fnbo.194-59-31-80.cprapid.com Open in urlscan Pro
194.59.31.80 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
http://fnbo.194-59-31-80.cprapid.com/
Effective URL:
https://fnbo.194-59-31-80.cprapid.com/login.php
Submission Tags: @ecarlesi threat phishing fnbo Search All
Submission: On June 25 via api (June 25th 2024, 8:41:11 pm UTC) from IT — Scanned from IT

Summary HTTP 11 Redirects Links 5 Behaviour Indicators

Summary

This website contacted 2 IPs in 1 countries across 2 domains to perform 11 HTTP transactions. The main IP is 194.59.31.80, located in Bulgaria and belongs to VIRTUO, CA. The main domain is fnbo.194-59-31-80.cprapid.com.
TLS certificate: Issued by R11 on June 25th 2024. Valid for: 3 months.

This is the only time fnbo.194-59-31-80.cprapid.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: First National Bank of Omaha (Banking)

Domain & IP information

	IP Address		AS Autonomous System
1 10	194.59.31.80 194.59.31.80		399486 (VIRTUO) (VIRTUO)
11	2

10 194.59.31.80 (Bulgaria) 1 redirects

ASN399486 (VIRTUO, CA)

fnbo.194-59-31-80.cprapid.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
10	cprapid.com 1 redirects fnbo.194-59-31-80.cprapid.com	253 KB
0	securebanklogin.com Failed auth.securebanklogin.com Failed www.securebanklogin.com Failed
11	2

	Domain	Requested by
10	fnbo.194-59-31-80.cprapid.com	1 redirects fnbo.194-59-31-80.cprapid.com
0	www.securebanklogin.com Failed
0	auth.securebanklogin.com Failed	fnbo.194-59-31-80.cprapid.com
11	3

This site contains links to these domains. Also see Links.

Domain
auth.securebanklogin.com
www.securebanklogin.com
www.fnbo.com

Subject Issuer	Validity	Valid
cpanel.fnbo.194-59-31-80.cprapid.com R11	`2024-06-25` - `2024-09-23`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://fnbo.194-59-31-80.cprapid.com/login.php
Frame ID: C969F9A470768B7CAF8C400969907006
Requests: 11 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Sign in

Page URL History Show full URLs

http://fnbo.194-59-31-80.cprapid.com/ HTTP 307
https://fnbo.194-59-31-80.cprapid.com/ HTTP 302
https://fnbo.194-59-31-80.cprapid.com/login.php Page URL

Detected technologies

PHP (Programming Languages) Expand

Overall confidence: 100%
Detected patterns

\.php(?:$|\?)

Page Statistics

11
Requests

82 %
HTTPS

0 %
IPv6

2
Domains

3
Subdomains

2
IPs

1
Countries

253 kB
Transfer

252 kB
Size

1
Cookies

5 Outgoing links

These are links going to different origins than the main page.

URL: https://auth.securebanklogin.com/?brand=fnbo
Title: Need help signing in?

Search URL Search Domain Scan URL

URL: https://www.securebanklogin.com/auth/fnbo/forgot-user-id
Title: Forgot User ID?

Search URL Search Domain Scan URL

URL: https://auth.securebanklogin.com/help/login
Title: Need help?

Search URL Search Domain Scan URL

URL: https://www.fnbo.com/privacy-policy/
Title: Privacy Policy

Search URL Search Domain Scan URL

URL: https://www.fnbo.com/security-center/
Title: Security Statement

Search URL Search Domain Scan URL

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

http://fnbo.194-59-31-80.cprapid.com/ HTTP 307
https://fnbo.194-59-31-80.cprapid.com/ HTTP 302
https://fnbo.194-59-31-80.cprapid.com/login.php Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

