standardbank.tunnelto.dev

Summary

This website contacted 1 IPs in 2 countries across 2 domains to perform 5 HTTP transactions. The main IP is 2a09:8280:1:48de:ca2b:6d39:9790:f0da, located in United States and belongs to FLY, US. The main domain is standardbank.tunnelto.dev.
TLS certificate: Issued by R3 on January 20th 2024. Valid for: 3 months.

This is the only time standardbank.tunnelto.dev was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Standard Bank (Banking)

Domain & IP information

	IP Address	AS Autonomous System
1 1	2a02:4780:23:... 2a02:4780:23:7ad9:92d4:3c7a:32d2:3273	47583 (AS-HOSTINGER) (AS-HOSTINGER)
1 6	2a09:8280:1:4... 2a09:8280:1:48de:ca2b:6d39:9790:f0da	40509 (FLY) (FLY)
5	1

1 2a02:4780:23:7ad9:92d4:3c7a:32d2:3273 (Meppel, Netherlands) 1 redirects

ASN47583 (AS-HOSTINGER, CY)

www.standardbk.click	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

6 2a09:8280:1:48de:ca2b:6d39:9790:f0da (United States) 1 redirects

ASN40509 (FLY, US)

standardbank.tunnelto.dev	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
6	tunnelto.dev 1 redirects standardbank.tunnelto.dev	24 KB
1	standardbk.click 1 redirects www.standardbk.click	362 B
5	2

	Domain	Requested by
6	standardbank.tunnelto.dev	1 redirects standardbank.tunnelto.dev
1	www.standardbk.click	1 redirects
5	2

This site contains no links.

Subject Issuer	Validity	Valid
*.tunnelto.dev R3	`2024-01-20` - `2024-04-19`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://standardbank.tunnelto.dev/standardBank/standard/app/password.php
Frame ID: B0EAA559E9C17448B41997F4EB8C50AB
Requests: 5 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Sign in

Page URL History Show full URLs

https://www.standardbk.click/ HTTP 302
https://standardbank.tunnelto.dev/standardBank/standard/ HTTP 302
https://standardbank.tunnelto.dev/standardBank/standard/app/password.php Page URL

Detected technologies

PHP (Programming Languages) Expand

Overall confidence: 100%
Detected patterns

\.php(?:$|\?)

Page Statistics

5
Requests

100 %
HTTPS

100 %
IPv6

2
Domains

2
Subdomains

1
IPs

2
Countries

23 kB
Transfer

63 kB
Size

1
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://www.standardbk.click/ HTTP 302
https://standardbank.tunnelto.dev/standardBank/standard/ HTTP 302
https://standardbank.tunnelto.dev/standardBank/standard/app/password.php Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

