URL: https://neitflix-ar.com/oam-login.php
Submission Tags: falconsandbox
Submission: On February 11 via api from US — Scanned from DE

Summary

This website contacted 4 IPs in 2 countries across 5 domains to perform 7 HTTP transactions. The main IP is 192.185.71.15, located in United States and belongs to UNIFIEDLAYER-AS-1, US. The main domain is neitflix-ar.com.
TLS certificate: Issued by R3 on February 8th 2022. Valid for: 3 months.
This is the only time neitflix-ar.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Netflix (Online)

Domain & IP information

IP Address AS Autonomous System
3 192.185.71.15 46606 (UNIFIEDLA...)
2 2 195.154.113.3 12876 (Online SAS)
1 163.172.59.20 12876 (Online SAS)
1 2a00:86c0:209... 40027 (NETFLIX-ASN)
7 4
Apex Domain
Subdomains
Transfer
3 neitflix-ar.com
neitflix-ar.com
20 KB
2 top4top.io
3.top4top.io
i.top4top.io
1 MB
1 nflxext.com
assets.nflxext.com — Cisco Umbrella Rank: 4787
78 KB
1 top4top.net
3.top4top.net
88 B
0 holmanonline.com Failed
assets.nflxext.holmanonline.com Failed
7 5
Domain Requested by
3 neitflix-ar.com neitflix-ar.com
1 assets.nflxext.com neitflix-ar.com
1 i.top4top.io neitflix-ar.com
1 3.top4top.io 1 redirects
1 3.top4top.net 1 redirects
0 assets.nflxext.holmanonline.com Failed neitflix-ar.com
7 6

This site contains no links.

Subject Issuer Validity Valid
neitflix-ar.com.probusinesscompany.com
R3
2022-02-08 -
2022-05-09
3 months crt.sh
*.1.nflxso.net
DigiCert TLS RSA SHA256 2020 CA1
2022-02-03 -
2022-03-08
a month crt.sh

This page contains 1 frames:

Primary Page: https://neitflix-ar.com/oam-login.php
Frame ID: 02FB77EC3E0D4311BEA08E05E83579AE
Requests: 7 HTTP requests in this frame

Screenshot

Page Title

Netflix

Detected technologies

Overall confidence: 100%
Detected patterns
  • \.php(?:$|\?)

Overall confidence: 100%
Detected patterns
  • <[^>]+data-react

Page Statistics

7
Requests

57 %
HTTPS

25 %
IPv6

5
Domains

6
Subdomains

4
IPs

2
Countries

1567 kB
Transfer

1632 kB
Size

0
Cookies

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 4
  • https://3.top4top.net/p_142705xbg1.png HTTP 301
  • https://3.top4top.io/p_142705xbg1.png HTTP 302
  • https://i.top4top.io/p_142705xbg1.png

7 HTTP transactions

Resource
Path
Size
x-fer
Type
MIME-Type
Primary Request oam-login.php
neitflix-ar.com/
4 KB
1 KB
Document
General
Full URL
https://neitflix-ar.com/oam-login.php
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
192.185.71.15 , United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS
gator4185.hostgator.com
Software
Apache /
Resource Hash
d4f860902b5016f6f716623feab9195e24a47d242231dda667fa712e43776a8c

Request headers

Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36
Accept-Language
de-DE,de;q=0.9

Response headers

vary
Accept-Encoding
content-encoding
gzip
content-length
1406
content-type
text/html; charset=UTF-8
date
Fri, 11 Feb 2022 14:15:18 GMT
server
Apache
z.css
neitflix-ar.com/css/
35 KB
8 KB
Stylesheet
General
Full URL
https://neitflix-ar.com/css/z.css
Requested by
Host: neitflix-ar.com
URL: https://neitflix-ar.com/oam-login.php
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
192.185.71.15 , United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS
gator4185.hostgator.com
Software
Apache /
Resource Hash
865ff2ca0947e876f04a570a09633832091736c24e78366ae0dfbe6bceb11057

Request headers

Accept-Language
de-DE,de;q=0.9
Referer
https://neitflix-ar.com/oam-login.php
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36

Response headers

date
Fri, 11 Feb 2022 14:15:20 GMT
content-encoding
gzip
last-modified
Thu, 28 Nov 2019 22:46:58 GMT
server
Apache
vary
Accept-Encoding
content-type
text/css
accept-ranges
bytes
content-length
8516
a.css
neitflix-ar.com/css/
49 KB
10 KB
Stylesheet
General
Full URL
https://neitflix-ar.com/css/a.css
Requested by
Host: neitflix-ar.com
URL: https://neitflix-ar.com/oam-login.php
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
192.185.71.15 , United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS
gator4185.hostgator.com
Software
Apache /
Resource Hash
698fb5d54408ab060621f9ea2afe61243bc13b693d92fde9f59e4a2fe6d986cd