11 HTTP transactions
0 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H/1.1	200 OK	Primary Request login.php Show response fnbo.194-59-31-80.cprapid.com/ Redirect Chain http://fnbo.194-59-31-80.cprapid.com/ https://fnbo.194-59-31-80.cprapid.com/ https://fnbo.194-59-31-80.cprapid.com/login.php	14 KB 14 KB	382ms 382ms	Document text/html	194.59.31.80 VIRTUO
General Check archive.org Show headers Download Go to Full URL https://fnbo.194-59-31-80.cprapid.com/login.php Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 194.59.31.80 , Bulgaria, ASN399486 (VIRTUO, CA), Reverse DNS Software Apache / Resource Hash `5565f512aa63d117f4550e76339a1f1a0ac20b1f0a2a4da1b296417d95327f00` Request headers Accept-Language it-IT,it;q=0.9;q=0.9 Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Response headers Connection Keep-Alive Content-Type text/html; charset=UTF-8 Date Tue, 25 Jun 2024 20:41:07 GMT Keep-Alive timeout=5, max=99 Server Apache Transfer-Encoding chunked Redirect headers Connection Keep-Alive Content-Length 0 Content-Type text/html; charset=UTF-8 Date Tue, 25 Jun 2024 20:41:07 GMT Keep-Alive timeout=5, max=100 Server Apache location login.php
GET H/1.1	200 OK	okta-sign-in.min.css fnbo.194-59-31-80.cprapid.com/fnbo_files/	215 KB 216 KB	88ms 49ms	Stylesheet text/css	194.59.31.80 VIRTUO
General Check archive.org Show headers Download Go to Full URL https://fnbo.194-59-31-80.cprapid.com/fnbo_files/okta-sign-in.min.css Requested by Host: fnbo.194-59-31-80.cprapid.com URL: https://fnbo.194-59-31-80.cprapid.com/login.php Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 194.59.31.80 , Bulgaria, ASN399486 (VIRTUO, CA), Reverse DNS Software Apache / Resource Hash `ea8d801deb6776d5aaf273dfbc42d503fdaaa6f51c8934d0961e3f2a1ba13ceb` Request headers sec-ch-ua "Google Chrome";v="126", "Not:A-Brand";v="8", "Chromium";v="126" Referer https://fnbo.194-59-31-80.cprapid.com/login.php Accept-Language it-IT,it;q=0.9;q=0.9 sec-ch-ua-mobile ?0 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 sec-ch-ua-platform "Win32" Response headers Date Tue, 25 Jun 2024 20:41:07 GMT Last-Modified Mon, 22 May 2023 17:33:04 GMT Server Apache Content-Type text/css Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=98 Content-Length 220615
GET		/ auth.securebanklogin.com/	0 0

