![](/screenshots/fdd6d164-1e1b-4c09-9071-9918c0bcabc9.png)
r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app
Open in
urlscan Pro
145.40.68.46
Malicious Activity!
Public Scan
Effective URL: https://r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app/login.html?bdjtxjqtk=5a99qxvdptpp3pxhwrvszu<yigcfsns=cinfpxkoffolprxljhqwb7bt19kh&gnxtwhq=bqvf...
Submission Tags: phishing
Submission: On August 10 via api from US — Scanned from NL
Summary
TLS certificate: Issued by R3 on July 12th 2022. Valid for: 3 months.
This is the only time r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Yahoo (Online)Domain & IP information
IP Address | AS Autonomous System | ||
---|---|---|---|
1 | 145.40.68.46 145.40.68.46 | 54825 (PACKET) (PACKET) | |
2 | 2a00:1288:110... 2a00:1288:110:c204::b000 | 34010 (YAHOO-IRD) (YAHOO-IRD) | |
3 | 2a00:1288:f03... 2a00:1288:f03d:1fa::4000 | 10310 (YAHOO-1) (YAHOO-1) | |
1 | 13.32.121.21 13.32.121.21 | 16509 (AMAZON-02) (AMAZON-02) | |
9 | 5 |
ASN54825 (PACKET, US)
PTR: am6-bnm00
r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app |
ASN16509 (AMAZON-02, US)
PTR: server-13-32-121-21.fra60.r.cloudfront.net
sb.scorecardresearch.com |
Apex Domain Subdomains |
Transfer | |
---|---|---|
5 |
yahoo.com
udc.yahoo.com — Cisco Umbrella Rank: 2113 geo.yahoo.com — Cisco Umbrella Rank: 1234 fc.yahoo.com — Cisco Umbrella Rank: 1281 |
745 B |
1 |
scorecardresearch.com
sb.scorecardresearch.com — Cisco Umbrella Rank: 145 |
342 B |
1 |
ic0.app
r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app |
315 KB |
0 |
yimg.com
Failed
l.yimg.com Failed |
|
9 | 4 |
Domain | Requested by | |
---|---|---|
3 | fc.yahoo.com |
r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app
|
1 | sb.scorecardresearch.com |
r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app
|
1 | geo.yahoo.com |
r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app
|
1 | udc.yahoo.com |
r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app
|
1 | r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app | |
0 | l.yimg.com Failed |
r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app
|
9 | 6 |
This site contains links to these domains. Also see Links.
Domain |
---|
uk.yahoo.com |
policies.oath.com |
Subject Issuer | Validity | Valid | |
---|---|---|---|
boundary.dfinity.network R3 |
2022-07-12 - 2022-10-10 |
3 months | crt.sh |
yahoo.com DigiCert SHA2 High Assurance Server CA |
2022-07-12 - 2023-01-04 |
6 months | crt.sh |
ui.aps.ads.yahoo.com DigiCert SHA2 High Assurance Server CA |
2022-07-25 - 2022-09-14 |
2 months | crt.sh |
*.scorecardresearch.com Amazon |
2022-01-29 - 2023-02-27 |
a year | crt.sh |
This page contains 2 frames:
Primary Page:
https://r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app/login.html?bdjtxjqtk=5a99qxvdptpp3pxhwrvszu<yigcfsns=cinfpxkoffolprxljhqwb7bt19kh&gnxtwhq=bqvfxhpskrao8yvfmqtqhm9cpgww&lhklws=ssojdpilekao3ts4hc24zmwjle&vbjkwquxk=siwtouigicbltxho&thwv=qtsv12lkvwbthhn2c19b2mbaz5qj&otzdxwzver=ym3gmegknusba5b67hcqvxozmf&pbnaobcqx=6whydrkoxtpcu9twtjvafvtj2&eegvsqbsu=m4jf81fy9ndyvgl7gzcuxt
Frame ID: EB2465BCBDFE4611FE1074FF046D97E5
Requests: 15 HTTP requests in this frame
Frame:
data://truncated
Frame ID: 373A767ED62C8AA9F2EC4D3F4668A44B
Requests: 1 HTTP requests in this frame
Screenshot
![](/screenshots/fdd6d164-1e1b-4c09-9071-9918c0bcabc9.png)
Page Title
Yahoo – loginPage URL History Show full URLs
-
http://r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app/login.html?bdjtxjqtk=5a99qxvdptpp3pxhwrvszu<yigcfsns=cinfpxkoffolprxljhqwb...
HTTP 307
https://r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app/login.html?bdjtxjqtk=5a99qxvdptpp3pxhwrvszu<yigcfsns=cinfpxkoffolprxljhqwb... Page URL
Page Statistics
3 Outgoing links
These are links going to different origins than the main page.
