py.pl - urlscan.io

Summary

This website contacted 3 IPs in 3 countries across 3 domains to perform 7 HTTP transactions. The main IP is 66.211.169.14, located in United States and belongs to PAYPAL, US. The main domain is py.pl.
TLS certificate: Issued by DigiCert SHA2 Extended Validation Ser... on March 5th 2019. Valid for: 2 years.

This is the only time py.pl was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: PayPal (Financial)

Domain & IP information

	IP Address	AS Autonomous System
1	66.211.169.14 66.211.169.14	17012 (PAYPAL) (PAYPAL)
5	151.101.14.133 151.101.14.133	54113 (FASTLY) (FASTLY)
1	23.32.242.197 23.32.242.197	20940 (AKAMAI-ASN1) (AKAMAI-ASN1)
7	3

1 66.211.169.14 (United States)

ASN17012 (PAYPAL, US)
PTR: py.pl

py.pl	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

5 151.101.14.133 (Frankfurt am Main, Germany)

ASN54113 (FASTLY, US)

www.paypalobjects.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 23.32.242.197 (Netherlands)

ASN20940 (AKAMAI-ASN1, US)
PTR: a23-32-242-197.deploy.static.akamaitechnologies.com

www.paypal.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
5	paypalobjects.com www.paypalobjects.com	46 KB
1	paypal.com www.paypal.com
1	py.pl py.pl	4 KB
7	3

	Domain	Requested by
5	www.paypalobjects.com	py.pl www.paypalobjects.com
1	www.paypal.com	py.pl
1	py.pl
7	3

This site contains links to these domains. Also see Links.

Domain
cms.paypal.com

Subject Issuer	Validity	Valid
py.pl DigiCert SHA2 Extended Validation Server CA	`2019-03-05` - `2021-04-22`	2 years	crt.sh
www.paypalobjects.com DigiCert SHA2 Extended Validation Server CA	`2019-12-09` - `2021-12-13`	2 years	crt.sh
www.paypal.com DigiCert SHA2 Extended Validation Server CA	`2020-01-09` - `2022-01-12`	2 years	crt.sh

This page contains 1 frames:

Primary Page: https://py.pl/auth/validatecaptcha
Frame ID: 006C12EBC4DC96EEB33D0ECC80A64DD9
Requests: 7 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Detected technologies

PayPal (Payment Processors) Expand

Overall confidence: 100%
Detected patterns

script /paypalobjects\.com\/js/i

RequireJS (JavaScript Frameworks) Expand

Overall confidence: 100%
Detected patterns

script /require.*\.js/i

Page Statistics

7
Requests

100 %
HTTPS

0 %
IPv6

3
Domains

3
Subdomains

3
IPs

3
Countries

49 kB
Transfer

121 kB
Size

1
Cookies

2 Outgoing links

These are links going to different origins than the main page.

URL: https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&fli=true&content_ID=ua/Privacy_full&locale.x=en-US
Title: Privacy

Search URL Search Domain Scan URL

URL: https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&fli=true&content_ID=ua/upcoming_policies_full&locale.x=en_US
Title: Policy updates

Search URL Search Domain Scan URL

Redirected requests

There were HTTP redirect chains for the following requests:

7 HTTP transactions
0 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H/1.1 404
Not Found Primary Request Cookie set validatecaptcha Show response
py.pl/auth/ 4 KB
4 KB 1505ms
330ms Document
text/html 66.211.169.14
PAYPAL

General

Check archive.org

Show headers Download Go to

Full URL

https://py.pl/auth/validatecaptcha

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

66.211.169.14 , United States, ASN17012 (PAYPAL, US),

Reverse DNS

py.pl

Software

/

Resource Hash

1343e73b8e0064a59dcc35ec16bf91daef697c7598648c1f0021e41ca4629288

Security Headers

Name	Value
Content-Security-Policy	default-src 'self' https://.paypal.com https://.paypalobjects.com; script-src 'nonce-cu5hHI/mBWyB2xql4PflGIfMMSNu4BwE+V39wyUCN6RZ+ZgF' 'self' https://.paypal.com https://.paypalobjects.com 'unsafe-inline'; img-src 'self' https:; font-src 'self' https://.paypalobjects.com https://.paypal.com; form-action 'self' https://.paypal.com; base-uri 'self' https://.paypal.com; object-src 'none'; block-all-mixed-content; report-uri https://www.paypal.com/csplog/api/log/csp
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