GET H/1.1	200 OK	custom-signin.241e0fb439244dc50c5929c0513a6765.css fnbo.194-59-31-80.cprapid.com/fnbo_files/	2 KB 2 KB	145ms 53ms	Stylesheet text/css	194.59.31.80 VIRTUO
General Check archive.org Show headers Download Go to Full URL https://fnbo.194-59-31-80.cprapid.com/fnbo_files/custom-signin.241e0fb439244dc50c5929c0513a6765.css Requested by Host: fnbo.194-59-31-80.cprapid.com URL: https://fnbo.194-59-31-80.cprapid.com/login.php Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 194.59.31.80 , Bulgaria, ASN399486 (VIRTUO, CA), Reverse DNS Software Apache / Resource Hash `dcc89f32e3f978bd4c2e313916b6267abd287eea87daec0e5c049150fd9062aa` Request headers sec-ch-ua "Google Chrome";v="126", "Not:A-Brand";v="8", "Chromium";v="126" Referer https://fnbo.194-59-31-80.cprapid.com/login.php Accept-Language it-IT,it;q=0.9;q=0.9 sec-ch-ua-mobile ?0 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 sec-ch-ua-platform "Win32" Response headers Date Tue, 25 Jun 2024 20:41:07 GMT Last-Modified Mon, 22 May 2023 17:33:04 GMT Server Apache Content-Type text/css Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=100 Content-Length 1866
GET H/1.1	200 OK	fnbo-simple-green.svg fnbo.194-59-31-80.cprapid.com/fnbo_files/	2 KB 2 KB	172ms 62ms	Image image/svg+xml	194.59.31.80 VIRTUO
General Check archive.org Show headers Download Go to Show image Full URL https://fnbo.194-59-31-80.cprapid.com/fnbo_files/fnbo-simple-green.svg Requested by Host: fnbo.194-59-31-80.cprapid.com URL: https://fnbo.194-59-31-80.cprapid.com/login.php Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 194.59.31.80 , Bulgaria, ASN399486 (VIRTUO, CA), Reverse DNS Software Apache / Resource Hash `acf4af3d7cda611d7d3f64fffe00bde4c3ad92dd6bb45ba3596f085c674987c2` Request headers sec-ch-ua "Google Chrome";v="126", "Not:A-Brand";v="8", "Chromium";v="126" Referer https://fnbo.194-59-31-80.cprapid.com/login.php Accept-Language it-IT,it;q=0.9;q=0.9 sec-ch-ua-mobile ?0 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 sec-ch-ua-platform "Win32" Response headers Date Tue, 25 Jun 2024 20:41:07 GMT Last-Modified Mon, 22 May 2023 17:33:12 GMT Server Apache Content-Type image/svg+xml Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=100 Content-Length 1624
GET H/1.1	200 OK	logo-equal-housing-lender.png fnbo.194-59-31-80.cprapid.com/fnbo_files/	19 KB 19 KB	158ms 57ms	Image image/png	194.59.31.80 VIRTUO
General Check archive.org Show headers Download Go to Show image Full URL https://fnbo.194-59-31-80.cprapid.com/fnbo_files/logo-equal-housing-lender.png Requested by Host: fnbo.194-59-31-80.cprapid.com URL: https://fnbo.194-59-31-80.cprapid.com/login.php Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 194.59.31.80 , Bulgaria, ASN399486 (VIRTUO, CA), Reverse DNS Software Apache / Resource Hash `c605c016ef2e50c11792b9813e19ce69d04a85c39dfaa96d13b369ee7f002a59` Request headers sec-ch-ua "Google Chrome";v="126", "Not:A-Brand";v="8", "Chromium";v="126" Referer https://fnbo.194-59-31-80.cprapid.com/login.php Accept-Language it-IT,it;q=0.9;q=0.9 sec-ch-ua-mobile ?0 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 sec-ch-ua-platform "Win32" Response headers Date Tue, 25 Jun 2024 20:41:07 GMT Last-Modified Mon, 22 May 2023 17:33:14 GMT Server Apache Content-Type image/png Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=100 Content-Length 19437
GET H/1.1	404 Not Found	montserrat-okta-light-webfont.woff fnbo.194-59-31-80.cprapid.com/font/	0 0	45ms 44ms	Font text/html	194.59.31.80 VIRTUO
General Check archive.org Show headers Download Go to Full URL https://fnbo.194-59-31-80.cprapid.com/font/montserrat-okta-light-webfont.woff Requested by Host: fnbo.194-59-31-80.cprapid.com URL: https://fnbo.194-59-31-80.cprapid.com/fnbo_files/okta-sign-in.min.css Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 194.59.31.80 , Bulgaria, ASN399486 (VIRTUO, CA), Reverse DNS Software Apache / Resource Hash Request headers sec-ch-ua "Google Chrome";v="126", "Not:A-Brand";v="8", "Chromium";v="126" Referer https://fnbo.194-59-31-80.cprapid.com/fnbo_files/okta-sign-in.min.css Origin https://fnbo.194-59-31-80.cprapid.com Accept-Language it-IT,it;q=0.9;q=0.9 sec-ch-ua-mobile ?0 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 sec-ch-ua-platform "Win32" Response headers Date Tue, 25 Jun 2024 20:41:08 GMT Server Apache Connection Keep-Alive Keep-Alive timeout=5, max=97 Content-Length 315 Content-Type text/html; charset=iso-8859-1
GET H/1.1	404 Not Found	montserrat-okta-regular-webfont.woff fnbo.194-59-31-80.cprapid.com/font/	0 0	44ms 44ms	Font text/html	194.59.31.80 VIRTUO
General Check archive.org Show headers Download Go to Full URL https://fnbo.194-59-31-80.cprapid.com/font/montserrat-okta-regular-webfont.woff Requested by Host: fnbo.194-59-31-80.cprapid.com URL: https://fnbo.194-59-31-80.cprapid.com/fnbo_files/okta-sign-in.min.css Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 194.59.31.80 , Bulgaria, ASN399486 (VIRTUO, CA), Reverse DNS Software Apache / Resource Hash Request headers sec-ch-ua "Google Chrome";v="126", "Not:A-Brand";v="8", "Chromium";v="126" Referer https://fnbo.194-59-31-80.cprapid.com/fnbo_files/okta-sign-in.min.css Origin https://fnbo.194-59-31-80.cprapid.com Accept-Language it-IT,it;q=0.9;q=0.9 sec-ch-ua-mobile ?0 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 sec-ch-ua-platform "Win32" Response headers Date Tue, 25 Jun 2024 20:41:08 GMT Server Apache Connection Keep-Alive Keep-Alive timeout=5, max=99 Content-Length 315 Content-Type text/html; charset=iso-8859-1
GET		favicon.ico www.securebanklogin.com/	0 0

