ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
67.23.254.254  Malicious Activity!

URL: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Submission: September 02, 2022 (year taken from the response Date headers below), submitted automatically from the OpenPhish feed. Scanned from NO (Norway).

Summary

This website contacted 5 IPs in 2 countries across 2 domains to perform 14 HTTP transactions. The main IP is 67.23.254.254, located in Orlando, United States and belongs to DIMENOC, US. The main domain is ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no.

What the transaction list shows: the phishing host serves only the cloned page itself (plain HTTP, 261 KB, Apache on a HostDime reseller box) and answers one stray script request; the other 12 transactions are HTTPS fetches of the genuine Wells Fargo CSS, JavaScript and images from oam.wellsfargo.com and static.wellsfargo.com, plus one analytics XHR to rubicon.wellsfargo.com, all sent with the phishing host in the Referer header. Hot-linking the brand's own assets is why the clone renders exactly like the real "Change your username" flow. The X-Frame-Options and frame-ancestors headers on those assets do not prevent this: the page loads them as stylesheets, scripts and images, not inside a frame.
This is the only time ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Wells Fargo (Banking)

Domain & IP information

Requests per IP address:

  Requests  IP address      ASN    Autonomous system
  2         67.23.254.254   33182  DIMENOC
  8         159.45.2.180    10837  WELLSFARGO-10837
  3         159.45.2.178    10837  WELLSFARGO-10837
  1         95.101.23.205   20940  AKAMAI-ASN1
  Totals: 14 requests, 5 IPs (urlscan's count; only the four above are routable addresses)

Requests per apex domain:

  Requests  Apex domain      Subdomains seen (Cisco Umbrella rank)                                       Transfer
  12        wellsfargo.com   oam.wellsfargo.com (91775), static.wellsfargo.com (13480),                  215 KB
                             rubicon.wellsfargo.com (11019)
  2         xzone.no         ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no    262 KB
  Totals: 14 requests, 2 apex domains

Requests per domain and the document or script that requested them:

  Requests  Domain                                                                    Requested by
  8         oam.wellsfargo.com                                                        ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
  3         static.wellsfargo.com                                                     ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no, static.wellsfargo.com
  2         ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no  oam.wellsfargo.com (the adrum-ext second-stage request, see below)
  1         rubicon.wellsfargo.com                                                    ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
  Totals: 14 requests, 4 domains
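Every asset on the clone was fetched from the real Wells Fargo hosts with the phishing domain in the Referer header, so the brand's own access logs hold the evidence. The following is an added example, not urlscan.io or any vendor's code: it sweeps combined-log-format access logs from the asset hosts and flags watched asset paths requested with a Referer outside the first-party apex domains. The first-party list is taken from the domains the report's CSP names; the watched path prefixes and the sample log lines are constructed for the example (paths, Referer and User-Agent mirror the transactions in this report, client IPs are documentation addresses).

```python
"""Flag first-party static assets being hot-linked from foreign referers.

Added example for this scan report; it is not urlscan.io code or any
vendor's tooling. It assumes combined-log-format access logs from the
asset hosts (oam.wellsfargo.com, static.wellsfargo.com). The sample lines
are constructed: paths, Referer and User-Agent mirror the transactions in
the report, the client IPs are documentation addresses.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Apex domains allowed to embed these assets (assumption, taken from the
# hosts the report's CSP lists as first-party).
FIRST_PARTY = {"wellsfargo.com", "wellsfargoadvisors.com",
               "wellsfargomedia.com", "wfinterface.com"}

# Asset path prefixes to watch (assumption; adjust to the real layout).
WATCHED_PREFIXES = ("/oam/static/", "/oam/images/", "/tracking/")

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_apex(referer: str) -> Optional[str]:
    """Last two labels of the Referer host, or None if the header is absent.

    Good enough for .com/.no; use a public-suffix list for co.uk-style TLDs.
    """
    if referer in ("", "-"):
        return None
    host = urlsplit(referer).hostname
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_hotlink(entry: dict) -> bool:
    """True when a watched asset was requested with an explicit foreign Referer."""
    if not entry["path"].startswith(WATCHED_PREFIXES):
        return False
    apex = referer_apex(entry["referer"])
    # No Referer is common (privacy settings, direct loads): do not flag it.
    return apex is not None and apex not in FIRST_PARTY


def scan_log(lines):
    """Return (flagged entries, Counter of foreign referer hosts)."""
    flagged, by_host = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than abort the sweep
        entry = m.groupdict()
        if is_hotlink(entry):
            flagged.append(entry)
            by_host[urlsplit(entry["referer"]).hostname] += 1
    return flagged, by_host


PHISH = ("http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq"
         ".xzone.no/")
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36")

# Constructed sample log lines (not taken from any real server log).
SAMPLE_LOG = [
    f'203.0.113.7 - - [02/Sep/2022:02:34:17 +0000] "GET /oam/static/css/ssep/'
    f'theme.ssep.credential.remediation.css?v=571149307C HTTP/1.1" 200 36300 "{PHISH}" "{UA}"',
    f'203.0.113.7 - - [02/Sep/2022:02:34:17 +0000] "GET /oam/static/js/jquery.min.js'
    f'?v=571149307C HTTP/1.1" 200 31700 "{PHISH}" "{UA}"',
    f'203.0.113.7 - - [02/Sep/2022:02:34:18 +0000] "GET /tracking/secure-auth/utag.js '
    f'HTTP/1.1" 200 11200 "{PHISH}" "{UA}"',
    # Legitimate load from the bank's own page: first-party Referer.
    f'198.51.100.9 - - [02/Sep/2022:02:35:01 +0000] "GET /oam/static/js/jquery.min.js'
    f'?v=571149307C HTTP/1.1" 200 31700 "https://oam.wellsfargo.com/oam/changeusername" "{UA}"',
    # Referer stripped by the client: not flagged.
    f'198.51.100.9 - - [02/Sep/2022:02:35:02 +0000] "GET /oam/static/css/global/'
    f'globalFooter.css?v=571149307C HTTP/1.1" 200 2100 "-" "{UA}"',
    # Foreign Referer on a non-asset path: outside this check's scope.
    f'198.51.100.9 - - [02/Sep/2022:02:35:03 +0000] "GET /oam/changeusername HTTP/1.1" '
    f'200 9000 "https://evil.example/" "{UA}"',
]

if __name__ == "__main__":
    flagged, by_host = scan_log(SAMPLE_LOG)
    for host, n in by_host.most_common():
        print(f"{n:4d}  {host}")
```

Run it over the sample and the three phishing-page loads are grouped under the xzone.no host while the first-party and referer-less loads pass. Treat the output as an alerting feed, not a block list: denying requests on Referer at the web server would also break clients that strip the header, and a kit can proxy the assets instead of hot-linking them. The per-host counts plus the first-seen timestamp are what a takedown request needs.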

This site contains links to these domains:

Domain
www.wellsfargo.com

TLS certificates observed (none for the phishing host, which is served over plain HTTP):

  Subject                  Issuer                                                  Validity                  Valid
  oam.wellsfargo.com       DigiCert EV RSA CA G2                                   2022-06-22 to 2023-06-22  a year
  static.wellsfargo.com    DigiCert EV RSA CA G2                                   2022-05-24 to 2023-05-24  a year
  rubicon.wellsfargo.com   Wells Fargo Public Trust Certification Authority 01 G2  2022-04-06 to 2023-04-06  a year

This page contains 1 frame:

Primary Page: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Frame ID: 985377EAD3A5961E93F91B050B7B0D58
Requests: 18 in this frame (the 14 HTTP transactions listed below plus 4 inline data: URI images)

Page Title

Wells Fargo - Change your username

Detected technologies

AppDynamics browser RUM agent (technology name not captured in this export; identified by the adrum pattern, the adrum-ext.js script hot-linked from oam.wellsfargo.com and the ADRUM / adrum-config globals listed below)
Overall confidence: 100%
Detected pattern: adrum

jQuery (technology name not captured in this export; identified by the pattern below, jquery.min.js and the jQuery / $ globals)
Overall confidence: 100%
Detected pattern: jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?

Page Statistics

  Requests     14
  HTTPS        86 % (12 of 14; the two requests to the phishing host are plain HTTP)
  IPv6         0 %
  Domains      2
  Subdomains   4
  IPs          5
  Countries    2
  Transfer     477 kB
  Size         909 kB
  Cookies      2


14 HTTP transactions

Each entry below gives the resource name, its path, the decoded size, the transferred size (x-fer) and the type / MIME type, followed by the request and response details the scanner captured.
Primary Request: scd.html
ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/
261 KB size, 261 KB transferred
Document
General
Full URL
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Protocol
HTTP/1.1
Server
67.23.254.254 Orlando, United States, ASN33182 (DIMENOC, US),
Reverse DNS
reseller-223.mco2.hostdime.com
Software
Apache /
Resource Hash
5767a46778dd35b2beb9c0460def99d939c57d4ee349b47342c27d82e8d0bb43

Request headers

Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36
accept-language
no-NO,no;q=0.9

Response headers

Accept-Ranges
bytes
Connection
Upgrade, Keep-Alive
Content-Length
266909
Content-Type
text/html
Date
Fri, 02 Sep 2022 02:34:16 GMT
Keep-Alive
timeout=5, max=100
Last-Modified
Fri, 25 Feb 2022 00:41:40 GMT
Server
Apache
Upgrade
h2,h2c
theme.ssep.credential.remediation.css
oam.wellsfargo.com/oam/static/css/ssep/
85 KB
36 KB
Stylesheet
General
Full URL
https://oam.wellsfargo.com/oam/static/css/ssep/theme.ssep.credential.remediation.css?v=571149307C
Requested by
Host: ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
URL: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
159.45.2.180 , United States, ASN10837 (WELLSFARGO-10837, US),
Reverse DNS
Software
KONICHIWA/1.1 /
Resource Hash
87b6fcccb056c907e50541ce1f161a20fa8f5c98e089b61615596cf1744ddc07
Security Headers
Name Value
Content-Security-Policy default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Strict-Transport-Security max-age=31536000; includeSubdomains;
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Date
Fri, 02 Sep 2022 02:34:17 GMT
Content-Encoding
gzip
X-Content-Type-Options
nosniff
Last-Modified
Sat, 13 Aug 2022 06:49:57 GMT
Server
KONICHIWA/1.1
X-Frame-Options
SAMEORIGIN
ETag
W/"62f74995-15429"
Strict-Transport-Security
max-age=31536000; includeSubdomains;
Content-Type
text/css
Cache-Control
max-age=86400
Transfer-Encoding
chunked
Content-Security-Policy
default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Connection
keep-alive
Vary
Accept-Encoding
X-XSS-Protection
1; mode=block
globalFooter.css
oam.wellsfargo.com/oam/static/css/global/
4 KB
2 KB
Stylesheet
General
Full URL
https://oam.wellsfargo.com/oam/static/css/global/globalFooter.css?v=571149307C
Requested by
Host: ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
URL: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
159.45.2.180 , United States, ASN10837 (WELLSFARGO-10837, US),
Reverse DNS
Software
KONICHIWA/1.1 /
Resource Hash
ae83aa0fd023bb0d3130a0572572f68f447a90b36c87d608702b353d1e3a8146
Security Headers
Name Value
Content-Security-Policy default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Strict-Transport-Security max-age=31536000; includeSubdomains;
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Date
Fri, 02 Sep 2022 02:34:17 GMT
Content-Encoding
gzip
X-Content-Type-Options
nosniff
Last-Modified
Sat, 13 Aug 2022 06:49:57 GMT
Server
KONICHIWA/1.1
X-Frame-Options
SAMEORIGIN
ETag
W/"62f74995-e13"
Strict-Transport-Security
max-age=31536000; includeSubdomains;
Content-Type
text/css
Cache-Control
max-age=86400
Transfer-Encoding
chunked
Content-Security-Policy
default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Connection
keep-alive
Vary
Accept-Encoding
X-XSS-Protection
1; mode=block
adrum-ext.js
oam.wellsfargo.com/oam/static/js/appd/
45 KB
15 KB
Script
General
Full URL
https://oam.wellsfargo.com/oam/static/js/appd/adrum-ext.js?v=571149307C
Requested by
Host: ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
URL: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
159.45.2.180 , United States, ASN10837 (WELLSFARGO-10837, US),
Reverse DNS
Software
KONICHIWA/1.1 /
Resource Hash
b78d57e1736f692e67a9f3e3762b84993e8984d3d7d72bc9a55e4913880ef3d7
Security Headers
Name Value
Content-Security-Policy default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Strict-Transport-Security max-age=31536000; includeSubdomains;
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Date
Fri, 02 Sep 2022 02:34:17 GMT
Content-Encoding
gzip
X-Content-Type-Options
nosniff
Last-Modified
Sat, 13 Aug 2022 06:49:57 GMT
Server
KONICHIWA/1.1
X-Frame-Options
SAMEORIGIN
ETag
W/"62f74995-b218"
Strict-Transport-Security
max-age=31536000; includeSubdomains;
Content-Type
application/javascript; charset=utf-8
Cache-Control
max-age=86400
Transfer-Encoding
chunked
Content-Security-Policy
default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Connection
keep-alive
Vary
Accept-Encoding
X-XSS-Protection
1; mode=block
icn-nav-home-glob-18x17-000720-v01_00@1x.png
oam.wellsfargo.com/oam/images/
239 B
3 KB
Image
General
Full URL
https://oam.wellsfargo.com/oam/images/icn-nav-home-glob-18x17-000720-v01_00@1x.png
Requested by
Host: ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
URL: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
159.45.2.180 , United States, ASN10837 (WELLSFARGO-10837, US),
Reverse DNS
Software
KONICHIWA/1.1 /
Resource Hash
ec04389b5b81da4ce01879e7bc68a8cc1fe2b912efb16b01ea511b80f923f79f
Security Headers
Name Value
Content-Security-Policy default-src https:; object-src 'none'; script-src 'nonce-8535a3d0-8aa9-4585-b1e4-2e2d5daa074d' 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com; style-src 'unsafe-inline' 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com; img-src https: data:; font-src data: 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com; frame-ancestors 'none'; base-uri 'none'; report-uri https://ort.wellsfargo.com/reporting/csp
Strict-Transport-Security max-age=31536000
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Content-Security-Policy
default-src https:; object-src 'none'; script-src 'nonce-8535a3d0-8aa9-4585-b1e4-2e2d5daa074d' 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com; style-src 'unsafe-inline' 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com; img-src https: data:; font-src data: 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com; frame-ancestors 'none'; base-uri 'none'; report-uri https://ort.wellsfargo.com/reporting/csp
X-Content-Type-Options
nosniff
Content-Security-Policy-Report-Only
default-src 'none'; script-src 'nonce-8535a3d0-8aa9-4585-b1e4-2e2d5daa074d' 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com; img-src data: 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com; style-src 'unsafe-inline' 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com; font-src data: 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com; connect-src 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com https://pdx-col.eum-appdynamics.com; form-action 'self' https://*.wellsfargo.com https://*.wellsfargo.com:* https://wellsfargo.com; plugin-types 'none'; frame-src 'self' https://*.wellsfargo.com https://*.wellsfargoadvisors.com https://*.wfinterface.com https://*.wellsfargomedia.com https://wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Connection
keep-alive
Content-Length
239
X-XSS-Protection
1; mode=block
Pragma
no-cache
Last-Modified
Thu, 11 Aug 2022 01:33:28 GMT
Server
KONICHIWA/1.1
X-Frame-Options
DENY
Date
Fri, 02 Sep 2022 02:34:17 GMT
Strict-Transport-Security
max-age=31536000
Content-Type
image/png
Cache-Control
no-cache, no-store, max-age=0
ETag
W/"239-1660181608000"
Accept-Ranges
bytes
Keep-Alive
timeout=600
Expires
-1
icn-ind-confirm-customer-level-glob-36x28-000720-v01-00-@1x.png
oam.wellsfargo.com/oam/static/images/
271 B
1023 B
Image
General
Full URL
https://oam.wellsfargo.com/oam/static/images/icn-ind-confirm-customer-level-glob-36x28-000720-v01-00-@1x.png
Requested by
Host: ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
URL: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
159.45.2.180 , United States, ASN10837 (WELLSFARGO-10837, US),
Reverse DNS
Software
KONICHIWA/1.1 /
Resource Hash
c3eae7afa0de88591ea3db2996b72ba0592ae63f0b9e0ffca90f03bcdab4775a
Security Headers
Name Value
Content-Security-Policy default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Strict-Transport-Security max-age=31536000; includeSubdomains;
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Date
Fri, 02 Sep 2022 02:34:18 GMT
X-Content-Type-Options
nosniff
Last-Modified
Sat, 13 Aug 2022 06:49:50 GMT
Server
KONICHIWA/1.1
X-Frame-Options
SAMEORIGIN
ETag
"62f7498e-10f"
Strict-Transport-Security
max-age=31536000; includeSubdomains;
Content-Type
image/png
Cache-Control
max-age=86400
Content-Security-Policy
default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Connection
keep-alive
Accept-Ranges
bytes
Content-Length
271
X-XSS-Protection
1; mode=block
jquery.min.js
oam.wellsfargo.com/oam/static/js/
87 KB
31 KB
Script
General
Full URL
https://oam.wellsfargo.com/oam/static/js/jquery.min.js?v=571149307C
Requested by
Host: ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
URL: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
159.45.2.180 , United States, ASN10837 (WELLSFARGO-10837, US),
Reverse DNS
Software
KONICHIWA/1.1 /
Resource Hash
f7f6a5894f1d19ddad6fa392b2ece2c5e578cbf7da4ea805b6885eb6985b6e3d
Security Headers
Name Value
Content-Security-Policy default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Strict-Transport-Security max-age=31536000; includeSubdomains;
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Date
Fri, 02 Sep 2022 02:34:17 GMT
Content-Encoding
gzip
X-Content-Type-Options
nosniff
Last-Modified
Sat, 13 Aug 2022 06:49:57 GMT
Server
KONICHIWA/1.1
X-Frame-Options
SAMEORIGIN
ETag
W/"62f74995-15d84"
Strict-Transport-Security
max-age=31536000; includeSubdomains;
Content-Type
application/javascript; charset=utf-8
Cache-Control
max-age=86400
Transfer-Encoding
chunked
Content-Security-Policy
default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Connection
keep-alive
Vary
Accept-Encoding
X-XSS-Protection
1; mode=block
nativeapp-bridge-min.js
oam.wellsfargo.com/oam/static/js/
5 KB
3 KB
Script
General
Full URL
https://oam.wellsfargo.com/oam/static/js/nativeapp-bridge-min.js?v=571149307C
Requested by
Host: ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
URL: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
159.45.2.180 , United States, ASN10837 (WELLSFARGO-10837, US),
Reverse DNS
Software
KONICHIWA/1.1 /
Resource Hash
c88f9e693aac54facd0bcabe4193977dc791ae30529a2771ae564f08ffdb9a6d
Security Headers
Name Value
Content-Security-Policy default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Strict-Transport-Security max-age=31536000; includeSubdomains;
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Date
Fri, 02 Sep 2022 02:34:17 GMT
Content-Encoding
gzip
X-Content-Type-Options
nosniff
Last-Modified
Sat, 13 Aug 2022 06:49:50 GMT
Server
KONICHIWA/1.1
X-Frame-Options
SAMEORIGIN
ETag
W/"62f7498e-12c7"
Strict-Transport-Security
max-age=31536000; includeSubdomains;
Content-Type
application/javascript; charset=utf-8
Cache-Control
max-age=86400
Transfer-Encoding
chunked
Content-Security-Policy
default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Connection
keep-alive
Vary
Accept-Encoding
X-XSS-Protection
1; mode=block
change.username.js
oam.wellsfargo.com/oam/static/js/combined/
45 KB
8 KB
Script
General
Full URL
https://oam.wellsfargo.com/oam/static/js/combined/change.username.js?v=571149307C
Requested by
Host: ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
URL: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
159.45.2.180 , United States, ASN10837 (WELLSFARGO-10837, US),
Reverse DNS
Software
KONICHIWA/1.1 /
Resource Hash
5abf3d85672a57957d2399dc0d5eb7a0becf8235b521973be6cf7be72cbd64d7
Security Headers
Name Value
Content-Security-Policy default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Strict-Transport-Security max-age=31536000; includeSubdomains;
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Date
Fri, 02 Sep 2022 02:34:17 GMT
Content-Encoding
gzip
X-Content-Type-Options
nosniff
Last-Modified
Sat, 13 Aug 2022 06:49:57 GMT
Server
KONICHIWA/1.1
X-Frame-Options
SAMEORIGIN
ETag
W/"62f74995-b2a5"
Strict-Transport-Security
max-age=31536000; includeSubdomains;
Content-Type
application/javascript; charset=utf-8
Cache-Control
max-age=86400
Transfer-Encoding
chunked
Content-Security-Policy
default-src 'self'; script-src 'self'; object-src 'self'; frame-ancestors 'self'; style-src 'self' https://wellsfargo.com https://*.wellsfargo.com; report-uri https://ort.wellsfargo.com/reporting/csp
Connection
keep-alive
Vary
Accept-Encoding
X-XSS-Protection
1; mode=block
data: URI image, 43 B, image/gif, 0 B transferred (embedded inline in the page; no server contacted, URI truncated by the scanner)
Referer: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
Resource Hash: 89fe0ee6020314794fc2cfeacf3d10c31050cfe56f8ebddf1ed0a33fbe941fa7
data: URI image, 395 B, image/png, 0 B transferred (embedded inline; no server contacted, URI truncated by the scanner)
Referer: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
Resource Hash: 00b2519c3ecb866ffc2be3565c3c5199ce0b8f07c7e627404a0253e73f00c83e
data: URI image, 2 KB, image/png, 0 B transferred (embedded inline; no server contacted, URI truncated by the scanner)
Referer: (none recorded)
Resource Hash: 1905884317b7966c4f1751ee4cb9b3b1475e09dec8ffab9e6f5cc0a007c68d36
utag.js
static.wellsfargo.com/tracking/secure-auth/
35 KB
11 KB
Script
General
Full URL
https://static.wellsfargo.com/tracking/secure-auth/utag.js
Requested by
Host: ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
URL: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
159.45.2.178 , United States, ASN10837 (WELLSFARGO-10837, US),
Reverse DNS
Software
/
Resource Hash
d760e3537667a9d208c2d46f5dbcbd8a1bbb818d868a0d46226b35eac7194558
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubdomains;
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Date
Fri, 02 Sep 2022 02:34:18 GMT
Content-Encoding
gzip
X-Content-Type-Options
nosniff
Last-Modified
Sat, 05 Feb 2022 01:06:23 GMT
X-Frame-Options
SAMEORIGIN
ETag
W/"61fdcd8f-8cd2"
Strict-Transport-Security
max-age=31536000; includeSubdomains;
Content-Type
application/javascript; charset=utf-8
Cache-Control
max-age=1800
Transfer-Encoding
chunked
Connection
keep-alive
Vary
Accept-Encoding
X-XSS-Protection
1; mode=block
data: URI image, 89 B, image/png, 0 B transferred (embedded inline; no server contacted, URI truncated by the scanner)
Referer: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
Resource Hash: 50e6072d26098d48004a30addeecabd5b22b91e5ccdf9dd86f96459783e3ac23
adrum-ext.b4436be974de477658d4a93afb752165.js
ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/oam/static/js/appd/
808 B
1015 B
Script
Note: apart from the page itself, this is the only request the phishing server received. It was issued by the hot-linked adrum-ext.js from oam.wellsfargo.com (see "Requested by" below), which resolves its second-stage file relative to the document's own origin, so the request landed on the phishing host under the same /oam/static/js/appd/ path. The 808-byte answer is text/html rather than JavaScript, so that second stage never loaded.
General
Full URL
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/oam/static/js/appd/adrum-ext.b4436be974de477658d4a93afb752165.js
Requested by
Host: oam.wellsfargo.com
URL: https://oam.wellsfargo.com/oam/static/js/appd/adrum-ext.js?v=571149307C
Protocol
HTTP/1.1
Server
67.23.254.254 Orlando, United States, ASN33182 (DIMENOC, US),
Reverse DNS
reseller-223.mco2.hostdime.com
Software
Apache /
Resource Hash
8e33419228d18b065817e0f34dfed2202cc29ca4401d434b0a442d0829633890

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Date
Fri, 02 Sep 2022 02:34:19 GMT
Server
Apache
Connection
Keep-Alive
Keep-Alive
timeout=5, max=99
Transfer-Encoding
chunked
Content-Type
text/html; charset=UTF-8
utag.5.js
static.wellsfargo.com/tracking/secure-auth/
7 KB
3 KB
Script
General
Full URL
https://static.wellsfargo.com/tracking/secure-auth/utag.5.js?utv=ut4.48.202202030106
Requested by
Host: static.wellsfargo.com
URL: https://static.wellsfargo.com/tracking/secure-auth/utag.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
159.45.2.178 , United States, ASN10837 (WELLSFARGO-10837, US),
Reverse DNS
Software
/
Resource Hash
0b44ee80e827c63eb7c8d953a67dc158c6154bdb2fea0969175e898600ecc9d2
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubdomains;
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Date
Fri, 02 Sep 2022 02:34:19 GMT
Content-Encoding
gzip
X-Content-Type-Options
nosniff
Last-Modified
Thu, 15 Jul 2021 21:15:23 GMT
X-Frame-Options
SAMEORIGIN
ETag
W/"60f0a56b-1a5d"
Strict-Transport-Security
max-age=31536000; includeSubdomains;
Content-Type
application/javascript; charset=utf-8
Cache-Control
max-age=1800
Transfer-Encoding
chunked
Connection
keep-alive
Vary
Accept-Encoding
X-XSS-Protection
1; mode=block
detector-dom.min.js
static.wellsfargo.com/tracking/gb/
333 KB
102 KB
Script
General
Full URL
https://static.wellsfargo.com/tracking/gb/detector-dom.min.js
Requested by
Host: static.wellsfargo.com
URL: https://static.wellsfargo.com/tracking/secure-auth/utag.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
159.45.2.178 , United States, ASN10837 (WELLSFARGO-10837, US),
Reverse DNS
Software
/
Resource Hash
9a5e8cb8c0d7468337c96ba9de5c90701a038a135975b1f4444bde35cb0eb212
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubdomains;
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Date
Fri, 02 Sep 2022 02:34:19 GMT
Content-Encoding
gzip
X-Content-Type-Options
nosniff
Last-Modified
Tue, 13 Apr 2021 21:15:19 GMT
X-Frame-Options
SAMEORIGIN
ETag
W/"607609e7-532b0"
Strict-Transport-Security
max-age=31536000; includeSubdomains;
Content-Type
application/javascript; charset=utf-8
Cache-Control
max-age=1800
Transfer-Encoding
chunked
Connection
keep-alive
Vary
Accept-Encoding
X-XSS-Protection
1; mode=block
cls_report
rubicon.wellsfargo.com/glassbox/reporting/0C458F45-AC71-02CE-34D8-401C8A313B38/
50 B
1 KB
XHR
Note: this session-reporting beacon (the path names Glassbox) is fired from the cloned page and is the only request that carries state: the _cls_s and _cls_v ids in the query string are the two cookies listed under Cookies below. The response reflects the phishing host's origin in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true and Vary: origin, which means a page on that origin may read the reply with cookies attached. What that is worth depends on what the endpoint returns; here it is 76 bytes of JSON, and nothing on this page shows more than a reporting receipt.
General
Full URL
https://rubicon.wellsfargo.com/glassbox/reporting/0C458F45-AC71-02CE-34D8-401C8A313B38/cls_report?_cls_s=3169a947-3e48-497d-a3c2-8946b551f47f%3A0&_cls_v=30115fb9-3355-47c4-8ef1-602eded004bc
Requested by
Host: ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
URL: http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/a/1/scd.html
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
95.101.23.205 Vienna, Austria, ASN20940 (AKAMAI-ASN1, NL),
Reverse DNS
a95-101-23-205.deploy.static.akamaitechnologies.com
Software
/
Resource Hash
721bd45c2dd46ac9372ff58395b4bb790f2b340251313ac6ebe7a0a45aff5e0d
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubdomains;
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

accept-language
no-NO,no;q=0.9
Referer
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.52 Safari/537.36

Response headers

Strict-Transport-Security
max-age=31536000; includeSubdomains;
Content-Encoding
gzip
X-Content-Type-Options
nosniff
Date
Fri, 02 Sep 2022 02:34:20 GMT
X-Frame-Options
SAMEORIGIN
Content-Type
application/json; charset=utf-8
Access-Control-Allow-Origin
http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
Access-Control-Allow-Credentials
true
Connection
keep-alive
Vary
origin, Accept-Encoding
Content-Length
76
X-XSS-Protection
1; mode=block
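The cls_report response headers are the kind of thing worth checking mechanically whenever a first-party endpoint turns up in a phishing scan. The following is an added example, not urlscan.io or Glassbox code: a classifier that, given the Origin a page sent and the response headers it got back, says whether the response is wildcard, fixed-origin, or echoes the caller's origin, and whether credentials would flow. The first header set is copied from the cls_report response above; the other two are constructed for contrast. A single response cannot tell an allowlist hit from blind reflection; the report settles that here, because the echoed origin is an unrelated phishing host.

```python
"""Classify a CORS response relative to the Origin that was sent.

Added example for this scan report; not urlscan.io or Glassbox code. The
first header set below is copied from the cls_report response in the
report; the others are constructed for contrast.
"""


def cors_verdict(origin: str, headers: dict) -> str:
    """Label how the response treats `origin`.

    "reflected" means Access-Control-Allow-Origin equals the Origin we sent;
    send a second, unrelated origin to tell an allowlist hit from an echo.
    `headers` is any mapping of header name to value; keys are normalised.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    vary_origin = "origin" in vary

    if acao is None:
        return "no-cors"  # browser blocks the cross-origin read
    if acao == "*":
        # Browsers refuse credentials with a wildcard, so ACAC is moot here.
        return "wildcard-with-credentials-ignored" if creds else "wildcard"
    if acao == "null":
        return "null-origin-allowed"  # sandboxed iframes and data: pages match
    if acao == origin:
        if not creds:
            return "reflected"
        # Caller's origin echoed back with credentials: the calling page can
        # read the body and the browser attaches cookies. Without Vary: Origin
        # a shared cache may also hand this ACAO to a different origin.
        return ("reflected-with-credentials" if vary_origin
                else "reflected-with-credentials-no-vary")
    return "fixed-origin"  # a specific, different origin is allowed


def allows_credentialed_read(origin: str, headers: dict) -> bool:
    """True when a page at `origin` could read this response with cookies attached."""
    return cors_verdict(origin, headers).startswith("reflected-with-credentials")


PHISH_ORIGIN = ("http://ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq"
                ".xzone.no")

# Response headers as recorded for the cls_report XHR in this report.
CLS_REPORT_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains;",
    "Content-Type": "application/json; charset=utf-8",
    "Access-Control-Allow-Origin": PHISH_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "origin, Accept-Encoding",
    "Content-Length": "76",
}

# Constructed contrasts (not from the report).
STATIC_CDN_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Content-Type": "application/javascript",
}
LOCKED_DOWN_HEADERS = {
    "Access-Control-Allow-Origin": "https://oam.wellsfargo.com",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
}

if __name__ == "__main__":
    for name, hdrs in [("cls_report", CLS_REPORT_HEADERS),
                       ("cdn", STATIC_CDN_HEADERS),
                       ("locked", LOCKED_DOWN_HEADERS)]:
        print(f"{name:10s} {cors_verdict(PHISH_ORIGIN, hdrs)}")
```

For the recorded headers the verdict is reflected-with-credentials; the wildcard CDN case and the fixed-allowlist case come out as wildcard and fixed-origin. Whether a reflected-with-credentials endpoint matters is a question about its response body and the cookies in scope, which is why the classifier only labels and does not score.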

Verdicts & Comments

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan: Phishing against: Wells Fargo (Banking)

39 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

  Type       Name
  object     onbeforeinput
  object     oncontextlost
  object     oncontextrestored
  function   structuredClone
  object     launchQueue
  object     onbeforematch
  object     navigation
  object     antiClickjack
  number     adrum-start-time
  object     adrum-config
  object     ADRUM
  function   $
  function   jQuery
  object     nativeapp
  object     SSEPAjax
  object     SSEPLightbox
  object     SSEPTimeoutDialog
  object     Validation
  object     SSEPNavMenu
  object     SSEPChangeUsername
  string     nonce
  undefined  isNativeApp
  undefined  cachedSize
  undefined  setMinHeight
  object     utag_data
  number     inqSiteID
  boolean    utag_condload
  string     new_path
  object     utag_cfg_ovrd
  object     userAgentArr
  object     utag
  function   isNotUndefinedOrNull
  function   getDocumentTitleLabel
  function   sendDataToGA
  boolean    __tealium_twc_switch
  function   utag_pad
  function   utag_visitor_id
  object     _detector
  undefined  optimizely

2 Cookies

Domain / Path: rubicon.wellsfargo.com/glassbox/reporting/0C458F45-AC71-02CE-34D8-401C8A313B38
  _cls_v = 30115fb9-3355-47c4-8ef1-602eded004bc
  _cls_s = 3169a947-3e48-497d-a3c2-8946b551f47f:0

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

oam.wellsfargo.com
rubicon.wellsfargo.com
static.wellsfargo.com
ywpe9v2jfwyogydzzaddswxbia6fpncmi9n8ipm4hl5eoutr7mhxrbiqrkt8tlq.xzone.no
159.45.2.178
159.45.2.180
67.23.254.254
95.101.23.205
00b2519c3ecb866ffc2be3565c3c5199ce0b8f07c7e627404a0253e73f00c83e
0b44ee80e827c63eb7c8d953a67dc158c6154bdb2fea0969175e898600ecc9d2
1905884317b7966c4f1751ee4cb9b3b1475e09dec8ffab9e6f5cc0a007c68d36
50e6072d26098d48004a30addeecabd5b22b91e5ccdf9dd86f96459783e3ac23
5767a46778dd35b2beb9c0460def99d939c57d4ee349b47342c27d82e8d0bb43
5abf3d85672a57957d2399dc0d5eb7a0becf8235b521973be6cf7be72cbd64d7
721bd45c2dd46ac9372ff58395b4bb790f2b340251313ac6ebe7a0a45aff5e0d
87b6fcccb056c907e50541ce1f161a20fa8f5c98e089b61615596cf1744ddc07
89fe0ee6020314794fc2cfeacf3d10c31050cfe56f8ebddf1ed0a33fbe941fa7
8e33419228d18b065817e0f34dfed2202cc29ca4401d434b0a442d0829633890
9a5e8cb8c0d7468337c96ba9de5c90701a038a135975b1f4444bde35cb0eb212
ae83aa0fd023bb0d3130a0572572f68f447a90b36c87d608702b353d1e3a8146
b78d57e1736f692e67a9f3e3762b84993e8984d3d7d72bc9a55e4913880ef3d7
c3eae7afa0de88591ea3db2996b72ba0592ae63f0b9e0ffca90f03bcdab4775a
c88f9e693aac54facd0bcabe4193977dc791ae30529a2771ae564f08ffdb9a6d
d760e3537667a9d208c2d46f5dbcbd8a1bbb818d868a0d46226b35eac7194558
ec04389b5b81da4ce01879e7bc68a8cc1fe2b912efb16b01ea511b80f923f79f
f7f6a5894f1d19ddad6fa392b2ece2c5e578cbf7da4ea805b6885eb6985b6e3d