booking.deal1941.bid Open in urlscan Pro
2606:4700:3035::ac43:9bcb Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

URL:
https://booking.deal1941.bid/secure-checkout/34514263
Submission: On December 01 via manual (December 1st 2023, 9:32:01 pm UTC) from US — Scanned from DE

Summary HTTP 8 Redirects Behaviour Indicators

Summary

This website contacted 3 IPs in 1 countries across 2 domains to perform 8 HTTP transactions. The main IP is 2606:4700:3035::ac43:9bcb, located in United States and belongs to CLOUDFLARENET, US. The main domain is booking.deal1941.bid.
TLS certificate: Issued by E1 on November 27th 2023. Valid for: 3 months.

This is the only time booking.deal1941.bid was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Booking (Travel)

Domain & IP information

	IP Address	AS Autonomous System
6	2606:4700:303... 2606:4700:3035::ac43:9bcb	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1	2600:9000:212... 2600:9000:2127:e000:5:bf05:acc0:93a1	16509 (AMAZON-02) (AMAZON-02)
8	3

6 2606:4700:3035::ac43:9bcb (United States)

ASN13335 (CLOUDFLARENET, US)

booking.deal1941.bid	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2600:9000:2127:e000:5:bf05:acc0:93a1 (United States)

ASN16509 (AMAZON-02, US)

cf.bstatic.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
6	deal1941.bid booking.deal1941.bid	57 KB
1	bstatic.com cf.bstatic.com — Cisco Umbrella Rank: 16074	30 KB
8	2

	Domain	Requested by
6	booking.deal1941.bid	booking.deal1941.bid
1	cf.bstatic.com	booking.deal1941.bid
8	2

This site contains no links.

Subject Issuer	Validity	Valid
deal1941.bid E1	`2023-11-27` - `2024-02-25`	3 months	crt.sh
*.bstatic.com DigiCert Global G2 TLS RSA SHA256 2020 CA1	`2023-09-13` - `2024-08-31`	a year	crt.sh

This page contains 2 frames:

Primary Page: https://booking.deal1941.bid/secure-checkout/34514263
Frame ID: 4DE91F366962CD16EC24FB0799469E99
Requests: 7 HTTP requests in this frame

Frame: https://booking.deal1941.bid/supportChatFrame/34514263
Frame ID: ECC8A66AA0C2A12B98F73AF604BE2363
Requests: 1 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Booking.com - Payment information

Page Statistics

8
Requests

88 %
HTTPS

100 %
IPv6

2
Domains

2
Subdomains

3
IPs

1
Countries

87 kB
Transfer

166 kB
Size

1
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Redirected requests

There were HTTP redirect chains for the following requests:

8 HTTP transactions
0 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H2 200 Primary Request 34514263 Show response
booking.deal1941.bid/secure-checkout/ 57 KB
14 KB 285ms
245ms Document
text/html 2606:4700:3035::ac43:9bcb
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://booking.deal1941.bid/secure-checkout/34514263
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700:3035::ac43:9bcb , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare / Express
Resource Hash: 403717e6f897ea1863084ece8ade956cee701070615931ac40e43d171ab873f7

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36
accept-language: de-DE,de;q=0.9

Response headers

alt-svc: h3=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray: 82ee709b5e7dbb86-FRA
content-encoding: br
content-type: text/html; charset=utf-8
date: Fri, 01 Dec 2023 21:31:56 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iqKV7igYkDbz9LSPUERETnAZQBZZJHXlrHOgpVVHKajNJGLQz7%2F4fQ7kbNxM2xmUHLSr0avdZmCYre%2BprraAO2i8INaECBRe3cbk4dP5AW%2B1wJEU4Isn%2FINcjiHb9mAQyJsxJqyJJzn%2B3f4lm1DqoqRLdQ%3D%3D"}],"group":"cf-nel","max_age":604800}
server: cloudflare
x-powered-by: Express