GET H/1.1	404 Not Found	montserrat-okta-regular-webfont.ttf fnbo.194-59-31-80.cprapid.com/font/	0 0	45ms 45ms	Font text/html	194.59.31.80 VIRTUO
General Check archive.org Show headers Download Go to Full URL https://fnbo.194-59-31-80.cprapid.com/font/montserrat-okta-regular-webfont.ttf Requested by Host: fnbo.194-59-31-80.cprapid.com URL: https://fnbo.194-59-31-80.cprapid.com/fnbo_files/okta-sign-in.min.css Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 194.59.31.80 , Bulgaria, ASN399486 (VIRTUO, CA), Reverse DNS Software Apache / Resource Hash Request headers sec-ch-ua "Google Chrome";v="126", "Not:A-Brand";v="8", "Chromium";v="126" Referer https://fnbo.194-59-31-80.cprapid.com/fnbo_files/okta-sign-in.min.css Origin https://fnbo.194-59-31-80.cprapid.com Accept-Language it-IT,it;q=0.9;q=0.9 sec-ch-ua-mobile ?0 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 sec-ch-ua-platform "Win32" Response headers Date Tue, 25 Jun 2024 20:41:08 GMT Server Apache Connection Keep-Alive Keep-Alive timeout=5, max=96 Content-Length 315 Content-Type text/html; charset=iso-8859-1
GET H/1.1	404 Not Found	montserrat-okta-light-webfont.ttf fnbo.194-59-31-80.cprapid.com/font/	0 0	42ms 42ms	Font text/html	194.59.31.80 VIRTUO
General Check archive.org Show headers Download Go to Full URL https://fnbo.194-59-31-80.cprapid.com/font/montserrat-okta-light-webfont.ttf Requested by Host: fnbo.194-59-31-80.cprapid.com URL: https://fnbo.194-59-31-80.cprapid.com/fnbo_files/okta-sign-in.min.css Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 194.59.31.80 , Bulgaria, ASN399486 (VIRTUO, CA), Reverse DNS Software Apache / Resource Hash Request headers sec-ch-ua "Google Chrome";v="126", "Not:A-Brand";v="8", "Chromium";v="126" Referer https://fnbo.194-59-31-80.cprapid.com/fnbo_files/okta-sign-in.min.css Origin https://fnbo.194-59-31-80.cprapid.com Accept-Language it-IT,it;q=0.9;q=0.9 sec-ch-ua-mobile ?0 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 sec-ch-ua-platform "Win32" Response headers Date Tue, 25 Jun 2024 20:41:08 GMT Server Apache Connection Keep-Alive Keep-Alive timeout=5, max=98 Content-Length 315 Content-Type text/html; charset=iso-8859-1

Failed requests

These URLs were requested, but there was no response received. You will also see them in the list above.

Domain: auth.securebanklogin.com
URL: https://auth.securebanklogin.com/?brand=fnbo

Domain: www.securebanklogin.com
URL: https://www.securebanklogin.com/favicon.ico

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: First National Bank of Omaha (Banking)

3 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

undefined| event object| fence object| sharedStorage

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			auth.securebanklogin.com/	1970-01-21 07:11:48	Name: DT Value: DI1fbyP5mhdT3Od5SMb4smrYQ

5 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
recommendation	warning	URL: https://fnbo.194-59-31-80.cprapid.com/login.php Message: [DOM] Found 2 elements with non-unique id #okta-signin-username: (More info: https://goo.gl/9p2vKq) %o %o
network	error	URL: https://fnbo.194-59-31-80.cprapid.com/font/montserrat-okta-regular-webfont.woff Message: Failed to load resource: the server responded with a status of 404 (Not Found)
network	error	URL: https://fnbo.194-59-31-80.cprapid.com/font/montserrat-okta-light-webfont.woff Message: Failed to load resource: the server responded with a status of 404 (Not Found)
network	error	URL: https://fnbo.194-59-31-80.cprapid.com/font/montserrat-okta-light-webfont.ttf Message: Failed to load resource: the server responded with a status of 404 (Not Found)
network	error	URL: https://fnbo.194-59-31-80.cprapid.com/font/montserrat-okta-regular-webfont.ttf Message: Failed to load resource: the server responded with a status of 404 (Not Found)

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

auth.securebanklogin.com
fnbo.194-59-31-80.cprapid.com
www.securebanklogin.com
auth.securebanklogin.com
www.securebanklogin.com
194.59.31.80
5565f512aa63d117f4550e76339a1f1a0ac20b1f0a2a4da1b296417d95327f00
acf4af3d7cda611d7d3f64fffe00bde4c3ad92dd6bb45ba3596f085c674987c2
c605c016ef2e50c11792b9813e19ce69d04a85c39dfaa96d13b369ee7f002a59
dcc89f32e3f978bd4c2e313916b6267abd287eea87daec0e5c049150fd9062aa
ea8d801deb6776d5aaf273dfbc42d503fdaaa6f51c8934d0961e3f2a1ba13ceb

fnbo.194-59-31-80.cprapid.com Open in urlscan Pro 194.59.31.80 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Detected technologies

Page Statistics

11 Requests

82 %HTTPS

0 %IPv6

2 Domains

3 Subdomains

2 IPs

1 Countries

253 kBTransfer

252 kBSize

1 Cookies

5 Outgoing links

Page URL History

Redirected requests

11 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Failed requests

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

3 JavaScript Global Variables

1 Cookies

5 Console Messages

Indicators

fnbo.194-59-31-80.cprapid.com Open in urlscan Pro
194.59.31.80 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

11
Requests

82 %
HTTPS

0 %
IPv6

2
Domains

3
Subdomains

2
IPs

1
Countries

253 kB
Transfer

252 kB
Size

1
Cookies

11 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!