Host: py.pl
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Dest: document

Response headers

Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Content-Encoding: gzip
Content-Security-Policy: default-src 'self' https://*.paypal.com https://*.paypalobjects.com; script-src 'nonce-cu5hHI/mBWyB2xql4PflGIfMMSNu4BwE+V39wyUCN6RZ+ZgF' 'self' https://*.paypal.com https://*.paypalobjects.com 'unsafe-inline'; img-src 'self' https:; font-src 'self' https://*.paypalobjects.com https://*.paypal.com; form-action 'self' https://*.paypal.com; base-uri 'self' https://*.paypal.com; object-src 'none'; block-all-mixed-content; report-uri https://www.paypal.com/csplog/api/log/csp
Content-Type: text/html; charset=utf-8
Date: Tue, 18 Feb 2020 21:53:10 GMT
Etag: W/"fe0-fAa3KAP0U9YqI+w3kAP/h6ADoVI"
Paypal-Debug-Id: 3010c2bf6aa69
Set-Cookie: enforce_policy=; Path=/; Domain=paypal.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; SameSite=None LANG=en_US%3BUS; Path=/; Domain=paypal.com; Expires=Wed, 19 Feb 2020 06:39:06 GMT; Max-Age=31556; HttpOnly; Secure; SameSite=None tsrce=unpshorturlnodeweb; Path=/; Domain=paypal.com; Expires=Fri, 21 Feb 2020 21:53:09 GMT; Max-Age=259199; HttpOnly; Secure; SameSite=None x-pp-s=eyJ0IjoiMTU4MjA2Mjc5MDIzNyIsImwiOiIwIiwibSI6IjAifQ; Path=/; Domain=paypal.com; HttpOnly; Secure; SameSite=None nsid=s%3A7fWaT5R_rj8mN3STEKMRAMU0aGj3tucz.%2FddIklGQ2GAoznpU16xLgaAr9TdSd5Y3wMrGNSpUuvA; Path=/; HttpOnly; Secure X-PP-SILOVER=name%3DLIVE3.WEB.1%26silo_version%3D880%26app%3Dunpshorturlnodeweb%26TIME%3D1582062790%26HTTP_X_PP_AZ_LOCATOR%3Ddcg12.slc; Path=/; Domain=paypal.com; Expires=Tue, 18 Feb 2020 22:23:10 GMT; HttpOnly; Secure; SameSite=None X-PP-L7=1; Path=/; Domain=paypal.com; Secure; SameSite=None
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Content-Length: 1740

GET
H2 200 app.css
www.paypalobjects.com/web/res/b5f/12b4a9da96fba3c903ae17fdcc16e/css/ 54 KB
14 KB 363ms
172ms Stylesheet
text/css 151.101.14.133
FASTLY

General

Check archive.org

Show headers Download Go to

Full URL

https://www.paypalobjects.com/web/res/b5f/12b4a9da96fba3c903ae17fdcc16e/css/app.css

Requested by

Host: py.pl
URL: https://py.pl/auth/validatecaptcha

Protocol

H2

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

151.101.14.133 Frankfurt am Main, Germany, ASN54113 (FASTLY, US),

Reverse DNS

Software

Apache /

Resource Hash

b726f930dfb2fe747c5aba1d2a72f521efde6960103de4c7174cea1edaafde6b

Security Headers

Name	Value
Strict-Transport-Security	max-age=31557600
X-Content-Type-Options	nosniff

Request headers

Referer: https://py.pl/auth/validatecaptcha
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Dest: style

Response headers

date: Tue, 18 Feb 2020 21:53:10 GMT
via: 1.1 varnish, 1.1 varnish
x-content-type-options: nosniff
age: 966690
x-cache: HIT, HIT
status: 200
x-cache-hits: 1, 1
strict-transport-security: max-age=31557600
content-encoding: br
x-served-by: cache-sjc10035-SJC, cache-fra19139-FRA
last-modified: Fri, 23 Oct 2015 22:24:12 GMT
server: Apache
x-timer: S1582062791.625879,VS0,VE1
vary: Accept-Encoding
content-type: text/css
cache-control: max-age=7776000
accept-ranges: none
expires: Mon, 18 May 2020 21:53:10 GMT

GET
H2 200 logo_paypal_106x27.png
www.paypalobjects.com/webstatic/logo/ 3 KB
3 KB 287ms
96ms Image
image/png 151.101.14.133
FASTLY

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.paypalobjects.com/webstatic/logo/logo_paypal_106x27.png

Requested by

Host: py.pl
URL: https://py.pl/auth/validatecaptcha

Protocol

H2

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

151.101.14.133 Frankfurt am Main, Germany, ASN54113 (FASTLY, US),

Reverse DNS

Software

Apache /

Resource Hash

d5b4b06879f67d270c16984685854fffa267be3e05db4d025761676ddd46a1c9

Security Headers

Name	Value
Strict-Transport-Security	max-age=31557600
X-Content-Type-Options	nosniff

