ip-148-72-208-220.ip.secureserver.net
148.72.208.220
Malicious Activity!
Public Scan
Effective URL: https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHS...
Submission: On February 12 via manual from GB
Summary
TLS certificate: Issued by cPanel, Inc. Certification Authority on February 10th 2021. Valid for: a year.
This is the only time ip-148-72-208-220.ip.secureserver.net was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Royal Mail (Government)
Domain & IP information
Requests | IP Address | AS (Autonomous System) | PTR | Domain
---|---|---|---|---
1 | 160.153.63.160 | ASN26496 (AS-26496-GO-DADDY-COM-LLC, US) | ip-160-153-63-160.ip.secureserver.net | www.mahamanch.com
7 | 148.72.208.220 | ASN26496 (AS-26496-GO-DADDY-COM-LLC, US) | ip-148-72-208-220.ip.secureserver.net | ip-148-72-208-220.ip.secureserver.net
1 | 23.32.238.168 | ASN20940 (AKAMAI-ASN1, NL) | a23-32-238-168.deploy.static.akamaitechnologies.com | www.royalmail.com
14 requests | 3 IP addresses | | |
Requests | Apex Domain | Subdomains | Transfer
---|---|---|---
7 | secureserver.net | ip-148-72-208-220.ip.secureserver.net | 510 KB
1 | royalmail.com | www.royalmail.com (Failed) | 506 B
1 | mahamanch.com | www.mahamanch.com (1 redirect) | 182 B
14 requests | 3 apex domains | |
Requests | Domain | Requested by
---|---|---
7 | ip-148-72-208-220.ip.secureserver.net | ip-148-72-208-220.ip.secureserver.net
1 | www.royalmail.com | ip-148-72-208-220.ip.secureserver.net
1 | www.mahamanch.com | (1 redirect)
14 requests | 3 domains |
This site contains no links.
Subject | Issuer | Validity | Valid | Source
---|---|---|---|---
ip-148-72-208-220.ip.secureserver.net | cPanel, Inc. Certification Authority | 2021-02-10 - 2022-02-10 | a year | crt.sh
*.royalmail.com | Entrust Certification Authority - L1K | 2020-09-25 - 2021-10-24 | a year | crt.sh
This page contains 1 frame:
Primary Page:
https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU
Frame ID: E510F2F43003C657F2FCBEEDBD2C6059
Requests: 14 HTTP requests in this frame
Detected technologies
- PHP (Programming Languages)
  Detected patterns: url /\.php(?:$|\?)/i
- Apache (Web Servers)
  Detected patterns: headers server /(?:Apache(?:$|\/([\d.]+)|[^/-])|(?:^|\b)HTTPD)/i
Page Statistics
0 Outgoing links
These are links going to different origins than the main page.
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
- https://www.mahamanch.com/ckeditor/plugins/iframe/images/placeholder/eai9bo01oeb851ae423.php (HTTP 302) -> https://ip-148-72-208-220.ip.secureserver.net/hot/ininin.php (Page URL)
- https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU (Page URL)
Redirected requests
There were HTTP redirect chains for the following requests:
Request Chain 0:
- https://www.mahamanch.com/ckeditor/plugins/iframe/images/placeholder/eai9bo01oeb851ae423.php (HTTP 302)
- https://ip-148-72-208-220.ip.secureserver.net/hot/ininin.php
14 HTTP transactions
Method | Protocol | Resource | Path | Size | x-fer | Type | MIME-Type | Notes
---|---|---|---|---|---|---|---|---
GET | H/1.1 | ininin.php | ip-148-72-208-220.ip.secureserver.net/hot/ | 220 B | 601 B | Document | text/html | Cookie set; Redirect Chain
GET | H/1.1 | rm.php | ip-148-72-208-220.ip.secureserver.net/hot/ | 12 KB | 12 KB | Document | text/html | Primary Request
GET | H/1.1 | css_2kSODmeFaX7ybMB6AeohAt_hNxiz95dKI0JJ2-F4f_k.css | ip-148-72-208-220.ip.secureserver.net/hot/royal/ | 26 KB | 26 KB | Stylesheet | text/css |
GET | H/1.1 | css_w-rueMIDc5VsBMc9Q_W3R1vWBKMej67QaMzdxjOuGdE.css | ip-148-72-208-220.ip.secureserver.net/hot/royal/ | 445 KB | 445 KB | Stylesheet | text/css |
GET | H/1.1 | modernizr.minacee.js | ip-148-72-208-220.ip.secureserver.net/hot/royal/ | 5 KB | 5 KB | Script | application/javascript |
GET | H/1.1 | logo.png | ip-148-72-208-220.ip.secureserver.net/hot/royal/ | 12 KB | 13 KB | Image | image/png |
GET | | chevin-medium.woff | www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-medium/ | 0 | 0 | | | no response
GET | H2 | search-white.svg | www.royalmail.com/themes/custom/rmlcwr/icons_fill/ | 289 B | 506 B | Image | image/svg+xml |
GET | H/1.1 | rml-textured-background.png | ip-148-72-208-220.ip.secureserver.net/themes/custom/rmlcwr/textures/ | 8 KB | 8 KB | Image | text/html |
GET | | pfdintextstd-bold-webfont.woff | www.royalmail.com/themes/custom/rmlcwr/fonts/pf-din-text-std/pf-din-text-std-bold/ | 0 | 0 | | | no response
GET | | chevin-bold.woff | www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-bold/ | 0 | 0 | | | no response
GET | | chevin-medium.ttf | www.royalmail.com/themes/custom/rmlcwr/fonts/chevin-medium/ | 0 | 0 | | | no response
GET | | pfdintextstd-bold-webfont.ttf | www.royalmail.com/themes/custom/rmlcwr/fonts/pf-din-text-std/pf-din-text-std-bold/ | 0 | 0 | | | no response
GET | | chevin-bold.ttf | www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-bold/ | 0 | 0 | | | no response
Failed requests
These URLs were requested, but there was no response received. You will also see them in the list above.
- www.royalmail.com: https://www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-medium/chevin-medium.woff
- www.royalmail.com: https://www.royalmail.com/themes/custom/rmlcwr/fonts/pf-din-text-std/pf-din-text-std-bold/pfdintextstd-bold-webfont.woff
- www.royalmail.com: https://www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-bold/chevin-bold.woff
- www.royalmail.com: https://www.royalmail.com/themes/custom/rmlcwr/fonts/chevin-medium/chevin-medium.ttf
- www.royalmail.com: https://www.royalmail.com/themes/custom/rmlcwr/fonts/pf-din-text-std/pf-din-text-std-bold/pfdintextstd-bold-webfont.ttf
- www.royalmail.com: https://www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-bold/chevin-bold.ttf
Verdicts & Comments
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Royal Mail (Government)
10 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
Type | Name
---|---
object | ontransitionrun
object | ontransitionstart
object | ontransitioncancel
object | cookieStore
function | showDirectoryPicker
function | showOpenFilePicker
function | showSaveFilePicker
object | trustedTypes
boolean | crossOriginIsolated
object | Modernizr
1 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Domain/Path | Expires | Name | Value
---|---|---|---
ip-148-72-208-220.ip.secureserver.net/ | | PHPSESSID | 8483e70669d0b7571f12c91a366afbea
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
ip-148-72-208-220.ip.secureserver.net
www.mahamanch.com
www.royalmail.com
148.72.208.220
160.153.63.160
23.32.238.168