helping-deskforquery.com Open in urlscan Pro
2606:4700:3030::6815:53e9 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
https://www.redheadsinc.com/update
Effective URL:
https://helping-deskforquery.com/AFCU/login
Submission: On April 21 via api (April 21st 2023, 10:52:50 pm UTC) from BE — Scanned from DE

Summary HTTP 13 Redirects Links 11 Behaviour Indicators

Summary

This website contacted 5 IPs in 3 countries across 4 domains to perform 13 HTTP transactions. The main IP is 2606:4700:3030::6815:53e9, located in United States and belongs to CLOUDFLARENET, US. The main domain is helping-deskforquery.com.
TLS certificate: Issued by GTS CA 1P5 on April 11th 2023. Valid for: 3 months.

This is the only time helping-deskforquery.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Generic Cloudflare (Online) America First Credit Union (Banking)

Domain & IP information

	IP Address	AS Autonomous System
2 3	104.196.59.135 104.196.59.135	15169 (GOOGLE) (GOOGLE)
1 8	2606:4700:303... 2606:4700:3030::6815:53e9	13335 (CLOUDFLAR...) (CLOUDFLARENET)
4	104.18.29.228 104.18.29.228	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1	2a00:1450:400... 2a00:1450:4001:828::200a	15169 (GOOGLE) (GOOGLE)
13	5

3 104.196.59.135 (North Charleston, United States) 2 redirects

ASN15169 (GOOGLE, US)
PTR: 135.59.196.104.bc.googleusercontent.com

www.redheadsinc.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

8 2606:4700:3030::6815:53e9 (United States) 1 redirects

ASN13335 (CLOUDFLARENET, US)

helping-deskforquery.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

4 104.18.29.228 (None, )

ASN13335 (CLOUDFLARENET, US)

secure.americafirst.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:828::200a (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

ajax.googleapis.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
8	helping-deskforquery.com 1 redirects helping-deskforquery.com	210 KB
4	americafirst.com secure.americafirst.com — Cisco Umbrella Rank: 436330	9 KB
3	redheadsinc.com 2 redirects www.redheadsinc.com	902 B
1	googleapis.com ajax.googleapis.com — Cisco Umbrella Rank: 607	31 KB
13	4

	Domain	Requested by
8	helping-deskforquery.com	1 redirects www.redheadsinc.com helping-deskforquery.com
4	secure.americafirst.com	helping-deskforquery.com
3	www.redheadsinc.com	2 redirects
1	ajax.googleapis.com	helping-deskforquery.com
13	4

This site contains links to these domains. Also see Links.

Domain
www.americafirst.com
secure.americafirst.com
portal.hud.gov
www.ncua.gov

Subject Issuer	Validity	Valid
www.redheadsinc.com R3	`2023-01-21` - `2023-04-21`	3 months	crt.sh
*.helping-deskforquery.com GTS CA 1P5	`2023-04-11` - `2023-07-10`	3 months	crt.sh
sni.cloudflaressl.com Cloudflare Inc ECC CA-3	`2023-04-11` - `2024-04-10`	a year	crt.sh
upload.video.google.com GTS CA 1C3	`2023-04-03` - `2023-06-26`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://helping-deskforquery.com/AFCU/login
Frame ID: 784BDFA7837DAF8360A1A7A5A4B2FDE9
Requests: 17 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

America First Credit Union

Page URL History Show full URLs

https://www.redheadsinc.com/update HTTP 301
http://www.redheadsinc.com/update/ HTTP 301
https://www.redheadsinc.com/update/ Page URL
https://helping-deskforquery.com/AFCU/login Page URL
https://helping-deskforquery.com/cdn-cgi/phish-bypass?atok=ZqRez7g8hv9HAGsCGaz4Tbbu80k0j2op6k2XHEOtGfQ-168211... HTTP 301
https://helping-deskforquery.com/AFCU/login Page URL
https://helping-deskforquery.com/AFCU/login Page URL

Detected technologies

jQuery (JavaScript Libraries) Expand

Overall confidence: 100%
Detected patterns

/([\d.]+)/jquery(?:\.min)?\.js
jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?

Page Statistics

13
Requests

92 %
HTTPS

50 %
IPv6

4
Domains

4
Subdomains

5
IPs

3
Countries

250 kB
Transfer

1785 kB
Size

4
Cookies

11 Outgoing links

These are links going to different origins than the main page.