Request headers

Referer: https://py.pl/auth/validatecaptcha
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Dest: image

Response headers

date: Tue, 18 Feb 2020 21:53:10 GMT
via: 1.1 varnish, 1.1 varnish
x-content-type-options: nosniff
age: 2739928
x-cache: HIT, HIT
status: 200
x-cache-hits: 2, 5
strict-transport-security: max-age=31557600
content-encoding: br
x-served-by: cache-sjc10048-SJC, cache-fra19139-FRA
last-modified: Wed, 30 Apr 2014 15:54:51 GMT
server: Apache
x-timer: S1582062791.625823,VS0,VE0
vary: Accept-Encoding
content-type: image/png
cache-control: max-age=7776000
accept-ranges: none
expires: Mon, 18 May 2020 21:53:10 GMT

GET
H2 200 require.js Show response
www.paypalobjects.com/js/lib/requirejs/2.1.20/ 15 KB
8 KB 288ms
97ms Script
application/x-javascript 151.101.14.133
FASTLY

General

Check archive.org

Show headers Download Go to

Full URL

https://www.paypalobjects.com/js/lib/requirejs/2.1.20/require.js

Requested by

Host: py.pl
URL: https://py.pl/auth/validatecaptcha

Protocol

H2

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

151.101.14.133 Frankfurt am Main, Germany, ASN54113 (FASTLY, US),

Reverse DNS

Software

Apache /

Resource Hash

d04169118448d14844d957998462c04a2ba0fd70fce512fe079db00f9493ad17

Security Headers

Name	Value
Strict-Transport-Security	max-age=31557600
X-Content-Type-Options	nosniff

Request headers

Referer: https://py.pl/auth/validatecaptcha
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Dest: script

Response headers

date: Tue, 18 Feb 2020 21:53:10 GMT
x-pad: avoid browser bug
x-content-type-options: nosniff
age: 2739411
x-cache: HIT, HIT
status: 200
x-cache-hits: 1, 2
strict-transport-security: max-age=31557600
content-encoding: br
x-served-by: cache-sjc10051-SJC, cache-fra19139-FRA
access-control-allow-origin: *
last-modified: Wed, 12 Aug 2015 17:53:29 GMT
server: Apache
x-timer: S1582062791.625886,VS0,VE0
vary: Accept-Encoding
access-control-allow-methods: GET
content-type: application/x-javascript
via: 1.1 varnish, 1.1 varnish
cache-control: max-age=7776000
accept-ranges: none
access-control-allow-headers: x-csrf-token
expires: Mon, 18 May 2020 21:53:10 GMT

GET
H2 200 pa.js Show response
www.paypalobjects.com/pa/js/ 44 KB
21 KB 288ms
97ms Script
application/x-javascript 151.101.14.133
FASTLY

General

Check archive.org

Show headers Download Go to

Full URL

https://www.paypalobjects.com/pa/js/pa.js

Requested by

Host: py.pl
URL: https://py.pl/auth/validatecaptcha

Protocol

H2

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

151.101.14.133 Frankfurt am Main, Germany, ASN54113 (FASTLY, US),

Reverse DNS

Software

Apache /

Resource Hash

25221963c670671390102df4d22bb0dfc0d2996ef7db578de1cdc5a220eef443

Security Headers

Name	Value
Strict-Transport-Security	max-age=31557600
X-Content-Type-Options	nosniff

Request headers

Referer: https://py.pl/auth/validatecaptcha
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Dest: script

Response headers

date: Tue, 18 Feb 2020 21:53:10 GMT
x-pad: avoid browser bug
x-content-type-options: nosniff
age: 10582
x-cache: HIT, HIT
status: 200
x-cache-hits: 197, 592
strict-transport-security: max-age=31557600
content-encoding: br
x-served-by: cache-sjc10047-SJC, cache-fra19139-FRA
access-control-allow-origin: *
last-modified: Sun, 16 Feb 2020 19:07:08 GMT
server: Apache
x-timer: S1582062791.625869,VS0,VE0
vary: Accept-Encoding
access-control-allow-methods: GET
content-type: application/x-javascript
via: 1.1 varnish, 1.1 varnish
cache-control: max-age=3600
accept-ranges: none
access-control-allow-headers: x-csrf-token
expires: Tue, 18 Feb 2020 22:53:10 GMT

POST
H2 200 csp
www.paypal.com/csplog/api/log/ 0
0 624ms
337ms Other
text/plain 23.32.242.197
AKAMAI-ASN1