5 HTTP transactions
0 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H2	200	Primary Request password.php Show response standardbank.tunnelto.dev/standardBank/standard/app/ Redirect Chain https://www.standardbk.click/ https://standardbank.tunnelto.dev/standardBank/standard/ https://standardbank.tunnelto.dev/standardBank/standard/app/password.php	4 KB 2 KB	1584ms 1584ms	Document text/html	2a09:8280:1:48de:ca2b:6d39:9790:f0da FLY
General Check archive.org Show headers Download Go to Full URL https://standardbank.tunnelto.dev/standardBank/standard/app/password.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2a09:8280:1:48de:ca2b:6d39:9790:f0da , United States, ASN40509 (FLY, US), Reverse DNS Software Fly/ba9e227a (2024-01-26) / PHP/8.0.30 Resource Hash `44d7c44d0c97501cae51f0cd180f75031463fcf366f0adb687808e2948ca8c9d` Request headers Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36 accept-language nl-NL,nl;q=0.9 Response headers cache-control no-store, no-cache, must-revalidate content-encoding br content-type text/html; charset=UTF-8 date Fri, 09 Feb 2024 09:05:13 GMT expires Thu, 19 Nov 1981 08:52:00 GMT fly-request-id 01HP6HT7FG9C2XCJRM7JNFE7SG-ams pragma no-cache server Fly/ba9e227a (2024-01-26) via 2 fly.io x-powered-by PHP/8.0.30 Redirect headers cache-control no-store, no-cache, must-revalidate content-length 0 content-type text/html; charset=UTF-8 date Fri, 09 Feb 2024 09:05:11 GMT expires Thu, 19 Nov 1981 08:52:00 GMT fly-request-id 01HP6HT503DCCCNC10XFGG8DBS-ams location ./app/password.php pragma no-cache server Fly/ba9e227a (2024-01-26) via 2 fly.io x-powered-by PHP/8.0.30
GET H2	200	bundle.css standardbank.tunnelto.dev/standardBank/standard/libraries/css/	11 KB 4 KB	4549ms 4548ms	Stylesheet text/css	2a09:8280:1:48de:ca2b:6d39:9790:f0da FLY
General Check archive.org Show headers Download Go to Full URL https://standardbank.tunnelto.dev/standardBank/standard/libraries/css/bundle.css Requested by Host: standardbank.tunnelto.dev URL: https://standardbank.tunnelto.dev/standardBank/standard/app/password.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2a09:8280:1:48de:ca2b:6d39:9790:f0da , United States, ASN40509 (FLY, US), Reverse DNS Software Fly/ba9e227a (2024-01-26) / Resource Hash `de0155180c337684426db0246ce969f3ac30caf43499f932fe45e0b7ad003628` Request headers accept-language nl-NL,nl;q=0.9 Referer https://standardbank.tunnelto.dev/standardBank/standard/app/password.php User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36 Response headers date Fri, 09 Feb 2024 09:05:18 GMT content-encoding br via 2 fly.io last-modified Sun, 05 Dec 2021 01:33:00 GMT server Fly/ba9e227a (2024-01-26) fly-request-id 01HP6HT913FVHS2E9V2AMSJ2M1-ams etag "2dd9-5d25c1eda4b00" content-type text/css accept-ranges bytes
GET H2	200	ionic.bundle.css standardbank.tunnelto.dev/standardBank/standard/libraries/css/	19 KB 5 KB	1535ms 1535ms	Stylesheet text/css	2a09:8280:1:48de:ca2b:6d39:9790:f0da FLY
General Check archive.org Show headers Download Go to Full URL https://standardbank.tunnelto.dev/standardBank/standard/libraries/css/ionic.bundle.css Requested by Host: standardbank.tunnelto.dev URL: https://standardbank.tunnelto.dev/standardBank/standard/app/password.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2a09:8280:1:48de:ca2b:6d39:9790:f0da , United States, ASN40509 (FLY, US), Reverse DNS Software Fly/ba9e227a (2024-01-26) / Resource Hash `3789296a3c60f4cfa82fd3c139d1d7ef968a06a4bab871f679562121a5869b44` Request headers accept-language nl-NL,nl;q=0.9 Referer https://standardbank.tunnelto.dev/standardBank/standard/app/password.php User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36 Response headers date Fri, 09 Feb 2024 09:05:15 GMT content-encoding br via 2 fly.io last-modified Sun, 05 Dec 2021 01:15:08 GMT server Fly/ba9e227a (2024-01-26) fly-request-id 01HP6HT914G9F51221JCXEHQ23-ams etag "4a2b-5d25bdef4df00" content-type text/css accept-ranges bytes
GET H2	200	sbg.css standardbank.tunnelto.dev/standardBank/standard/libraries/css/	26 KB 9 KB	2536ms 2536ms	Stylesheet text/css	2a09:8280:1:48de:ca2b:6d39:9790:f0da FLY
General Check archive.org Show headers Download Go to Full URL https://standardbank.tunnelto.dev/standardBank/standard/libraries/css/sbg.css Requested by Host: standardbank.tunnelto.dev URL: https://standardbank.tunnelto.dev/standardBank/standard/app/password.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2a09:8280:1:48de:ca2b:6d39:9790:f0da , United States, ASN40509 (FLY, US), Reverse DNS Software Fly/ba9e227a (2024-01-26) / Resource Hash `c38cb2bd5c5a1f6c04f18f487bc6f488454aa2668777ab0d9e515cfdac74b78b` Request headers accept-language nl-NL,nl;q=0.9 Referer https://standardbank.tunnelto.dev/standardBank/standard/app/password.php User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36 Response headers date Fri, 09 Feb 2024 09:05:16 GMT content-encoding br via 2 fly.io last-modified Sun, 05 Dec 2021 02:37:58 GMT server Fly/ba9e227a (2024-01-26) fly-request-id 01HP6HT9145JYJJWRARCF61T88-ams etag "6619-5d25d07310d80" content-type text/css accept-ranges bytes
GET H2	200	sbg.png standardbank.tunnelto.dev/standardBank/standard/libraries/img/	3 KB 4 KB	3543ms 3542ms	Image image/png	2a09:8280:1:48de:ca2b:6d39:9790:f0da FLY
General Check archive.org Show headers Download Go to Show image Full URL https://standardbank.tunnelto.dev/standardBank/standard/libraries/img/sbg.png Requested by Host: standardbank.tunnelto.dev URL: https://standardbank.tunnelto.dev/standardBank/standard/app/password.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2a09:8280:1:48de:ca2b:6d39:9790:f0da , United States, ASN40509 (FLY, US), Reverse DNS Software Fly/ba9e227a (2024-01-26) / Resource Hash `1a3aac076d48e18c6bd7547ca190a9b705f78d38cfc61e5a00f391b642c5adab` Request headers accept-language nl-NL,nl;q=0.9 Referer https://standardbank.tunnelto.dev/standardBank/standard/app/password.php User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Safari/537.36 Response headers date Fri, 09 Feb 2024 09:05:17 GMT via 2 fly.io last-modified Sun, 05 Dec 2021 01:15:18 GMT server Fly/ba9e227a (2024-01-26) fly-request-id 01HP6HT914EN9PFKSNDPHZ6M36-ams etag "dae-5d25bdf8d7580" content-type image/png accept-ranges bytes content-length 3502

