urlscan.io logo urlscan.io
SecurityTrails logo

ip-148-72-208-220.ip.secureserver.net Open in urlscan Pro
148.72.208.220  Malicious Activity! Public Scan

Go To Rescan Add Verdict Report
Submitted URL: https://www.mahamanch.com/ckeditor/plugins/iframe/images/placeholder/eai9bo01oeb851ae423.php
Effective URL: https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHS...
Submission: On February 12 via manual from GB
 Behaviour Indicators
Similar DOM Content API
Verdicts

Summary

This website contacted 3 IPs in 1 countries across 3 domains to perform 14 HTTP transactions. The main IP is 148.72.208.220, located in Scottsdale, United States and belongs to AS-26496-GO-DADDY-COM-LLC, US. The main domain is ip-148-72-208-220.ip.secureserver.net.
TLS certificate: Issued by cPanel, Inc. Certification Authority on February 10th 2021. Valid for: a year.
This is the only time ip-148-72-208-220.ip.secureserver.net was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Royal Mail (Government)

Domain & IP information

IP Address AS Autonomous System
1 1 160.153.63.160 26496 (AS-26496-...)
7 148.72.208.220 26496 (AS-26496-...)
1 23.32.238.168 20940 (AKAMAI-ASN1)
14 3
Apex Domain
Subdomains		 Transfer
7 secureserver.net
ip-148-72-208-220.ip.secureserver.net
510 KB
1 royalmail.com
www.royalmail.com Failed
506 B
1 mahamanch.com
www.mahamanch.com
182 B
14 3
Domain Requested by
7 ip-148-72-208-220.ip.secureserver.net ip-148-72-208-220.ip.secureserver.net
1 www.royalmail.com ip-148-72-208-220.ip.secureserver.net
1 www.mahamanch.com 1 redirects
14 3

This site contains no links.

Subject Issuer Validity Valid
ip-148-72-208-220.ip.secureserver.net
cPanel, Inc. Certification Authority		 2021-02-10 -
2022-02-10		 a year crt.sh
*.royalmail.com
Entrust Certification Authority - L1K		 2020-09-25 -
2021-10-24		 a year crt.sh

This page contains 1 frames:

Primary Page: https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU
Frame ID: E510F2F43003C657F2FCBEEDBD2C6059
Requests: 14 HTTP requests in this frame

Screenshot
Live screenshot
Full Image

Page URL History Show full URLs

  1. https://www.mahamanch.com/ckeditor/plugins/iframe/images/placeholder/eai9bo01oeb851ae423.php HTTP 302
    https://ip-148-72-208-220.ip.secureserver.net/hot/ininin.php Page URL
  2. https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKl... Page URL

Detected technologies

Overall confidence: 100%
Detected patterns
  • url /\.php(?:$|\?)/i
Overall confidence: 100%
Detected patterns
  • headers server /(?:Apache(?:$|\/([\d.]+)|[^/-])|(?:^|\b)HTTPD)/i

Page Statistics

14
Requests

57 %
HTTPS

0 %
IPv6

3
Domains

3
Subdomains

3
IPs

1
Countries

511 kB
Transfer

508 kB
Size

1
Cookies

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

  1. https://www.mahamanch.com/ckeditor/plugins/iframe/images/placeholder/eai9bo01oeb851ae423.php HTTP 302
    https://ip-148-72-208-220.ip.secureserver.net/hot/ininin.php Page URL
  2. https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 0
  • https://www.mahamanch.com/ckeditor/plugins/iframe/images/placeholder/eai9bo01oeb851ae423.php HTTP 302
  • https://ip-148-72-208-220.ip.secureserver.net/hot/ininin.php

14 HTTP transactions

Resource
Path		 Size
x-fer		 Type
MIME-Type
Cookie set ininin.php
ip-148-72-208-220.ip.secureserver.net/hot/
Redirect Chain
  • https://www.mahamanch.com/ckeditor/plugins/iframe/images/placeholder/eai9bo01oeb851ae423.php
  • https://ip-148-72-208-220.ip.secureserver.net/hot/ininin.php
220 B
601 B 		Document
General
Check archive.org
Download Go to
Full URL
https://ip-148-72-208-220.ip.secureserver.net/hot/ininin.php
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_128_GCM
Server
148.72.208.220 Scottsdale, United States, ASN26496 (AS-26496-GO-DADDY-COM-LLC, US),
Reverse DNS
ip-148-72-208-220.ip.secureserver.net
Software
Apache /
Resource Hash
f11761c98076cffe2dd9e0c4891de5e5655aa6bab75c1df78ca7235fcf20c91a