URL: https://www.americafirst.com/

Search URL Search Domain Scan URL

URL: https://secure.americafirst.com/#/enroll
Title: Enroll Now

Search URL Search Domain Scan URL

URL: https://secure.americafirst.com/#/forgot-password
Title: Forgot Password

Search URL Search Domain Scan URL

URL: https://www.americafirst.com/about/contact/
Title: Contact Us

Search URL Search Domain Scan URL

URL: https://www.americafirst.com/about/disclosures/membership-agreement.cfm
Title: terms

Search URL Search Domain Scan URL

URL: https://www.americafirst.com/about/contact/branches.html
Title: branch locator

Search URL Search Domain Scan URL

URL: http://portal.hud.gov/hudportal/HUD?src=/program_offices/fair_housing_equal_opp

Search URL Search Domain Scan URL

URL: https://www.ncua.gov/support-services/share-insurance-fund

Search URL Search Domain Scan URL

URL: https://www.americafirst.com/documents/membership-agreement.pdf#privacyPolicy
Title: Privacy Policy

Search URL Search Domain Scan URL

URL: https://www.americafirst.com/documents/marketing-email-opt-out.pdf
Title: Email Opt Out Procedure

Search URL Search Domain Scan URL

URL: https://www.americafirst.com/content/dam/pdfs/FTEU%20Fraud%20Alerts.pdf
Title: Fraud Alert Text/SMS Notification Terms and Conditions

Search URL Search Domain Scan URL

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://www.redheadsinc.com/update HTTP 301
http://www.redheadsinc.com/update/ HTTP 301
https://www.redheadsinc.com/update/ Page URL
https://helping-deskforquery.com/AFCU/login Page URL
https://helping-deskforquery.com/cdn-cgi/phish-bypass?atok=ZqRez7g8hv9HAGsCGaz4Tbbu80k0j2op6k2XHEOtGfQ-1682117561-0-%2FAFCU%2Flogin HTTP 301
https://helping-deskforquery.com/AFCU/login Page URL
https://helping-deskforquery.com/AFCU/login Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 0

https://www.redheadsinc.com/update HTTP 301
http://www.redheadsinc.com/update/ HTTP 301
https://www.redheadsinc.com/update/

Request Chain 4

https://helping-deskforquery.com/cdn-cgi/phish-bypass?atok=ZqRez7g8hv9HAGsCGaz4Tbbu80k0j2op6k2XHEOtGfQ-1682117561-0-%2FAFCU%2Flogin HTTP 301
https://helping-deskforquery.com/AFCU/login

13 HTTP transactions
4 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H2

200

/
www.redheadsinc.com/update/
Redirect Chain

https://www.redheadsinc.com/update
http://www.redheadsinc.com/update/
https://www.redheadsinc.com/update/

380 B
497 B

110ms
110ms

Document
text/html

104.196.59.135
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL: https://www.redheadsinc.com/update/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 104.196.59.135 North Charleston, United States, ASN15169 (GOOGLE, US),
Reverse DNS: 135.59.196.104.bc.googleusercontent.com
Software: nginx / WP Engine
Resource Hash

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36
accept-language: de-DE,de;q=0.9

Response headers

cache-control: max-age=600, must-revalidate
content-encoding: br
content-type: text/html
date: Fri, 21 Apr 2023 22:52:41 GMT
etag: W/"17c-5f9c6690f3b40-gzip"
last-modified: Thu, 20 Apr 2023 15:44:05 GMT
server: nginx
vary: Accept-Encoding Accept-Encoding Accept-Encoding Accept-Encoding,Cookie
x-cache: HIT: 1
x-cache-group: normal
x-cacheable: SHORT
x-powered-by: WP Engine

Redirect headers

Connection: keep-alive
Content-Length: 162
Content-Type: text/html
Date: Fri, 21 Apr 2023 22:52:40 GMT
Keep-Alive: timeout=20
Location: https://www.redheadsinc.com/update/
Server: nginx

GET
H2 200 login Show response
helping-deskforquery.com/AFCU/ 4 KB
2 KB 148ms
12ms Document
text/html 2606:4700:3030::6815:53e9
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://helping-deskforquery.com/AFCU/login

Requested by

Host: www.redheadsinc.com
URL: https://www.redheadsinc.com/update/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2606:4700:3030::6815:53e9 , United States, ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

2be19a8b52fbf9826f39491fe2110fc04dd6a5e9fb713a000c2660afbf5c910b

Security Headers

Name	Value
X-Frame-Options	SAMEORIGIN

Request headers

Referer: https://www.redheadsinc.com/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36
accept-language: de-DE,de;q=0.9