General

Check archive.org

Show headers Download Go to

Full URL: https://www.paypal.com/csplog/api/log/csp
Requested by: Host: py.pl
URL: https://py.pl/auth/validatecaptcha
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 23.32.242.197 , Netherlands, ASN20940 (AKAMAI-ASN1, US),
Reverse DNS: a23-32-242-197.deploy.static.akamaitechnologies.com
Software: /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer: https://py.pl/auth/validatecaptcha
Origin: https://py.pl
Sec-Fetch-Dest: report
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Type: application/csp-report

Response headers

GET
H2 200 app.js Show response
www.paypalobjects.com/web/res/b5f/12b4a9da96fba3c903ae17fdcc16e/js/ 218 B
332 B 95ms
94ms Script
application/x-javascript 151.101.14.133
FASTLY

General

Check archive.org

Show headers Download Go to

Full URL

https://www.paypalobjects.com/web/res/b5f/12b4a9da96fba3c903ae17fdcc16e/js/app.js

Requested by

Host: www.paypalobjects.com
URL: https://www.paypalobjects.com/js/lib/requirejs/2.1.20/require.js

Protocol

H2

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

151.101.14.133 Frankfurt am Main, Germany, ASN54113 (FASTLY, US),

Reverse DNS

Software

Apache /

Resource Hash

c45e884274a793b0d6f2a4f47da5249ac502d8214da1aee94e7a6954437e68ac

Security Headers

Name	Value
Strict-Transport-Security	max-age=31557600
X-Content-Type-Options	nosniff

Request headers

Referer: https://py.pl/auth/validatecaptcha
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Dest: script

Response headers

date: Tue, 18 Feb 2020 21:53:10 GMT
x-pad: avoid browser bug
x-content-type-options: nosniff
age: 2201031
x-cache: HIT, HIT, HIT
status: 200
x-cache-hits: 1, 1, 1
strict-transport-security: max-age=31557600
content-encoding: br
x-served-by: cache-sjc10043-SJC, cache-lax8629-LAX, cache-fra19139-FRA
access-control-allow-origin: *
last-modified: Fri, 23 Oct 2015 22:24:12 GMT
server: Apache
x-timer: S1582062791.865884,VS0,VE1
vary: Accept-Encoding
access-control-allow-methods: GET
content-type: application/x-javascript
via: 1.1 varnish, 1.1 varnish, 1.1 varnish
cache-control: max-age=7776000
accept-ranges: none
access-control-allow-headers: x-csrf-token
expires: Mon, 18 May 2020 21:53:10 GMT

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: PayPal (Financial)

9 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			py.pl/	1969-12-31 23:59:59	Name: nsid Value: s%3A7fWaT5R_rj8mN3STEKMRAMU0aGj3tucz.%2FddIklGQ2GAoznpU16xLgaAr9TdSd5Y3wMrGNSpUuvA

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header	Value
Content-Security-Policy	default-src 'self' https://.paypal.com https://.paypalobjects.com; script-src 'nonce-cu5hHI/mBWyB2xql4PflGIfMMSNu4BwE+V39wyUCN6RZ+ZgF' 'self' https://.paypal.com https://.paypalobjects.com 'unsafe-inline'; img-src 'self' https:; font-src 'self' https://.paypalobjects.com https://.paypal.com; form-action 'self' https://.paypal.com; base-uri 'self' https://.paypal.com; object-src 'none'; block-all-mixed-content; report-uri https://www.paypal.com/csplog/api/log/csp
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

py.pl
www.paypal.com
www.paypalobjects.com
151.101.14.133
23.32.242.197
66.211.169.14
1343e73b8e0064a59dcc35ec16bf91daef697c7598648c1f0021e41ca4629288
25221963c670671390102df4d22bb0dfc0d2996ef7db578de1cdc5a220eef443
b726f930dfb2fe747c5aba1d2a72f521efde6960103de4c7174cea1edaafde6b
c45e884274a793b0d6f2a4f47da5249ac502d8214da1aee94e7a6954437e68ac
d04169118448d14844d957998462c04a2ba0fd70fce512fe079db00f9493ad17
d5b4b06879f67d270c16984685854fffa267be3e05db4d025761676ddd46a1c9
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

py.pl Open in urlscan Pro 66.211.169.14 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Detected technologies

Page Statistics

7 Requests

100 %HTTPS

0 %IPv6

3 Domains

3 Subdomains

3 IPs

3 Countries

49 kBTransfer

121 kBSize

1 Cookies

2 Outgoing links

Redirected requests

7 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

9 JavaScript Global Variables

1 Cookies

Security Headers

Indicators

py.pl Open in urlscan Pro
66.211.169.14 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

7
Requests

100 %
HTTPS

0 %
IPv6

3
Domains

3
Subdomains

3
IPs

3
Countries

49 kB
Transfer

121 kB
Size

1
Cookies

7 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!