Search URL Search Domain Scan URL
Title: Terms
Search URL Search Domain Scan URL
Title: Privacy
Search URL Search Domain Scan URL
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
-
http://r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app/login.html?bdjtxjqtk=5a99qxvdptpp3pxhwrvszu<yigcfsns=cinfpxkoffolprxljhqwb7bt19kh&gnxtwhq=bqvfxhpskrao8yvfmqtqhm9cpgww&lhklws=ssojdpilekao3ts4hc24zmwjle&vbjkwquxk=siwtouigicbltxho&thwv=qtsv12lkvwbthhn2c19b2mbaz5qj&otzdxwzver=ym3gmegknusba5b67hcqvxozmf&pbnaobcqx=6whydrkoxtpcu9twtjvafvtj2&eegvsqbsu=m4jf81fy9ndyvgl7gzcuxt
HTTP 307
https://r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app/login.html?bdjtxjqtk=5a99qxvdptpp3pxhwrvszu<yigcfsns=cinfpxkoffolprxljhqwb7bt19kh&gnxtwhq=bqvfxhpskrao8yvfmqtqhm9cpgww&lhklws=ssojdpilekao3ts4hc24zmwjle&vbjkwquxk=siwtouigicbltxho&thwv=qtsv12lkvwbthhn2c19b2mbaz5qj&otzdxwzver=ym3gmegknusba5b67hcqvxozmf&pbnaobcqx=6whydrkoxtpcu9twtjvafvtj2&eegvsqbsu=m4jf81fy9ndyvgl7gzcuxt Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
9 HTTP transactions
Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET H2 |
Primary Request
login.html
r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app/ Redirect Chain
|
453 KB 315 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
7 KB 0 |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET |
g-r-min.js
l.yimg.com/rq/darla/3-23-1/js/ |
0 0 |
|
||||||||||||||||||||||||||||||||||||||||||||||||||
GET |
g-r-min.js
l.yimg.com/rq/darla/3-23-1/js/ |
0 0 |
|
||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
205 KB 0 |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
46 KB 0 |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
1 KB 0 |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
POST H2 |
yql
udc.yahoo.com/v2/public/ |
0 299 B |
XHR
text/plain |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
POST H2 |
c
geo.yahoo.com/ |
43 B 446 B |
Ping
image/gif |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
client.php
fc.yahoo.com/sdarla/php/ |
0 0 |
Script
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
1 KB 0 |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ |
1 KB 0 |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
p
sb.scorecardresearch.com/ |
43 B 342 B |
Image
image/gif |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET DATA |
truncated
/ Frame 373A |
60 KB 0 |
Image
image/jpeg |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
client.php
fc.yahoo.com/sdarla/php/ |
0 0 |
Script
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
client.php
fc.yahoo.com/sdarla/php/ |
0 0 |
Script
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers |
Failed requests
These URLs were requested, but there was no response received. You will also see them in the list above.
- Domain
- l.yimg.com
- URL
- http://l.yimg.com/rq/darla/3-23-1/js/g-r-min.js
- Domain
- l.yimg.com
- URL
- http://l.yimg.com/rq/darla/3-23-1/js/g-r-min.js
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Yahoo (Online)34 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
object| 0 object| 1 object| oncontextlost object| oncontextrestored function| structuredClone object| launchQueue object| onbeforematch function| getScreenDetails function| queryLocalFonts object| navigation function| _0x2b76 function| _0x1928 object| Zlib number| pageStartTime undefined| DARLA object| $sf undefined| $yac boolean| sf_auto_3-10-7-2022 function| savepage_ShadowLoader function| templatePage object| I13N_config string| mKeyPrefix object| COUNTRY_CODES_MAP object| mbrConfig object| darlaConfig string| bucket string| currentURL string| doneURL boolean| isASDK string| comscoreBeaconUrl object| YAHOO object| rapidInstance number| lastApvTime object| DARLA_CONFIG1 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Domain/Path | Expires | Name / Value |
---|---|---|
.ic0.app/ | Name: rxx Value: 2efdxrw5r7n.2tv6ynpm&v=1 |
12 Console Messages
A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.
Source | Level | URL Text |
---|
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
fc.yahoo.com
geo.yahoo.com
l.yimg.com
r4jwn-5yaaa-aaaad-qdbjq-cai.raw.ic0.app
sb.scorecardresearch.com
udc.yahoo.com
l.yimg.com
13.32.121.21
145.40.68.46
2a00:1288:110:c204::b000
2a00:1288:f03d:1fa::4000
0fdefe26bac6a6b0b06fe67984582f887af70b7da25d6cb1b401f9074db58338
10b59e4a2b98df779964e859a6edaec936aadabae97f753c747fcbed7769efcf
11b4310df6e27428e7cf86f316abdc10148ac5cf3c8bbbd5b85c88b9f6290c59
4daf5a5ec393bf23d0d32fa4b01c58318cd56dc97c12d5cf4c6afb1efa682046
4f47ef8ff3dad2a78360ab207cf35ff2905622511c0426109f6e225052cf5637
84e4ea328500595da6141364964bb4d7a83023f2cd7072aadda7a47d2cc629f4
a8ce16e3e81873ddcc952b5029fdb0d75bd8e7e18df5a8ec098bfb96a9ac9d26
b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
c9ae70ecf66dc825ef19017652b75ac20c3324dae6bfb3cf08fe2666db1304b9
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855