Response headers

cf-ray: 7bb932e61a3e2beb-FRA
content-encoding: gzip
content-type: text/html; charset=UTF-8
date: Fri, 21 Apr 2023 22:52:41 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=G8zy3VnK6cs3veFWnlx7A3SMbxOFwWQ5b5Jy%2F0AgSvvCjAfhwxDmHXW5ZKYL5h1QicuiJQQqz5DJ7uzY0%2FLUFw7pGUZ7OD7p1EcaUsUMbVouwiQCE5TdNLM6v0nhcVF9k5Q5rOx164KwnOZMdYDy6Ljujc9d%2Bt4%3D"}],"group":"cf-nel","max_age":604800}
server: cloudflare
vary: Accept-Encoding
x-frame-options: SAMEORIGIN

GET
H2 200 cf.errors.css
helping-deskforquery.com/cdn-cgi/styles/ 24 KB
5 KB 9ms
8ms Stylesheet
text/css 2606:4700:3030::6815:53e9
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://helping-deskforquery.com/cdn-cgi/styles/cf.errors.css

Requested by

Host: helping-deskforquery.com
URL: https://helping-deskforquery.com/AFCU/login

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2606:4700:3030::6815:53e9 , United States, ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

1103290e25ebda2712abe344a87facbac00ddaba712729be9fe5feef807bf91b

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	DENY

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://helping-deskforquery.com/AFCU/login
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

date: Fri, 21 Apr 2023 22:52:41 GMT
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Tue, 18 Apr 2023 16:29:34 GMT
server: cloudflare
etag: W/"643ec56e-5e44"
x-frame-options: DENY
vary: Accept-Encoding
content-type: text/css
cache-control: max-age=7200, public
cf-ray: 7bb932e63a542beb-FRA
expires: Sat, 22 Apr 2023 00:52:41 GMT

GET
H2 200 icon-exclamation.png
helping-deskforquery.com/cdn-cgi/images/ 452 B
540 B 7ms
7ms Image
image/png 2606:4700:3030::6815:53e9
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://helping-deskforquery.com/cdn-cgi/images/icon-exclamation.png?1376755637

Requested by

Host: helping-deskforquery.com
URL: https://helping-deskforquery.com/cdn-cgi/styles/cf.errors.css

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2606:4700:3030::6815:53e9 , United States, ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

f1591a5221136c49438642155691ae6c68e25b7241f3d7ebe975b09a77662016

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	DENY

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://helping-deskforquery.com/cdn-cgi/styles/cf.errors.css
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

date: Fri, 21 Apr 2023 22:52:41 GMT
x-content-type-options: nosniff
last-modified: Tue, 18 Apr 2023 16:29:34 GMT
server: cloudflare
etag: "643ec56e-1c4"
x-frame-options: DENY
vary: Accept-Encoding
content-type: image/png
cache-control: max-age=7200, public
accept-ranges: bytes
cf-ray: 7bb932e67a802beb-FRA
content-length: 452
expires: Sat, 22 Apr 2023 00:52:41 GMT

GET
H2

200

https://helping-deskforquery.com/cdn-cgi/phish-bypass?atok=ZqRez7g8hv9HAGsCGaz4Tbbu80k0j2op6k2XHEOtGfQ-1682117561-0-%2FAFCU%2Flogin
https://helping-deskforquery.com/AFCU/login

192 B
525 B

949ms
948ms

Document
text/html

2606:4700:3030::6815:53e9
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://helping-deskforquery.com/AFCU/login
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700:3030::6815:53e9 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 132be03c8c9db7608f259244074dc7aea6860a22020c4a6a1786dda4bc80a664

Request headers

Referer: https://helping-deskforquery.com/AFCU/login
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36
accept-language: de-DE,de;q=0.9

Response headers

alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray: 7bb932fe1b102beb-FRA
content-encoding: br
content-type: text/html; charset=UTF-8
date: Fri, 21 Apr 2023 22:52:46 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FvK7OFgFN0TqZEeTJuHIkK7rLECXdfZbzYzEZjVLCZGsW54JPoBmjdowi%2By4e1s5EZ3KSnIPQOCDoCk0DbCP2nCQJUL3wpecYASPN6SonSoQeqonRybzuwgf6EtLgNPGfX2Sly9KENZ1h6jDIQzWQFVVKhExEXs%3D"}],"group":"cf-nel","max_age":604800}
server: cloudflare

