customersactionrequired17-tk.preview-domain.com
2606:4700::6812:1878
Malicious Activity!
Public Scan
Effective URL: https://customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/authen
Submission: On August 13 via automatic, source openphish — Scanned from DE
Summary
TLS certificate: Issued by Cloudflare Inc ECC CA-3 on June 3rd 2022. Valid for: a year.
This is the only time customersactionrequired17-tk.preview-domain.com was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Citibank (Banking)
Domain & IP information
| IP Address | AS Autonomous System |
---|---|---|
1 25 | 2606:4700::6812:1878 | 13335 (CLOUDFLARENET) |
1 | 92.123.23.26 | |
27 | 3 | |
ASN13335 (CLOUDFLARENET, US)
customersactionrequired17-tk.preview-domain.com
| Apex Domain | Subdomains | Transfer |
---|---|---|---|
25 | preview-domain.com (1 redirects) | customersactionrequired17-tk.preview-domain.com | 440 KB |
1 | citi.com | online.citi.com | 106 KB |
27 | 2 | | |
| Domain | Requested by |
---|---|---|
25 | customersactionrequired17-tk.preview-domain.com (1 redirects) | customersactionrequired17-tk.preview-domain.com |
1 | online.citi.com | customersactionrequired17-tk.preview-domain.com |
27 | 2 | |
This site contains no links.
Subject | Issuer | Validity | Valid | |
---|---|---|---|---|
sni.cloudflaressl.com | Cloudflare Inc ECC CA-3 | 2022-06-03 - 2023-06-02 | a year | crt.sh |
online.citibank.com | DigiCert SHA2 Extended Validation Server CA | 2022-05-03 - 2023-05-16 | a year | crt.sh |
This page contains 1 frames:
Primary Page:
https://customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/authen
Frame ID: 798D56B3785C982F6B0536680C60C790
Requests: 27 HTTP requests in this frame
Screenshot
Page Title
Sign On to Your Citi Account - Citibank
Page Statistics
0 Outgoing links
These are links going to different origins than the main page.
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
-
https://customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/index.php?_branch_match_id=1086747696202540894&utm_medium=marketing&_branch_referrer=H4sIAAAAAAAAA8soKSkottLXLzIsyC7TSywo0MvJzMvWNy2qCgjNzQ0oLE4CAFBmJDUiAAAA
HTTP 307
https://customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/authen Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
27 HTTP transactions
Method | Protocol | Resource | Path | Size | x-fer | Type | MIME-Type |
---|---|---|---|---|---|---|---|
GET | H2 | authen (Primary Request, Redirect Chain) | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/ | 306 KB | 51 KB | Document | text/html |
GET | H3 | styles.83727b5f4bed338db821.css | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 2 MB | 246 KB | Stylesheet | text/css |
GET | H3 | citilogoredesign.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 2 KB | 2 KB | Image | image/png |
GET | H3 | 050-location2x.svg | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 7 KB | 7 KB | Image | text/html |
GET | H3 | icon_globe_med-grey2x.svg | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 3 KB | 2 KB | Image | image/svg+xml |
GET | H3 | IE_warning.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 9 KB | 10 KB | Image | image/png |
GET | H3 | qrsignon.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 964 B | 1 KB | Image | image/png |
GET | H3 | phone-new.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 6 KB | 6 KB | Image | image/png |
GET | H3 | laptop-and-phone-pairing-new.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 11 KB | 11 KB | Image | image/png |
GET | H3 | laptop-and-phone-success-new.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 13 KB | 13 KB | Image | image/png |
GET | H3 | EqualHousing.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 2 KB | 2 KB | Image | image/png |
GET | H3 | googlePlay3x.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 24 KB | 25 KB | Image | image/png |
GET | H3 | appStore3x.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 20 KB | 20 KB | Image | image/png |
GET | H3 | social-media_facebook3x.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 445 B | 779 B | Image | image/png |
GET | H3 | social-media_twitter3x.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 1 KB | 2 KB | Image | image/png |
GET | H3 | social-media_youtube3x.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 1 KB | 1 KB | Image | image/png |
GET | H3 | 320_Citi-PLT3x.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 11 KB | 12 KB | Image | image/png |
GET | H3 | 1440_Citi-PLT3x.png | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/ | 27 KB | 28 KB | Image | image/png |
GET | H2 | LSO_4959.jpg | online.citi.com/nga-lite-signon/ | 106 KB | 106 KB | Image | image/jpeg |
GET | H3 | Interstate-Light.woff | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/cbol-pre-login-static-assets/commonui-assets/fonts/interstate/ | 0 | 0 | Font | text/html |
GET | H3 | Interstate-Bold.woff | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/cbol-pre-login-static-assets/commonui-assets/fonts/interstate/ | 0 | 0 | Font | text/html |
GET | H3 | Interstate-Bold.woff | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/cds-assets/fonts/interstate/ | 0 | 0 | Font | text/html |
GET | H3 | Interstate-Bold.ttf | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/cbol-pre-login-static-assets/commonui-assets/fonts/interstate/ | 0 | 0 | Font | text/html |
GET | H3 | Interstate-Light.ttf | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/cbol-pre-login-static-assets/commonui-assets/fonts/interstate/ | 0 | 0 | Font | text/html |
GET | H3 | Interstate-Bold.ttf | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/cds-assets/fonts/interstate/ | 0 | 0 | Font | text/html |
GET | | Interstate-Light.woff | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/cds-assets/fonts/interstate/ | 0 | 0 | | |
GET | | Interstate-Bold.woff | customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/commonui-assets/fonts/interstate/ | 0 | 0 | | |
Failed requests
These URLs were requested, but there was no response received. You will also see them in the list above.
- Domain: customersactionrequired17-tk.preview-domain.com
  URL: https://customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/cds-assets/fonts/interstate/Interstate-Light.woff
- Domain: customersactionrequired17-tk.preview-domain.com
  URL: https://customersactionrequired17-tk.preview-domain.com/NuCILast/NuCILast/1/assets/PsychoTDB/commonui-assets/fonts/interstate/Interstate-Bold.woff
Verdicts & Comments
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Citibank (Banking)
8 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
Type | Name |
---|---|
object | oncontextlost |
object | oncontextrestored |
function | structuredClone |
object | launchQueue |
object | onbeforematch |
function | getScreenDetails |
function | queryLocalFonts |
object | navigation |
1 Cookies
Cookies are small pieces of information stored in a user's browser. Whenever the user visits the site again, the browser also sends the stored cookie values, allowing the website to re-identify the user even from a different location. This is how permanent logins work.
Domain/Path | Expires | Name / Value |
---|---|---|
customersactionrequired17-tk.preview-domain.com/ | | Name: cazanova Value: eaeeacb7dd368ab8cbd692539d889af111ca6c57 |
8 Console Messages
A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.
Source | Level | URL | Text |
---|---|---|---|
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
customersactionrequired17-tk.preview-domain.com
online.citi.com
customersactionrequired17-tk.preview-domain.com
2606:4700::6812:1878
92.123.23.26