rebate-energybills.com

Summary

This website contacted 3 IPs in 2 countries across 3 domains to perform 6 HTTP transactions. The main IP is 176.53.160.8, located in Russian Federation and belongs to TIMEWEB-AS, RU. The main domain is rebate-energybills.com.

This is the only time rebate-energybills.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: UK Government (Government)

Domain & IP information

	IP Address	AS Autonomous System
1 3	176.53.160.8 176.53.160.8	9123 (TIMEWEB-AS) (TIMEWEB-AS)
2	2a04:4e42::144 2a04:4e42::144	54113 (FASTLY) (FASTLY)
2	2a04:4e42:200... 2a04:4e42:200::144	54113 (FASTLY) (FASTLY)
6	3

3 176.53.160.8 (Russian Federation) 1 redirects

ASN9123 (TIMEWEB-AS, RU)
PTR: 1007037-cl66231.tmweb.ru

rebate-energybills.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a04:4e42::144 (United States)

ASN54113 (FASTLY, US)

assets.publishing.service.gov.uk	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
www.gov.uk	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a04:4e42:200::144 (United States)

ASN54113 (FASTLY, US)

www.gov.uk	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
3	www.gov.uk www.gov.uk — Cisco Umbrella Rank: 31806	67 KB
3	rebate-energybills.com 1 redirects rebate-energybills.com	237 KB
1	service.gov.uk assets.publishing.service.gov.uk — Cisco Umbrella Rank: 89543	19 KB
6	3

	Domain	Requested by
3	www.gov.uk	rebate-energybills.com
3	rebate-energybills.com	1 redirects rebate-energybills.com
1	assets.publishing.service.gov.uk	rebate-energybills.com
6	3

This site contains links to these domains. Also see Links.

Domain
www.gov.uk
www.ofgem.gov.uk
costoflivingsupport.campaign.gov.uk
www.nationalarchives.gov.uk

Subject Issuer	Validity	Valid
www.gov.uk GlobalSign RSA OV SSL CA 2018	`2021-11-18` - `2022-12-20`	a year	crt.sh

This page contains 1 frames:

Primary Page: http://rebate-energybills.com/start.php?ZDNbQBOHMJU&inID=TeWbaMRjavJtohugxFArbWFAKqttkcyTrSMZjvBOrtCkQgjOwQDGG
Frame ID: CF08BDA8D9AADFD1C8DD7B9ED551EBD1
Requests: 6 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Energy Bills Support Scheme explainer - GOV.UK

Page URL History Show full URLs

http://rebate-energybills.com/ HTTP 302
http://rebate-energybills.com/start.php?ZDNbQBOHMJU&inID=TeWbaMRjavJtohugxFArbWFAKqttkcyTrSMZjvBOrtCkQgjOw... Page URL

Detected technologies

PHP (Programming Languages) Expand

Overall confidence: 100%
Detected patterns

\.php(?:$|\?)

GOV.UK Frontend (UI frameworks) Expand

Overall confidence: 80%
Detected patterns

<body[^>]+govuk-template__body
<a[^>]+govuk-link

Page Statistics

6
Requests

67 %
HTTPS

67 %
IPv6

3
Domains

3
Subdomains

3
IPs

2
Countries

323 kB
Transfer

321 kB
Size

1
Cookies

5 Outgoing links

These are links going to different origins than the main page.

URL: https://www.gov.uk/
Title: GOV.UK

Search URL Search Domain Scan URL

URL: https://www.ofgem.gov.uk/sites/default/files/docs/2005/10/11782-resaleupdateoct05_3.pdf
Title: how to ensure customers are being charged no more than they should when they buy the electricity through their landlord, including what to do if they think there has been a mistake

Search URL Search Domain Scan URL

URL: https://costoflivingsupport.campaign.gov.uk/
Title: Help for Households

Search URL Search Domain Scan URL

URL: https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/
Title: Open Government Licence v3.0

Search URL Search Domain Scan URL

URL: https://www.nationalarchives.gov.uk/information-management/re-using-public-sector-information/uk-government-licensing-framework/crown-copyright/
Title: © Crown copyright