Redirect headers

cache-control: private, no-cache
cf-ray: 7bb932fe0b002beb-FRA
content-length: 167
content-type: text/html
date: Fri, 21 Apr 2023 22:52:45 GMT
location: https://helping-deskforquery.com/AFCU/login
server: cloudflare
x-content-type-options: nosniff
x-frame-options: DENY

GET
H2 200 Primary Request login Show response
helping-deskforquery.com/AFCU/ 63 KB
17 KB 1437ms
1435ms Document
text/html 2606:4700:3030::6815:53e9
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://helping-deskforquery.com/AFCU/login
Requested by: Host: helping-deskforquery.com
URL: https://helping-deskforquery.com/AFCU/login
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700:3030::6815:53e9 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: d65875873cabc4fb2d0b8c78fd8c179725cb5fb9ac598fe7a81a526a16db6452

Request headers

Referer: https://helping-deskforquery.com/AFCU/login
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36
accept-language: de-DE,de;q=0.9

Response headers

alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
cache-control: no-store, no-cache, must-revalidate
cf-cache-status: DYNAMIC
cf-ray: 7bb9330a5f672beb-FRA
content-encoding: br
content-type: text/html; charset=UTF-8
date: Fri, 21 Apr 2023 22:52:48 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
pragma: no-cache
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SzjChe5Y39xIlMz595gzb62mEWMJIopAdeMeqID099%2FBrvk%2F3w%2FodmHHFPnr6tn8uAU5R2RT4L8wSoy%2FhxckA76%2BbTmgRw1Q3pjUkL1eXfsh698IPVgSV34XVdrW9cvNTe9wn8MZ3d8tU7yBu0vSFuURjAF17kE%3D"}],"group":"cf-nel","max_age":604800}
server: cloudflare

GET
H2 404 app.76ff82e5.css
secure.americafirst.com/css/ 0
0 459ms
273ms Stylesheet
text/html 104.18.29.228
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://secure.americafirst.com/css/app.76ff82e5.css
Requested by: Host: helping-deskforquery.com
URL: https://helping-deskforquery.com/AFCU/login
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 104.18.29.228 -, , ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: /
Resource Hash

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://helping-deskforquery.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

GET
H3 200 chunk-vendors.eab46e62.css
helping-deskforquery.com/AFCU/assets/css/ 886 KB
94 KB 133ms
133ms Stylesheet
text/css 2606:4700:3030::6815:53e9
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://helping-deskforquery.com/AFCU/assets/css/chunk-vendors.eab46e62.css
Requested by: Host: helping-deskforquery.com
URL: https://helping-deskforquery.com/AFCU/login
Protocol: H3
Security: QUIC, , AES_128_GCM
Server: 2606:4700:3030::6815:53e9 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 3afdc7f310e2b1aab09770184598bd862fe4c0a042febc1e54f54c4b8e6a133c

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://helping-deskforquery.com/AFCU/login
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

date: Fri, 21 Apr 2023 22:52:48 GMT
content-encoding: br
cf-cache-status: REVALIDATED
last-modified: Fri, 25 Feb 2022 03:58:02 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Sqc0b1kF%2Bs56lWke5ZYuGEK%2F7FfeU4fY4WnZkbB7kpx4ewa5U0Tj2J1SF4SFLNxBQKLiARitM1xmIF95KiDrSPzT9KniRw6VESg1j3QZj2cDLVnBnA2LqBGzLN2yOQqVX3Vk%2BKc9Q5xumKvuxB3CtQ8KmX%2Bvk8Q%3D"}],"group":"cf-nel","max_age":604800}
content-type: text/css
cache-control: max-age=14400
cf-ray: 7bb933135b3a2bcf-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

GET
H2 404 app.48c40f3c.js
secure.americafirst.com/js/ 0
0 453ms
266ms Script
text/html 104.18.29.228
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://secure.americafirst.com/js/app.48c40f3c.js
Requested by: Host: helping-deskforquery.com
URL: https://helping-deskforquery.com/AFCU/login
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 104.18.29.228 -, , ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: /
Resource Hash

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://helping-deskforquery.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

GET
H2 404 chunk-vendors.662cf618.js
secure.americafirst.com/js/ 0
0 455ms
268ms Script
text/html 104.18.29.228
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://secure.americafirst.com/js/chunk-vendors.662cf618.js
Requested by: Host: helping-deskforquery.com
URL: https://helping-deskforquery.com/AFCU/login
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 104.18.29.228 -, , ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: /
Resource Hash

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://helping-deskforquery.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