Request headers

Accept-Language
de-DE,de;q=0.9
Referer
https://neitflix-ar.com/oam-login.php
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36

Response headers

date
Fri, 11 Feb 2022 14:15:20 GMT
content-encoding
gzip
last-modified
Thu, 28 Nov 2019 22:34:00 GMT
server
Apache
vary
Accept-Encoding
content-type
text/css
accept-ranges
bytes
content-length
10316
Modernizr-2.5.3.forms.js
assets.nflxext.holmanonline.com/webalizer/images/modernizr.com/
0
0

html5Forms.js
assets.nflxext.holmanonline.com/webalizer/images/
0
0

p_142705xbg1.png
i.top4top.io/
Redirect Chain
  • https://3.top4top.net/p_142705xbg1.png
  • https://3.top4top.io/p_142705xbg1.png
  • https://i.top4top.io/p_142705xbg1.png
1 MB
1 MB
Image
General
Full URL
https://i.top4top.io/p_142705xbg1.png
Requested by
Host: neitflix-ar.com
URL: https://neitflix-ar.com/css/a.css
Protocol
H2
Server
163.172.59.20 , France, ASN12876 (Online SAS, FR),
Reverse DNS
163-172-59-20.rev.poneytelecom.eu
Software
nginx /
Resource Hash
ff9c631a863e781506433428ad7577bfea44b8e1bcfdbf04fe90df72c2ff9940

Request headers

Accept-Language
de-DE,de;q=0.9
Referer
https://neitflix-ar.com/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36

Response headers

x-file-id
x30528836x
date
Fri, 11 Feb 2022 14:15:20 GMT
last-modified
Thu, 28 Nov 2019 14:39:59 GMT
server
nginx
etag
"5ddfdc3f-16ebf7"
content-type
image/png
cache-control
max-age=7200
content-disposition
inline; filename="netbackround.PNG"
accept-ranges
bytes
content-length
1502199
expires
Fri, 11 Feb 2022 16:15:20 GMT

Redirect headers

location
https://i.top4top.io/p_142705xbg1.png
date
Fri, 11 Feb 2022 14:15:20 GMT
server
nginx
content-length
59
vary
Accept
content-type
text/plain; charset=utf-8
nf-icon-v1-80.woff
assets.nflxext.com/ffe/siteui/fonts/
78 KB
78 KB
Font
General
Full URL
https://assets.nflxext.com/ffe/siteui/fonts/nf-icon-v1-80.woff
Requested by
Host: neitflix-ar.com
URL: https://neitflix-ar.com/css/z.css
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_128_GCM
Server
2a00:86c0:2090::1 , United States, ASN40027 (NETFLIX-ASN, US),
Reverse DNS
Software
nginx /
Resource Hash
2555364bdd6374d0c273c69322f2f78554c02fe630ee6582eeb2d2c9031d1a9d

Request headers

Referer
https://neitflix-ar.com/
Origin
https://neitflix-ar.com
Accept-Language
de-DE,de;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36

Response headers

Date
Fri, 11 Feb 2022 14:15:20 GMT
Last-Modified
Thu, 28 Jan 2016 20:46:04 GMT
Server
nginx
Content-MD5
GkWpE2r/FESZk08OjSTsgQ==
Content-Type
font/woff
Access-Control-Allow-Origin
*
Cache-Control
max-age=604801
Connection
keep-alive
Accept-Ranges
bytes
Content-Length
79392
Expires
Fri, 18 Feb 2022 14:15:21 GMT

Failed requests

These URLs were requested, but there was no response received. You will also see them in the list above.

Domain
assets.nflxext.holmanonline.com
URL
http://assets.nflxext.holmanonline.com/webalizer/images/modernizr.com/Modernizr-2.5.3.forms.js
Domain
assets.nflxext.holmanonline.com
URL
http://assets.nflxext.holmanonline.com/webalizer/images/html5Forms.js

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Netflix (Online)

1 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

function| structuredClone

0 Cookies

2 Console Messages

Source Level URL
Text
security error URL: https://neitflix-ar.com/oam-login.php
Message:
Mixed Content: The page at 'https://neitflix-ar.com/oam-login.php' was loaded over HTTPS, but requested an insecure script 'http://assets.nflxext.holmanonline.com/webalizer/images/modernizr.com/Modernizr-2.5.3.forms.js'. This request has been blocked; the content must be served over HTTPS.
security error URL: https://neitflix-ar.com/oam-login.php
Message:
Mixed Content: The page at 'https://neitflix-ar.com/oam-login.php' was loaded over HTTPS, but requested an insecure script 'http://assets.nflxext.holmanonline.com/webalizer/images/html5Forms.js'. This request has been blocked; the content must be served over HTTPS.