Search URL Search Domain Scan URL

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

http://rebate-energybills.com/ HTTP 302
http://rebate-energybills.com/start.php?ZDNbQBOHMJU&inID=TeWbaMRjavJtohugxFArbWFAKqttkcyTrSMZjvBOrtCkQgjOwQDGG Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

6 HTTP transactions
0 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H/1.1

200
OK

Primary Request start.php Show response
rebate-energybills.com/
Redirect Chain

http://rebate-energybills.com/
http://rebate-energybills.com/start.php?ZDNbQBOHMJU&inID=TeWbaMRjavJtohugxFArbWFAKqttkcyTrSMZjvBOrtCkQgjOwQDGG

104 KB
104 KB

193ms
145ms

Document
text/html

176.53.160.8
TIMEWEB-AS

General

Check archive.org

Show headers Download Go to

Full URL: http://rebate-energybills.com/start.php?ZDNbQBOHMJU&inID=TeWbaMRjavJtohugxFArbWFAKqttkcyTrSMZjvBOrtCkQgjOwQDGG
Protocol: HTTP/1.1
Server: 176.53.160.8 , Russian Federation, ASN9123 (TIMEWEB-AS, RU),
Reverse DNS: 1007037-cl66231.tmweb.ru
Software: Apache /
Resource Hash: 7b4eaefdae1fd6e5ad3cfaf0c4c915175034aace1362b583fa8f06a3916bf029

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
accept-language: de-DE,de;q=0.9

Response headers

Cache-Control: no-store, no-cache, must-revalidate
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Tue, 06 Sep 2022 11:26:09 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Transfer-Encoding: chunked

Redirect headers

Cache-Control: no-store, no-cache, must-revalidate
Connection: close
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Tue, 06 Sep 2022 11:26:08 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: start.php?ZDNbQBOHMJU&inID=TeWbaMRjavJtohugxFArbWFAKqttkcyTrSMZjvBOrtCkQgjOwQDGG
Pragma: no-cache
Server: Apache

GET
H/1.1 200
OK startstyle.css
rebate-energybills.com/css/ 133 KB
133 KB 199ms
150ms Stylesheet
text/css 176.53.160.8
TIMEWEB-AS

General

Check archive.org

Show headers Download Go to

Full URL: http://rebate-energybills.com/css/startstyle.css
Requested by: Host: rebate-energybills.com
URL: http://rebate-energybills.com/start.php?ZDNbQBOHMJU&inID=TeWbaMRjavJtohugxFArbWFAKqttkcyTrSMZjvBOrtCkQgjOwQDGG
Protocol: HTTP/1.1
Server: 176.53.160.8 , Russian Federation, ASN9123 (TIMEWEB-AS, RU),
Reverse DNS: 1007037-cl66231.tmweb.ru
Software: Apache /
Resource Hash: 41cef09a75d359bbc0b3aa21fe168739ea8e53cf2dc35ed85320c31d43c432da

Request headers

accept-language: de-DE,de;q=0.9
Referer: http://rebate-energybills.com/start.php?ZDNbQBOHMJU&inID=TeWbaMRjavJtohugxFArbWFAKqttkcyTrSMZjvBOrtCkQgjOwQDGG
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36

Response headers

Date: Tue, 06 Sep 2022 11:26:09 GMT
Last-Modified: Fri, 02 Sep 2022 12:28:20 GMT
Server: Apache
Connection: close
Accept-Ranges: bytes
Content-Length: 135949
Content-Type: text/css

GET
H2 200 s300_energy-bills.png
assets.publishing.service.gov.uk/government/uploads/system/uploads/image_data/file/158488/ 18 KB
19 KB 81ms
20ms Image
image/png 2a04:4e42::144
FASTLY

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/image_data/file/158488/s300_energy-bills.png

Requested by

Host: rebate-energybills.com
URL: http://rebate-energybills.com/start.php?ZDNbQBOHMJU&inID=TeWbaMRjavJtohugxFArbWFAKqttkcyTrSMZjvBOrtCkQgjOwQDGG