GET
H3 200 2.css
helping-deskforquery.com/AFCU/assets/css/ 700 KB
91 KB 150ms
149ms Stylesheet
text/css 2606:4700:3030::6815:53e9
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://helping-deskforquery.com/AFCU/assets/css/2.css
Requested by: Host: helping-deskforquery.com
URL: https://helping-deskforquery.com/AFCU/login
Protocol: H3
Security: QUIC, , AES_128_GCM
Server: 2606:4700:3030::6815:53e9 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 6bec0843de82ee85e6cd579670cba1d1956913ac3933142e78bde4f42a0582df

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://helping-deskforquery.com/AFCU/login
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

date: Fri, 21 Apr 2023 22:52:48 GMT
content-encoding: br
cf-cache-status: REVALIDATED
last-modified: Fri, 25 Feb 2022 04:00:56 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UPT%2FgskYMy6hdUb7aJlMRA%2Fa1gi7muF9EviYKjGsEqvSiIrXRrVJLDyVU%2Fu7XVdND%2FFZpu00mPHl%2FyffmSubCY0gzi28h9pLMViwOmoIyxdSrbDVlu%2B8DkKhOA67iJzhguPKV3EY4vJvF9s5WACWzIVNAdTt7yE%3D"}],"group":"cf-nel","max_age":604800}
content-type: text/css
cache-control: max-age=14400
cf-ray: 7bb933135b3c2bcf-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

GET
DATA 200
OK truncated
/ 3 KB
0 Image
image/png

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: 83b34f00b6612015c941c3865d2c047ae5ce567f13530491ac4ed773b13b1bd3

Request headers

accept-language: de-DE,de;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

Content-Type: image/png

GET
H2 200 logo-desktop-inverse.a3a99f3a.png
secure.americafirst.com/img/ 9 KB
9 KB 302ms
185ms Image
image/png 104.18.29.228
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://secure.americafirst.com/img/logo-desktop-inverse.a3a99f3a.png

Requested by

Host: helping-deskforquery.com
URL: https://helping-deskforquery.com/AFCU/login

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

104.18.29.228 -, , ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

c9a0078a7b8e70e1437317247095c89510a6c40bdb3bb37a26318133e2c1ab54

Security Headers

Name	Value
Strict-Transport-Security	max-age=2592000

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://helping-deskforquery.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

date: Fri, 21 Apr 2023 22:52:48 GMT
strict-transport-security: max-age=2592000
cf-cache-status: HIT
last-modified: Fri, 14 Oct 2022 03:48:34 GMT
server: cloudflare
etag: W/"8898-1665719314000"
vary: Accept-Encoding
content-type: image/png
x-oneagent-js-injection: true
cache-control: public, max-age=14400
server-timing: dtRpid;desc="-1035540807", dtSInfo;desc="0"
accept-ranges: bytes
cf-ray: 7bb933148a3c35e5-FRA
content-length: 8898
expires: Sat, 22 Apr 2023 02:52:48 GMT

GET
DATA 200
OK truncated
/ 2 KB
0 Image
image/png

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: a6690102b24638424202c679e3c3fafe83bdaa641e40dca06968bcad77f70821

Request headers

accept-language: de-DE,de;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

Content-Type: image/png

GET
DATA 200
OK truncated
/ 3 KB
0 Image
image/png

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: df808b2ea829eac97e99d46d91fa6a005269d58a9dfd57ff40f7084e6f027f7b

Request headers

accept-language: de-DE,de;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

Content-Type: image/png

GET
H2 200 jquery.min.js Show response
ajax.googleapis.com/ajax/libs/jquery/3.5.1/ 87 KB
31 KB 147ms
37ms Script
text/javascript 2a00:1450:4001:828::200a
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js

Requested by

Host: helping-deskforquery.com
URL: https://helping-deskforquery.com/AFCU/login

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:828::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

sffe /

Resource Hash

f7f6a5894f1d19ddad6fa392b2ece2c5e578cbf7da4ea805b6885eb6985b6e3d

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://helping-deskforquery.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

date: Thu, 20 Apr 2023 01:19:29 GMT
content-encoding: gzip
x-content-type-options: nosniff
age: 163999
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/hosted-libraries-pushers
cross-origin-resource-policy: cross-origin
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
content-length: 31021
x-xss-protection: 0
last-modified: Fri, 08 May 2020 07:05:03 GMT
server: sffe
cross-origin-opener-policy: same-origin; report-to="hosted-libraries-pushers"
vary: Accept-Encoding
report-to: {"group":"hosted-libraries-pushers","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers"}]}
content-type: text/javascript; charset=UTF-8
access-control-allow-origin: *
cache-control: public, max-age=31536000, stale-while-revalidate=2592000
accept-ranges: bytes
timing-allow-origin: *
expires: Fri, 19 Apr 2024 01:19:29 GMT