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Standard Bank (Banking)

0 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			standardbank.tunnelto.dev/	1969-12-31 23:59:59	Name: PHPSESSID Value: r17nmdvh6o7h4ejb9ufc6jcra1

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

standardbank.tunnelto.dev
www.standardbk.click
2a02:4780:23:7ad9:92d4:3c7a:32d2:3273
2a09:8280:1:48de:ca2b:6d39:9790:f0da
1a3aac076d48e18c6bd7547ca190a9b705f78d38cfc61e5a00f391b642c5adab
3789296a3c60f4cfa82fd3c139d1d7ef968a06a4bab871f679562121a5869b44
44d7c44d0c97501cae51f0cd180f75031463fcf366f0adb687808e2948ca8c9d
c38cb2bd5c5a1f6c04f18f487bc6f488454aa2668777ab0d9e515cfdac74b78b
de0155180c337684426db0246ce969f3ac30caf43499f932fe45e0b7ad003628

standardbank.tunnelto.dev Open in urlscan Pro 2a09:8280:1:48de:ca2b:6d39:9790:f0da Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Detected technologies

Page Statistics

5 Requests

100 %HTTPS

100 %IPv6

2 Domains

2 Subdomains

1 IPs

2 Countries

23 kBTransfer

63 kBSize

1 Cookies

0 Outgoing links

Page URL History

Redirected requests

5 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

0 JavaScript Global Variables

1 Cookies

Indicators

standardbank.tunnelto.dev Open in urlscan Pro
2a09:8280:1:48de:ca2b:6d39:9790:f0da Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

5
Requests

100 %
HTTPS

100 %
IPv6

2
Domains

2
Subdomains

1
IPs

2
Countries

23 kB
Transfer

63 kB
Size

1
Cookies

5 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!