![](/screenshots/ebe4cd57-22b7-44c7-98f4-e58d7783d4de.png)
nshvid.click
104.219.248.121
Malicious Activity!
Public Scan
Effective URL: https://nshvid.click/step1.php?diYfMZOf&inID=imoTPndyoEBiCtYREBkfMDePxpVutLwyidlVGNPQZI
Submission Tags: #phishing @ecarlesi
Submission: On November 08 via api from FI — Scanned from FI
Summary
TLS certificate: Issued by Sectigo RSA Domain Validation Secure ... on November 7th 2022. Valid for: a year.
This is the only time nshvid.click was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: NHS UK (Healthcare)

Domain & IP information
Requests | IP Address | AS Autonomous System |
---|---|---|
5 (1 redirects) | 104.219.248.121 | 22612 (NAMECHEAP-NET) |
1 | 69.16.175.10 | 20446 (STACKPATH-CDN) |
2 | 96.16.146.114 | 16625 (AKAMAI-AS) |
7 | 3 | |

ASN22612 (NAMECHEAP-NET, US)
PTR: server162-5.web-hosting.com
nshvid.click

ASN16625 (AKAMAI-AS, US)
PTR: a96-16-146-114.deploy.static.akamaitechnologies.com
assets.nhs.uk
Requests | Apex Domain | Subdomains | Transfer |
---|---|---|---|
5 | nshvid.click (1 redirects) | nshvid.click | 17 KB |
2 | assets.nhs.uk | assets.nhs.uk — Cisco Umbrella Rank: 63914 | 35 KB |
1 | jquery.com | code.jquery.com — Cisco Umbrella Rank: 959 | 30 KB |
7 | 3 | | |
Requests | Domain | Requested by |
---|---|---|
5 | nshvid.click (1 redirects) | nshvid.click |
2 | assets.nhs.uk | nshvid.click |
1 | code.jquery.com | nshvid.click |
7 | 3 | |
This site contains no links.
Subject | Issuer | Validity | Valid |
---|---|---|---|
nshvid.click | Sectigo RSA Domain Validation Secure Server CA | 2022-11-07 - 2023-11-07 | a year |
*.jquery.com | Sectigo RSA Domain Validation Secure Server CA | 2022-08-03 - 2023-07-14 | a year |
www.nhs.uk | DigiCert TLS RSA SHA256 2020 CA1 | 2022-08-02 - 2023-08-02 | a year |
This page contains 1 frames:
Primary Page:
https://nshvid.click/step1.php?diYfMZOf&inID=imoTPndyoEBiCtYREBkfMDePxpVutLwyidlVGNPQZI
Frame ID: 93309C4DA1A0834D28872E739C4D8EF9
Requests: 7 HTTP requests in this frame
Page Title
What is your name? - Book a coronavirus vaccination - NHS
Detected technologies
Detected patterns
- \.php(?:$|\?)
Detected patterns
- jquery[.-]([\d.]*\d)[^/]*\.js
- jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?
Page Statistics
0 Outgoing links
These are links going to different origins than the main page.
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
-
https://nshvid.click/
HTTP 302
https://nshvid.click/step1.php?diYfMZOf&inID=imoTPndyoEBiCtYREBkfMDePxpVutLwyidlVGNPQZI Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
7 HTTP transactions
Method | Protocol | Resource | Path | Size | x-fer | Type | MIME-Type |
---|---|---|---|---|---|---|---|
GET | H2 | step1.php (Primary Request) | nshvid.click/ (Redirect Chain) | 13 KB | 3 KB | Document | text/html |
GET | H2 | main.css | nshvid.click/css/ | 77 KB | 10 KB | Stylesheet | text/css |
GET | H2 | jquery-3.6.0.min.js | code.jquery.com/ | 87 KB | 30 KB | Script | application/javascript |
GET | H2 | jquery.redirect.js | nshvid.click/js/ | 6 KB | 2 KB | Script | application/javascript |
GET | H2 | functions.js | nshvid.click/js/ | 11 KB | 2 KB | Script | application/javascript |
GET | H2 | FrutigerLTW01-55Roman.woff2 | assets.nhs.uk/fonts/ | 17 KB | 17 KB | Font | application/octet-stream |
GET | H2 | FrutigerLTW01-65Bold.woff2 | assets.nhs.uk/fonts/ | 17 KB | 17 KB | Font | application/octet-stream |
Verdicts & Comments
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: NHS UK (Healthcare)

15 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
- object| onbeforeinput
- object| oncontextlost
- object| oncontextrestored
- function| structuredClone
- object| launchQueue
- object| onbeforematch
- function| getScreenDetails
- function| queryLocalFonts
- object| navigation
- function| $
- function| jQuery
- function| valid_credit_card
- function| clear_field
- function| submit
- function| expiry_format

1 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Domain/Path | Expires | Name / Value |
---|---|---|
nshvid.click/ | Name: PHPSESSID Value: e0a95d1e50fcfe66cbac728c6b585b0d |
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.