js
1.b406929acabac9b095f124c81bdfcf57f.com/scripts/prod/ Frame 9AAA |
3 KB 3 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
crossdomain2.12.0.5273.b96c35cc.min.js
1.c81358859121583b7adf2ace89cb39f44.com/scripts/prod/ Frame FC25 |
3 KB 3 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Failed requests
These URLs were requested, but there was no response received. You will also see them in the list above.
- Domain
- www3.mtb.com
- URL
- https://www3.mtb.com/etc.clientlibs/mtb-web/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/mandtbaltoweb-book.woff
- Domain
- www3.mtb.com
- URL
- https://www3.mtb.com/etc.clientlibs/mtb-web/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/mandtbaltoweb-light.woff
- Domain
- www3.mtb.com
- URL
- https://www3.mtb.com/etc.clientlibs/mtb-web/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/mandtbaltoweb-medium.woff
- Domain
- www3.mtb.com
- URL
- https://www3.mtb.com/etc.clientlibs/axp-common/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/mandtbaltoweb-book.woff
- Domain
- www3.mtb.com
- URL
- https://www3.mtb.com/etc.clientlibs/axp-common/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/mandtbaltoweb-light.woff
- Domain
- www3.mtb.com
- URL
- https://www3.mtb.com/etc.clientlibs/axp-common/clientlibs/clientlib-site/resources/fonts/MTB_Balto/Webfonts/mandtbaltoweb-medium.woff
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: M&T Bank (Banking)66 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
function| UIEvent boolean| credentialless object| cdwpb object| cdApi object| Utils object| customEventsObject object| cookiesUtils object| modalObject object| tealiumUtils function| Hashtable function| startsWith function| DomDataCollection function| IE_FingerPrint function| Mozilla_FingerPrint function| Opera_FingerPrint function| Timer function| getRandomPort object| ProxyCollector function| BlackberryLocationCollector function| detectFields string| SEP string| PAIR string| DEV function| FingerPrint function| urlEncode function| encode_deviceprint function| decode_deviceprint function| post_deviceprint function| post_fingerprints function| add_deviceprint function| form_add_data function| form_add_deviceprint string| HTML5 string| BLACKBERRY string| UNDEFINED string| GEO_LOCATION_DEFAULT_STRUCT object| geoLocator boolean| geoLocatorStatus function| detectDeviceCollectionAPIMode function| init function| startCollection function| stopCollection function| getGeolocationStruct function| HTML5LocationCollector object| UIEventCollector function| InteractionElement function| UIElementList function| activeXDetect function| stripIllegalChars function| stripFullPath object| BrowserDetect function| convertTimestampToGMT function| getTimestampInMillis function| debug function| $ function| jQuery function| Cookies function| forceIE89Synchronicity object| lazySizes function| populateUserId function| cdSession string| style string| d string| t string| m object| s5 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
| Domain/Path | Expires | Name / Value |
|---|---|---|
| www.user-securepass.com/ | Name: PHPSESSID Value: 7cdb0b86578a5d3e48f049e8d1717952 |
|
| .user-securepass.com/ | Name: cdContextId Value: 1 |
|
| .user-securepass.com/ | Name: bmuid Value: 1681980100143-FDCE4E7E-01ED-4755-B6ED-8F3DB6BB081A |
|
| www.user-securepass.com/ | Name: cdSessionId Value: adcdb29d-dee3-4bc9-af0e-947eb989c6fa |
|
| .user-securepass.com/ | Name: cdSNum Value: 1681980100916-sjn0000456-9146c389-3e7f-476b-a7e6-50114b00a108 |
14 Console Messages
A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.
| Source | Level | URL Text |
|---|
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
1.a79ab95c1589a13f8a4cab612bc71f9f7.com
1.b406929acabac9b095f124c81bdfcf57f.com
1.c81358859121583b7adf2ace89cb39f44.com
www.user-securepass.com
www3.mtb.com
www3.mtb.com
13.224.250.95
13.33.33.69
170.64.142.67
54.192.150.35
54.192.150.67
03cc12570299da2da582ed1f055f77f31f7d77899f1ada7ced1dfeea50068298
0a23512ea579554af1f2614d6dea6120d38660028fc7624c71a978478fae0eb6
25e521f17135f161c1f02f0555af227292ab009967c461380e3135c414f288e6
302462d4283c45e7405dcaf5036c9f1e34982c47baaa0a39c2b45e6cb9a203f4
46c43686825a8cb8bf832253977abfb4871e5d9014cb6912e8519c736a6253d3
50e6072d26098d48004a30addeecabd5b22b91e5ccdf9dd86f96459783e3ac23
68d12e8086357835fc398c26ffc15a2ad73d6c1ceb930e545982149af754e652
8e36f036be3313f66918b7f296388c199468b0ffb75d3f8908cd04f58d966964
9cdad69a4b967c882c3d8e9cb054e7334b7f8870e96427a5d20ae2d17eff2622
a06dcffedaadc56b236deaf03906e025341b8fe314430247de506bd37237d42e
b9b7a642f229db0bbc0a820e1eee063041d03ab631f868e8106c1aa1c4647b75
c565fe1dd5bd3d44d700ff4f06150a131c9582dcae6f60a083e6cfdf0dd34b1f
c5bac5c06dfc6a8b1547af4e6dfa0d784f70db7c92cfe1e97c45e962f0283d0c
ed305c6fbe8bfbc0a34f339f2430f89e03d49cf628945a0c126896d96760f86c