Protocol

H2

Security

TLS 1.3, , AES_128_GCM

Server

2a04:4e42::144 , United States, ASN54113 (FASTLY, US),

Reverse DNS

Software

nginx /

Resource Hash

e264909d5b52e62eface8518df0ccddf99e21922a2e6316bffe0d38340e590d9

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; preload
X-Frame-Options	DENY

Request headers

accept-language: de-DE,de;q=0.9
Referer: http://rebate-energybills.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload
via: 1.1 varnish
etag: "62e3fec4-48f4"
age: 136
x-cache: HIT
content-disposition: inline; filename="s300_energy-bills.png"
content-length: 18676
x-served-by: cache-hhn4070-HHN
last-modified: Fri, 29 Jul 2022 15:37:40 GMT
server: nginx
fastly-backend-name: awsorigin
date: Tue, 06 Sep 2022 11:26:09 GMT
x-frame-options: DENY
access-control-allow-methods: GET, OPTIONS
content-type: image/png
access-control-allow-origin: *
cache-control: max-age=1800, public
accept-ranges: bytes
x-timer: S1662463569.380607,VS0,VE1
access-control-allow-headers: origin, authorization
x-cache-hits: 1

GET
H2 200 govuk-crest-87038e62e594b5f83ea40e0fb480fe7a5f41ba0db3917f709dfb39043f19a0f7.png
www.gov.uk/assets/static/ 4 KB
4 KB 66ms
21ms Image
image/png 2a04:4e42::144
FASTLY

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.gov.uk/assets/static/govuk-crest-87038e62e594b5f83ea40e0fb480fe7a5f41ba0db3917f709dfb39043f19a0f7.png

Requested by

Host: rebate-energybills.com
URL: http://rebate-energybills.com/css/startstyle.css

Protocol

H2

Security

TLS 1.3, , AES_128_GCM

Server

2a04:4e42::144 , United States, ASN54113 (FASTLY, US),

Reverse DNS

Software

nginx /

Resource Hash

bb9e22aff7881b895c2ceb41d9340804451c474b883f09fe1b4026e76456f44b

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; preload

Request headers

accept-language: de-DE,de;q=0.9
Referer: http://rebate-energybills.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload
via: 1.1 varnish
etag: "624ac7a1-e00"
age: 554338
x-cache: HIT
x-cache-hits: 940
content-length: 3584
x-served-by: cache-hhn4070-HHN
last-modified: Mon, 04 Apr 2022 10:25:37 GMT
server: nginx
fastly-backend-name: origin
date: Tue, 06 Sep 2022 11:26:09 GMT
content-type: image/png
cache-control: max-age=315360000, public, immutable
accept-ranges: bytes
x-timer: S1662463570.653557,VS0,VE0
expires: Thu, 31 Dec 2037 23:55:55 GMT

GET
H2 200 bold-b542beb274-v2-35bf540bb39615b6a517986f3aa83f7fefa1efd1878603eeeb196488078542d1.woff2
www.gov.uk/assets/frontend/ 31 KB
31 KB 112ms
21ms Font
font/woff2 2a04:4e42:200::144
FASTLY

General

Check archive.org

Show headers Download Go to

Full URL

https://www.gov.uk/assets/frontend/bold-b542beb274-v2-35bf540bb39615b6a517986f3aa83f7fefa1efd1878603eeeb196488078542d1.woff2

Requested by

Host: rebate-energybills.com
URL: http://rebate-energybills.com/css/startstyle.css