GET
DATA 200
OK truncated
/ 3 KB
0 Image
image/png

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: 986dae282bc4d35f7234bbf7c3eafd4b4bb990b89143be1f5c8a8aa4a04ee2b4

Request headers

accept-language: de-DE,de;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36

Response headers

Content-Type: image/png

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Generic Cloudflare (Online) America First Credit Union (Banking)

3 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

boolean| credentialless function| $ function| jQuery

4 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Domain/Path	Expires	Name / Value
.helping-deskforquery.com/	1970-01-20 11:16:43	Name: __cf_mw_byp Value: ZqRez7g8hv9HAGsCGaz4Tbbu80k0j2op6k2XHEOtGfQ-1682117561-0-/AFCU/login
helping-deskforquery.com/	1970-01-20 11:15:21	Name: chk Value: test
helping-deskforquery.com/	1969-12-31 23:59:59	Name: PHPSESSID Value: 25263480de74d7952a3b7d06f5a7c671
.americafirst.com/	1970-01-20 11:15:19	Name: __cf_bm Value: ATdD6o24PI4wtn7CqDsWqteMF3tr6lJ4k.Pn1vUWdzs-1682117568-0-AV3qcp62pj39LmlZBAVz8cctNDCymTJvbjk1vEf4JpdM9/oY/gTB0678o4H0zHSOoiVtaMxB8rcwbl7u0JJgUns=

3 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
network	error	URL: https://secure.americafirst.com/js/app.48c40f3c.js Message: Failed to load resource: the server responded with a status of 404 ()
network	error	URL: https://secure.americafirst.com/js/chunk-vendors.662cf618.js Message: Failed to load resource: the server responded with a status of 404 ()
network	error	URL: https://secure.americafirst.com/css/app.76ff82e5.css Message: Failed to load resource: the server responded with a status of 404 ()

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

ajax.googleapis.com
helping-deskforquery.com
secure.americafirst.com
www.redheadsinc.com
104.18.29.228
104.196.59.135
2606:4700:3030::6815:53e9
2a00:1450:4001:828::200a
1103290e25ebda2712abe344a87facbac00ddaba712729be9fe5feef807bf91b
132be03c8c9db7608f259244074dc7aea6860a22020c4a6a1786dda4bc80a664
2be19a8b52fbf9826f39491fe2110fc04dd6a5e9fb713a000c2660afbf5c910b
3afdc7f310e2b1aab09770184598bd862fe4c0a042febc1e54f54c4b8e6a133c
6bec0843de82ee85e6cd579670cba1d1956913ac3933142e78bde4f42a0582df
83b34f00b6612015c941c3865d2c047ae5ce567f13530491ac4ed773b13b1bd3
986dae282bc4d35f7234bbf7c3eafd4b4bb990b89143be1f5c8a8aa4a04ee2b4
a6690102b24638424202c679e3c3fafe83bdaa641e40dca06968bcad77f70821
c9a0078a7b8e70e1437317247095c89510a6c40bdb3bb37a26318133e2c1ab54
d65875873cabc4fb2d0b8c78fd8c179725cb5fb9ac598fe7a81a526a16db6452
df808b2ea829eac97e99d46d91fa6a005269d58a9dfd57ff40f7084e6f027f7b
f1591a5221136c49438642155691ae6c68e25b7241f3d7ebe975b09a77662016
f7f6a5894f1d19ddad6fa392b2ece2c5e578cbf7da4ea805b6885eb6985b6e3d

helping-deskforquery.com Open in urlscan Pro 2606:4700:3030::6815:53e9 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Detected technologies

Page Statistics

13 Requests

92 %HTTPS

50 %IPv6

4 Domains

4 Subdomains

5 IPs

3 Countries

250 kBTransfer

1785 kBSize

4 Cookies

11 Outgoing links

Page URL History

Redirected requests

13 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 4 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

3 JavaScript Global Variables

4 Cookies

3 Console Messages

Indicators

helping-deskforquery.com Open in urlscan Pro
2606:4700:3030::6815:53e9 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

13
Requests

92 %
HTTPS

50 %
IPv6

4
Domains

4
Subdomains

5
IPs

3
Countries

250 kB
Transfer

1785 kB
Size

4
Cookies

13 HTTP transactions
4 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!