Request headers

Host
ip-148-72-208-220.ip.secureserver.net
Connection
keep-alive
Pragma
no-cache
Cache-Control
no-cache
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site
none
Sec-Fetch-Mode
navigate
Sec-Fetch-User
?1
Sec-Fetch-Dest
document
Accept-Encoding
gzip, deflate, br
Accept-Language
en-US
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

Date
Fri, 12 Feb 2021 17:24:55 GMT
Server
Apache
Expires
Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control
no-store, no-cache, must-revalidate
Pragma
no-cache
Set-Cookie
PHPSESSID=8483e70669d0b7571f12c91a366afbea; path=/
Keep-Alive
timeout=5, max=100
Connection
Keep-Alive
Transfer-Encoding
chunked
Content-Type
text/html; charset=UTF-8

Redirect headers

date
Fri, 12 Feb 2021 17:24:55 GMT
server
Apache
x-powered-by
PHP/5.6.40
location
https://ip-148-72-208-220.ip.secureserver.net/hot/ininin.php
cache-control
max-age=604800
expires
Fri, 19 Feb 2021 17:24:55 GMT
vary
User-Agent
content-length
0
content-type
text/html; charset=UTF-8
Primary Request rm.php
ip-148-72-208-220.ip.secureserver.net/hot/ 		12 KB
12 KB 		Document
General
Check archive.org
Download Go to
Full URL
https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_128_GCM
Server
148.72.208.220 Scottsdale, United States, ASN26496 (AS-26496-GO-DADDY-COM-LLC, US),
Reverse DNS
ip-148-72-208-220.ip.secureserver.net
Software
Apache /
Resource Hash
b4d19d45a7e5e06d6800a0cf05059d4af6fe50366ee5f908c71648b348dc49ae

Request headers

Host
ip-148-72-208-220.ip.secureserver.net
Connection
keep-alive
Pragma
no-cache
Cache-Control
no-cache
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site
same-origin
Sec-Fetch-Mode
navigate
Sec-Fetch-Dest
document
Referer
https://ip-148-72-208-220.ip.secureserver.net/hot/ininin.php
Accept-Encoding
gzip, deflate, br
Accept-Language
en-US
Cookie
PHPSESSID=8483e70669d0b7571f12c91a366afbea
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Referer
https://ip-148-72-208-220.ip.secureserver.net/hot/ininin.php

Response headers

Date
Fri, 12 Feb 2021 17:24:56 GMT
Server
Apache
Keep-Alive
timeout=5, max=99
Connection
Keep-Alive
Transfer-Encoding
chunked
Content-Type
text/html; charset=UTF-8
css_2kSODmeFaX7ybMB6AeohAt_hNxiz95dKI0JJ2-F4f_k.css
ip-148-72-208-220.ip.secureserver.net/hot/royal/ 		26 KB
26 KB 		Stylesheet
General
Check archive.org
Download Go to
Full URL
https://ip-148-72-208-220.ip.secureserver.net/hot/royal/css_2kSODmeFaX7ybMB6AeohAt_hNxiz95dKI0JJ2-F4f_k.css
Requested by
Host: ip-148-72-208-220.ip.secureserver.net
URL: https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_128_GCM
Server
148.72.208.220 Scottsdale, United States, ASN26496 (AS-26496-GO-DADDY-COM-LLC, US),
Reverse DNS
ip-148-72-208-220.ip.secureserver.net
Software
Apache /
Resource Hash
be2571bafaac0daa6fa2ad8f230c626af7795b2d5b1731bfd14f1cba363d888e

Request headers

Referer
https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

Pragma
no-cache
Date
Fri, 12 Feb 2021 17:24:57 GMT
Last-Modified
Sun, 20 Dec 2020 14:20:10 GMT
Server
Apache
Content-Type
text/css
Cache-Control
no-cache, no-store, must-revalidate
Connection
Keep-Alive
Accept-Ranges
bytes
Keep-Alive
timeout=5, max=98
Content-Length
26581
Expires
0
css_w-rueMIDc5VsBMc9Q_W3R1vWBKMej67QaMzdxjOuGdE.css
ip-148-72-208-220.ip.secureserver.net/hot/royal/ 		445 KB
445 KB 		Stylesheet
General
Check archive.org
Download Go to
Full URL
https://ip-148-72-208-220.ip.secureserver.net/hot/royal/css_w-rueMIDc5VsBMc9Q_W3R1vWBKMej67QaMzdxjOuGdE.css
Requested by
Host: ip-148-72-208-220.ip.secureserver.net
URL: https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_128_GCM
Server
148.72.208.220 Scottsdale, United States, ASN26496 (AS-26496-GO-DADDY-COM-LLC, US),
Reverse DNS
ip-148-72-208-220.ip.secureserver.net
Software
Apache /
Resource Hash
5d24851d341c8c77ed098ba4b56638860dda6fa3fe0b4369fbf526045276ce8d

