urlscan.io logo urlscan.io
SecurityTrails logo

7cad22d3ba1a4f.lhr.life Open in urlscan Pro
54.172.225.3  Malicious Activity! Public Scan

Go To Rescan Add Verdict Report
Submitted URL: http://ibit.ly/oMwK
Effective URL: https://7cad22d3ba1a4f.lhr.life/verification/
Submission: On January 31 via manual from IN — Scanned from DE
 Behaviour Indicators
Similar DOM Content API
Verdicts

Summary

This website contacted 3 IPs in 3 countries across 4 domains to perform 4 HTTP transactions. The main IP is 54.172.225.3, located in Ashburn, United States and belongs to AMAZON-AES, US. The main domain is 7cad22d3ba1a4f.lhr.life.
TLS certificate: Issued by Amazon on December 31st 2021. Valid for: a year.
This is the only time 7cad22d3ba1a4f.lhr.life was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: State Bank of India (Banking)

Domain & IP information

IP Address AS Autonomous System
2 2 2606:4700:303... 13335 (CLOUDFLAR...)
1 2406:da1a:e91... 16509 (AMAZON-02)
2 54.172.225.3 14618 (AMAZON-AES)
1 2a00:1450:400... 15169 (GOOGLE)
4 3
Apex Domain
Subdomains		 Transfer
2 lhr.life
7cad22d3ba1a4f.lhr.life
315 KB
2 ibit.ly
ibit.ly — Cisco Umbrella Rank: 887444
2 KB
1 googleapis.com
fonts.googleapis.com — Cisco Umbrella Rank: 47
1007 B
1 ngrok.io
776f-2401-4900-3625-4c7e-540a-4ac4-d992-7867.in.ngrok.io
351 B
4 4
Domain Requested by
2 7cad22d3ba1a4f.lhr.life 7cad22d3ba1a4f.lhr.life
2 ibit.ly 2 redirects
1 fonts.googleapis.com 7cad22d3ba1a4f.lhr.life
1 776f-2401-4900-3625-4c7e-540a-4ac4-d992-7867.in.ngrok.io
4 4

This site contains no links.

Subject Issuer Validity Valid
localhost.run
Amazon		 2021-12-31 -
2023-01-29		 a year crt.sh
upload.video.google.com
GTS CA 1C3		 2021-12-27 -
2022-03-21		 3 months crt.sh

This page contains 1 frames:

Primary Page: https://7cad22d3ba1a4f.lhr.life/verification/
Frame ID: 53BF10D7E5858B07E5C052E123503784
Requests: 4 HTTP requests in this frame

Screenshot
Live screenshot
Full Image

Page Title

Secure Website

Page URL History Show full URLs

  1. http://ibit.ly/oMwK HTTP 301
    https://ibit.ly/oMwK HTTP 301
    http://776f-2401-4900-3625-4c7e-540a-4ac4-d992-7867.in.ngrok.io/ Page URL
  2. https://7cad22d3ba1a4f.lhr.life/verification/ Page URL

Detected technologies

Overall confidence: 100%
Detected patterns
  • <link[^>]* href=[^>]+fonts\.(?:googleapis|google)\.com

Page Statistics

4
Requests

75 %
HTTPS

75 %
IPv6

4
Domains

4
Subdomains

3
IPs

3
Countries

316 kB
Transfer

316 kB
Size

2
Cookies

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

  1. http://ibit.ly/oMwK HTTP 301
    https://ibit.ly/oMwK HTTP 301
    http://776f-2401-4900-3625-4c7e-540a-4ac4-d992-7867.in.ngrok.io/ Page URL
  2. https://7cad22d3ba1a4f.lhr.life/verification/ Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 0
  • http://ibit.ly/oMwK HTTP 301
  • https://ibit.ly/oMwK HTTP 301
  • http://776f-2401-4900-3625-4c7e-540a-4ac4-d992-7867.in.ngrok.io/