GET
H2 200 script.js Show response
booking.deal1941.bid/services/booking/js/ 12 KB
3 KB 108ms
107ms Script
application/javascript 2606:4700:3035::ac43:9bcb
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://booking.deal1941.bid/services/booking/js/script.js
Requested by: Host: booking.deal1941.bid
URL: https://booking.deal1941.bid/secure-checkout/34514263
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700:3035::ac43:9bcb , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare / Express
Resource Hash: 7af96b589c08faa9b3014d28497abd0b8e428307b8ec4b93f58977e9fd62905b

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://booking.deal1941.bid/secure-checkout/34514263
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36

Response headers

date: Fri, 01 Dec 2023 21:31:56 GMT
content-encoding: br
cf-cache-status: EXPIRED
last-modified: Sat, 19 Aug 2023 22:18:41 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
x-powered-by: Express
etag: W/"2fa7-18a0fe109e8"
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f7sZLa6j%2BfMcGjP%2FyWNDprtPJJWkVTZyx4fAQXQIME7iLuRZAZDSOzFPi4Y7jQKh4T41VpdNwNjs4ZqWv0p%2FrrX8QDxGgA3Ldw8oQDn%2BlSnSTzBJCFflBkeg6g%2FdFIGPxvYnkDOySppK3BiN9xkMiJb9bA%3D%3D"}],"group":"cf-nel","max_age":604800}
content-type: application/javascript; charset=UTF-8
cache-control: public, max-age=14400
cf-ray: 82ee709ce857bb86-FRA
alt-svc: h3=":443"; ma=86400

GET
H2 200 styles.css
booking.deal1941.bid/services/booking/css/ 32 KB
8 KB 135ms
134ms Stylesheet
text/css 2606:4700:3035::ac43:9bcb
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://booking.deal1941.bid/services/booking/css/styles.css
Requested by: Host: booking.deal1941.bid
URL: https://booking.deal1941.bid/secure-checkout/34514263
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700:3035::ac43:9bcb , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare / Express
Resource Hash: b2e3158656f24d0f69988896ea2facd530904745d286f84eadb67ceb2ce9d4c2

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://booking.deal1941.bid/secure-checkout/34514263
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36

Response headers

date: Fri, 01 Dec 2023 21:31:56 GMT
content-encoding: br
cf-cache-status: EXPIRED
last-modified: Sat, 19 Aug 2023 22:18:27 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
x-powered-by: Express
etag: W/"802a-18a0fe0d338"
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QkW9EGoVdRK1NqsOHxlDVl39ZL5dDMyY8RFtil4tJh3GvLiZqiLge5ls3EUg4ZRVT5NY2QDCAhjuE5SpIUNhcfpT0PN17iMzFYu9cxj9hrWLPCLMM8rZ7lFtnZ8A%2BUleEIEcBBTnLlFvD3ljQttPJmUCrw%3D%3D"}],"group":"cf-nel","max_age":604800}
content-type: text/css; charset=UTF-8
cache-control: public, max-age=14400
cf-ray: 82ee709ce856bb86-FRA
alt-svc: h3=":443"; ma=86400

GET
H2 200 417683578.jpg
cf.bstatic.com/xdata/images/hotel/max500/ 30 KB
30 KB 124ms
39ms Image
image/jpeg 2600:9000:2127:e000:5:bf05:acc0:93a1
AMAZON-02

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://cf.bstatic.com/xdata/images/hotel/max500/417683578.jpg?k=89504581220f39efad544f1db012e34bc19441b678ed950b5e29fbe05c69d825&o=&hp=1

Requested by

Host: booking.deal1941.bid
URL: https://booking.deal1941.bid/secure-checkout/34514263

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2600:9000:2127:e000:5:bf05:acc0:93a1 , United States, ASN16509 (AMAZON-02, US),

Reverse DNS

Software

nginx /

Resource Hash

7f6bbb1ac24b9f79dcf2c1b0ee651cb117eaffe5726f07400258949408e9a997

Security Headers

Name	Value
X-Xss-Protection	1; mode=block

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://booking.deal1941.bid/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36