Request headers

Referer
https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

Pragma
no-cache
Date
Fri, 12 Feb 2021 17:24:57 GMT
Last-Modified
Sun, 20 Dec 2020 14:20:12 GMT
Server
Apache
Content-Type
text/css
Cache-Control
no-cache, no-store, must-revalidate
Connection
Keep-Alive
Accept-Ranges
bytes
Keep-Alive
timeout=5, max=97
Content-Length
455309
Expires
0
modernizr.minacee.js
ip-148-72-208-220.ip.secureserver.net/hot/royal/ 		5 KB
5 KB 		Script
General
Check archive.org
Download Go to
Full URL
https://ip-148-72-208-220.ip.secureserver.net/hot/royal/modernizr.minacee.js?v=3.3.1
Requested by
Host: ip-148-72-208-220.ip.secureserver.net
URL: https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_128_GCM
Server
148.72.208.220 Scottsdale, United States, ASN26496 (AS-26496-GO-DADDY-COM-LLC, US),
Reverse DNS
ip-148-72-208-220.ip.secureserver.net
Software
Apache /
Resource Hash
1e06b3b8ed8d91022c8192923eb0d0a913596d088312b8bdc0c3b6dd2361627a

Request headers

Referer
https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

Pragma
no-cache
Date
Fri, 12 Feb 2021 17:24:57 GMT
Last-Modified
Sun, 20 Dec 2020 14:20:16 GMT
Server
Apache
Content-Type
application/javascript
Cache-Control
no-cache, no-store, must-revalidate
Connection
Keep-Alive
Accept-Ranges
bytes
Keep-Alive
timeout=5, max=100
Content-Length
4680
Expires
0
logo.png
ip-148-72-208-220.ip.secureserver.net/hot/royal/ 		12 KB
13 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://ip-148-72-208-220.ip.secureserver.net/hot/royal/logo.png
Requested by
Host: ip-148-72-208-220.ip.secureserver.net
URL: https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_128_GCM
Server
148.72.208.220 Scottsdale, United States, ASN26496 (AS-26496-GO-DADDY-COM-LLC, US),
Reverse DNS
ip-148-72-208-220.ip.secureserver.net
Software
Apache /
Resource Hash
344b29deab56ac203aa9d4c258a097020f4b207da082f1267e2b9a4280903c34

Request headers

Referer
https://ip-148-72-208-220.ip.secureserver.net/hot/rm.php?action=confirm-delivery&trackID=puwQBFyZfrWKFaKcDnLBecCKkcPXmKpKlLzSSeekvqDNYTyDkojHSrjiOAU
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

Pragma
no-cache
Date
Fri, 12 Feb 2021 17:24:57 GMT
Last-Modified
Sun, 20 Dec 2020 14:20:16 GMT
Server
Apache
Content-Type
image/png
Cache-Control
no-cache, no-store, must-revalidate
Connection
Keep-Alive
Accept-Ranges
bytes
Keep-Alive
timeout=5, max=99
Content-Length
12718
Expires
0
chevin-medium.woff
www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-medium/ 		0
0
search-white.svg
www.royalmail.com/themes/custom/rmlcwr/icons_fill/ 		289 B
506 B 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://www.royalmail.com/themes/custom/rmlcwr/icons_fill/search-white.svg
Requested by
Host: ip-148-72-208-220.ip.secureserver.net
URL: https://ip-148-72-208-220.ip.secureserver.net/hot/royal/css_w-rueMIDc5VsBMc9Q_W3R1vWBKMej67QaMzdxjOuGdE.css
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
23.32.238.168 , United States, ASN20940 (AKAMAI-ASN1, NL),
Reverse DNS
a23-32-238-168.deploy.static.akamaitechnologies.com
Software
Akamai Resource Optimizer /
Resource Hash
51e0af0ef371a2295c8cf115b147bc14d729106bec94d4063463f15040720614
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN

Request headers

Referer
https://ip-148-72-208-220.ip.secureserver.net/hot/royal/css_w-rueMIDc5VsBMc9Q_W3R1vWBKMej67QaMzdxjOuGdE.css
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

x-cache-rule
ZStaticMaxAge
content-encoding
br
x-content-type-options
nosniff
last-modified
Thu, 11 Feb 2021 07:20:12 GMT
server
Akamai Resource Optimizer
date
Fri, 12 Feb 2021 17:25:00 GMT
x-frame-options
SAMEORIGIN
content-type
image/svg+xml
cache-control
max-age=1209600
x-cache-info
caching
server-timing
cdn-cache; desc=HIT, edge; dur=1
accept-ranges
bytes
content-length
198
expires
Fri, 26 Feb 2021 17:25:00 GMT
rml-textured-background.png
ip-148-72-208-220.ip.secureserver.net/themes/custom/rmlcwr/textures/ 		8 KB
8 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://ip-148-72-208-220.ip.secureserver.net/themes/custom/rmlcwr/textures/rml-textured-background.png
Requested by
Host: ip-148-72-208-220.ip.secureserver.net
URL: https://ip-148-72-208-220.ip.secureserver.net/hot/royal/css_w-rueMIDc5VsBMc9Q_W3R1vWBKMej67QaMzdxjOuGdE.css
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_128_GCM
Server
148.72.208.220 Scottsdale, United States, ASN26496 (AS-26496-GO-DADDY-COM-LLC, US),
Reverse DNS
ip-148-72-208-220.ip.secureserver.net
Software
Apache /
Resource Hash
4d7dbd47e9f1fe848206e59ae17847dfc50cf29f2a6dc4ab328f1d0dd59f5cc9

Request headers

Referer
https://ip-148-72-208-220.ip.secureserver.net/hot/royal/css_w-rueMIDc5VsBMc9Q_W3R1vWBKMej67QaMzdxjOuGdE.css
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

Pragma
no-cache
Date
Fri, 12 Feb 2021 17:24:59 GMT
Server
Apache
Transfer-Encoding
chunked
Content-Type
text/html
Cache-Control
no-cache, no-store, must-revalidate
Connection
Keep-Alive
Accept-Ranges
bytes
Keep-Alive
timeout=5, max=96
Expires
0
pfdintextstd-bold-webfont.woff
www.royalmail.com/themes/custom/rmlcwr/fonts/pf-din-text-std/pf-din-text-std-bold/ 		0
0
chevin-bold.woff
www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-bold/ 		0
0
chevin-medium.ttf
www.royalmail.com/themes/custom/rmlcwr/fonts/chevin-medium/ 		0
0
pfdintextstd-bold-webfont.ttf
www.royalmail.com/themes/custom/rmlcwr/fonts/pf-din-text-std/pf-din-text-std-bold/ 		0
0
chevin-bold.ttf
www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-bold/ 		0
0

Failed requests

These URLs were requested, but there was no response received. You will also see them in the list above.

Domain
www.royalmail.com
URL
https://www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-medium/chevin-medium.woff
Domain
www.royalmail.com
URL
https://www.royalmail.com/themes/custom/rmlcwr/fonts/pf-din-text-std/pf-din-text-std-bold/pfdintextstd-bold-webfont.woff
Domain
www.royalmail.com
URL
https://www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-bold/chevin-bold.woff
Domain
www.royalmail.com
URL
https://www.royalmail.com/themes/custom/rmlcwr/fonts/chevin-medium/chevin-medium.ttf
Domain
www.royalmail.com
URL
https://www.royalmail.com/themes/custom/rmlcwr/fonts/pf-din-text-std/pf-din-text-std-bold/pfdintextstd-bold-webfont.ttf
Domain
www.royalmail.com
URL
https://www.royalmail.com/themes/custom/rmlcwr/fonts/chevin/chevin-bold/chevin-bold.ttf

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Royal Mail (Government)

10 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object| ontransitionrun object| ontransitionstart object| ontransitioncancel object| cookieStore function| showDirectoryPicker function| showOpenFilePicker function| showSaveFilePicker object| trustedTypes boolean| crossOriginIsolated object| Modernizr

1 Cookies

Domain/Path Name / Value
ip-148-72-208-220.ip.secureserver.net/ Name: PHPSESSID
Value: 8483e70669d0b7571f12c91a366afbea