Protocol

H2

Security

TLS 1.3, , AES_128_GCM

Server

2a04:4e42:200::144 , United States, ASN54113 (FASTLY, US),

Reverse DNS

Software

nginx /

Resource Hash

06eba01b1af0f4014b484c711771fef1db30becbf0edf481498da1e4958d3d47

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; preload

Request headers

Referer: http://rebate-energybills.com/
Origin: http://rebate-energybills.com
accept-language: de-DE,de;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload
via: 1.1 varnish
etag: "6242d666-7af8"
age: 2443105
x-cache: HIT
content-length: 31480
x-served-by: cache-hhn4029-HHN
last-modified: Tue, 29 Mar 2022 09:50:30 GMT
server: nginx
fastly-backend-name: origin
date: Tue, 06 Sep 2022 11:26:09 GMT
access-control-allow-methods: GET, OPTIONS
content-type: font/woff2
access-control-allow-origin: *
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
accept-ranges: bytes
x-timer: S1662463570.700513,VS0,VE1
access-control-allow-headers: origin, authorization
x-cache-hits: 1

GET
H2 200 light-94a07e06a1-v2-01565b0034e61d4609689bbb7ae0be844701f3812c8fe029fa1659b7ef3aa94f.woff2
www.gov.uk/assets/frontend/ 33 KB
33 KB 124ms
32ms Font
font/woff2 2a04:4e42:200::144
FASTLY

General

Check archive.org

Show headers Download Go to

Full URL

https://www.gov.uk/assets/frontend/light-94a07e06a1-v2-01565b0034e61d4609689bbb7ae0be844701f3812c8fe029fa1659b7ef3aa94f.woff2

Requested by

Host: rebate-energybills.com
URL: http://rebate-energybills.com/css/startstyle.css

Protocol

H2

Security

TLS 1.3, , AES_128_GCM

Server

2a04:4e42:200::144 , United States, ASN54113 (FASTLY, US),

Reverse DNS

Software

nginx /

Resource Hash

eedfb3c2f7945caebd0b15522b59d6c7f01be17fecd6102fd76452ad4042f7b0

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; preload

Request headers

Referer: http://rebate-energybills.com/
Origin: http://rebate-energybills.com
accept-language: de-DE,de;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload
via: 1.1 varnish
etag: "6242d665-8266"
age: 538031
x-cache: HIT
content-length: 33382
x-served-by: cache-hhn4029-HHN
last-modified: Tue, 29 Mar 2022 09:50:29 GMT
server: nginx
fastly-backend-name: origin
date: Tue, 06 Sep 2022 11:26:09 GMT
access-control-allow-methods: GET, OPTIONS
content-type: font/woff2
access-control-allow-origin: *
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
accept-ranges: bytes
x-timer: S1662463570.700529,VS0,VE15
access-control-allow-headers: origin, authorization
x-cache-hits: 1

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: UK Government (Government)

7 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			rebate-energybills.com/	1969-12-31 23:59:59	Name: PHPSESSID Value: e2ad35ab0738d45a3caf23eab69aeea6

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

assets.publishing.service.gov.uk
rebate-energybills.com
www.gov.uk
176.53.160.8
2a04:4e42:200::144
2a04:4e42::144
06eba01b1af0f4014b484c711771fef1db30becbf0edf481498da1e4958d3d47
41cef09a75d359bbc0b3aa21fe168739ea8e53cf2dc35ed85320c31d43c432da
7b4eaefdae1fd6e5ad3cfaf0c4c915175034aace1362b583fa8f06a3916bf029
bb9e22aff7881b895c2ceb41d9340804451c474b883f09fe1b4026e76456f44b
e264909d5b52e62eface8518df0ccddf99e21922a2e6316bffe0d38340e590d9
eedfb3c2f7945caebd0b15522b59d6c7f01be17fecd6102fd76452ad4042f7b0

rebate-energybills.com Open in urlscan Pro 176.53.160.8 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Detected technologies

Page Statistics

6 Requests

67 %HTTPS

67 %IPv6

3 Domains

3 Subdomains

3 IPs

2 Countries

323 kBTransfer

321 kBSize

1 Cookies

5 Outgoing links

Page URL History

Redirected requests

6 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

7 JavaScript Global Variables

1 Cookies

Indicators

rebate-energybills.com Open in urlscan Pro
176.53.160.8 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

6
Requests

67 %
HTTPS

67 %
IPv6

3
Domains

3
Subdomains

3
IPs

2
Countries

323 kB
Transfer

321 kB
Size

1
Cookies

6 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!