Response headers

date: Tue, 28 Nov 2023 10:44:32 GMT
via: 1.1 db66f1cc00a415c34c42ad011b26850c.cloudfront.net (CloudFront)
server: nginx
x-amz-cf-pop: PRG50-C1
age: 298044
etag: "8e697e624b89a0a05829f43bbc946685c4999e54"
x-cache: Hit from cloudfront
content-language: 30525
access-control-allow-origin: *
content-type: image/jpeg
cache-control: max-age=2592000
timing-allow-origin: *
x-amz-cf-id: b-J5hA02y5O6dVt3c7LENi4dEmBczDR68S1t8IciCW0UM2q3Cfb6wQ==
x-xss-protection: 1; mode=block

GET
H2 200 support_parent.css
booking.deal1941.bid/css/ 5 KB
1 KB 1112ms
1112ms Stylesheet
text/css 2606:4700:3035::ac43:9bcb
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://booking.deal1941.bid/css/support_parent.css
Requested by: Host: booking.deal1941.bid
URL: https://booking.deal1941.bid/secure-checkout/34514263
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700:3035::ac43:9bcb , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare / Express
Resource Hash: 20f5cc0ebb84eb9bdeb82a9b908e9f922ab10ea415857c8b00b8302e00c61a5c

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://booking.deal1941.bid/secure-checkout/34514263
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36

Response headers

date: Fri, 01 Dec 2023 21:31:57 GMT
content-encoding: br
cf-cache-status: EXPIRED
last-modified: Wed, 23 Aug 2023 14:42:51 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
x-powered-by: Express
etag: W/"12b3-18a22d925f8"
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BroVl%2BVtKVe4JWLQoN6k04OS6xqjiIbgs1X3bNrOw%2B1LvuYTe5AnwHaVSveDK5%2FudHp5Uq1QEahgMkby81yx%2BdKv1ysT5IN6aRKs9DfK3MCAM4QZdk5%2BccXHESp1g5G%2B%2FFepVwIZS0csSLQAAAeTH1qc%2Bw%3D%3D"}],"group":"cf-nel","max_age":604800}
content-type: text/css; charset=UTF-8
cache-control: public, max-age=14400
cf-ray: 82ee709d0877bb86-FRA
alt-svc: h3=":443"; ma=86400

GET
H3 200 flags.png
booking.deal1941.bid/services/booking/images/ 30 KB
30 KB 117ms
117ms Image
image/png 2606:4700:3035::ac43:9bcb
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://booking.deal1941.bid/services/booking/images/flags.png
Requested by: Host: booking.deal1941.bid
URL: https://booking.deal1941.bid/secure-checkout/34514263
Protocol: H3
Security: QUIC, , AES_128_GCM
Server: 2606:4700:3035::ac43:9bcb , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare / Express
Resource Hash: fc78e1550450ab81964ef660b05cb14fb17e0b895b261925ad7e6e073502dfc4

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://booking.deal1941.bid/secure-checkout/34514263
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36

Response headers

date: Fri, 01 Dec 2023 21:31:56 GMT
cf-cache-status: EXPIRED
last-modified: Sat, 19 Aug 2023 22:18:33 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
x-powered-by: Express
etag: W/"77d8-18a0fe0eaa8"
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5GlTymMksTnsUMd2lDA3%2FfexidZaQ3QemQO930JdDxexGRjmv0WPST88fUYFo26AyNGeqvjkpcD1kAnl3UaZxNvF1iyrQDX%2B85yPuF04sWw8Y8M%2FnFUfiuHlnFhuRVOskhCPoi1KVyU%2F9RjWoJP2TeAVCg%3D%3D"}],"group":"cf-nel","max_age":604800}
content-type: image/png
cache-control: public, max-age=14400
accept-ranges: bytes
cf-ray: 82ee709dcf55f0ec-CDG
alt-svc: h3=":443"; ma=86400
content-length: 30680

GET 34514263
booking.deal1941.bid/supportChatFrame/ Frame ECC8 0
0

GET
H3 200 pluxurydarklord.svg
booking.deal1941.bid/img/ 1 KB
1 KB 89ms
88ms Image
image/svg+xml 2606:4700:3035::ac43:9bcb
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://booking.deal1941.bid/img/pluxurydarklord.svg
Requested by: Host: booking.deal1941.bid
URL: https://booking.deal1941.bid/css/support_parent.css
Protocol: H3
Security: QUIC, , AES_128_GCM
Server: 2606:4700:3035::ac43:9bcb , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare / Express
Resource Hash: fbb307bc48c763f9a4893ba918ca9a322f4e084dbb994504d526af90c1a4d1e9

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://booking.deal1941.bid/css/support_parent.css
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36

Response headers

date: Fri, 01 Dec 2023 21:31:57 GMT
content-encoding: br
cf-cache-status: EXPIRED
last-modified: Wed, 23 Aug 2023 14:41:00 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
x-powered-by: Express
etag: W/"4b6-18a22d77460"
vary: Accept-Encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jytMeNPu8y%2FASOP8aZJFSqn9TFyYTnDj88nlMGOvLtnw28WCHZDffSszKE0EFkXa%2BbPLGZoU2hMNmQCg4E7CVD3Pf3YezpR6qS5OTjJ00jGJcktZyBRLa6C6C%2BOJGV2d0r8tEr0ck8J%2BOcZFDboy0G8rzQ%3D%3D"}],"group":"cf-nel","max_age":604800}
content-type: image/svg+xml
cache-control: public, max-age=14400
cf-ray: 82ee70a40e81f0ec-CDG
alt-svc: h3=":443"; ma=86400

Failed requests

These URLs were requested, but there was no response received. You will also see them in the list above.

Domain: booking.deal1941.bid
URL: https://booking.deal1941.bid/supportChatFrame/34514263

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Booking (Travel)

2 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object| 0 object| documentPictureInPicture

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			booking.deal1941.bid/	1970-01-20 16:39:12	Name: connect.sid Value: s%3A56rkpY9-6uqJFd-b0mI8La6fkDGD0oGK.chGogLhEhxDKojo0sPDVWMVtu2g9j8NSwB0fl5Hcfrs

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

booking.deal1941.bid
cf.bstatic.com
booking.deal1941.bid
2600:9000:2127:e000:5:bf05:acc0:93a1
2606:4700:3035::ac43:9bcb
20f5cc0ebb84eb9bdeb82a9b908e9f922ab10ea415857c8b00b8302e00c61a5c
403717e6f897ea1863084ece8ade956cee701070615931ac40e43d171ab873f7
7af96b589c08faa9b3014d28497abd0b8e428307b8ec4b93f58977e9fd62905b
7f6bbb1ac24b9f79dcf2c1b0ee651cb117eaffe5726f07400258949408e9a997
b2e3158656f24d0f69988896ea2facd530904745d286f84eadb67ceb2ce9d4c2
fbb307bc48c763f9a4893ba918ca9a322f4e084dbb994504d526af90c1a4d1e9
fc78e1550450ab81964ef660b05cb14fb17e0b895b261925ad7e6e073502dfc4

booking.deal1941.bid Open in urlscan Pro 2606:4700:3035::ac43:9bcb Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page Statistics

8 Requests

88 %HTTPS

100 %IPv6

2 Domains

2 Subdomains

3 IPs

1 Countries

87 kBTransfer

166 kBSize

1 Cookies

0 Outgoing links

Redirected requests

8 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Failed requests

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

2 JavaScript Global Variables

1 Cookies

Indicators

booking.deal1941.bid Open in urlscan Pro
2606:4700:3035::ac43:9bcb Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

8
Requests

88 %
HTTPS

100 %
IPv6

2
Domains

2
Subdomains

3
IPs

1
Countries

87 kB
Transfer

166 kB
Size

1
Cookies

8 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!