4 HTTP transactions

Resource
Path		 Size
x-fer		 Type
MIME-Type
/
776f-2401-4900-3625-4c7e-540a-4ac4-d992-7867.in.ngrok.io/
Redirect Chain
  • http://ibit.ly/oMwK
  • https://ibit.ly/oMwK
  • http://776f-2401-4900-3625-4c7e-540a-4ac4-d992-7867.in.ngrok.io/
94 B
351 B 		Document
General
Check archive.org
Download Go to
Full URL
http://776f-2401-4900-3625-4c7e-540a-4ac4-d992-7867.in.ngrok.io/
Protocol
HTTP/1.1
Server
2406:da1a:e91:9300::6e:0 Mumbai, India, ASN16509 (AMAZON-02, US),
Reverse DNS
Software
Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31 / PHP/7.3.31
Resource Hash
d2bd5d2bc787bbffc34f79fe4ddf868c19b42abbae1bdef85dae60b0dde89c8f

Request headers

Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Language
de-DE,de;q=0.9

Response headers

Content-Length
94
Content-Type
text/html; charset=UTF-8
Date
Mon, 31 Jan 2022 06:40:19 GMT
Ngrok-Agent-Ips
2401:4900:3625:4c7e:540a:4ac4:d992:7867
Server
Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31
X-Powered-By
PHP/7.3.31

Redirect headers

date
Mon, 31 Jan 2022 06:40:18 GMT
content-type
text/html; charset=UTF-8
location
http://776f-2401-4900-3625-4c7e-540a-4ac4-d992-7867.in.ngrok.io/
x-content-type-options
nosniff
x-frame-options
SAMEORIGIN
x-whom
tly-2
x-xss-protection
1; mode=block
cf-cache-status
DYNAMIC
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to
{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NjztKtN%2BW%2BYXsajBV6HRlXinTiFp5QIRsZqDkV5HT%2BRXMXfaGYbKPDekfXOcrqMy%2BAG8vr0ALVhLfXM01sGvl%2Bc12g%2B1PiCi2g%2FKnRRJZg3ecoQtHjgUi7m2gp%2Bh1wZf458dN21E"}],"group":"cf-nel","max_age":604800}
nel
{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
strict-transport-security
max-age=15552000; includeSubDomains; preload
server
cloudflare
cf-ray
6d60f2a03c169182-FRA
alt-svc
h3=":443"; ma=86400, h3-29=":443"; ma=86400
Primary Request /
7cad22d3ba1a4f.lhr.life/verification/ 		880 B
1 KB 		Document
General
Check archive.org
Download Go to
Full URL
https://7cad22d3ba1a4f.lhr.life/verification/
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_128_GCM
Server
54.172.225.3 Ashburn, United States, ASN14618 (AMAZON-AES, US),
Reverse DNS
ec2-54-172-225-3.compute-1.amazonaws.com
Software
Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31 / PHP/7.3.31
Resource Hash
a0370a53861190ae1119b2a54e455555c1453b08c073f5c4d56ef1dfa172e305

Request headers

Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept-Language
de-DE,de;q=0.9
Referer
http://776f-2401-4900-3625-4c7e-540a-4ac4-d992-7867.in.ngrok.io/

Response headers

Date
Mon, 31 Jan 2022 06:40:20 GMT
Server
Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31
X-Powered-By
PHP/7.3.31
Content-Length
880
Keep-Alive
timeout=5, max=100
Connection
Keep-Alive
Content-Type
text/html; charset=UTF-8
css
fonts.googleapis.com/ 		2 KB
1007 B 		Stylesheet
General
Check archive.org
Download Go to
Full URL
https://fonts.googleapis.com/css?family=Ubuntu+Condensed
Requested by
Host: 7cad22d3ba1a4f.lhr.life
URL: https://7cad22d3ba1a4f.lhr.life/verification/
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:831::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
ESF /
Resource Hash
3d83f5dd72fd22a364420ba7bf34d87a6ed5c44b415d80bc569ccb82802f4989
Security Headers
Name Value
Strict-Transport-Security max-age=31536000
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Accept-Language
de-DE,de;q=0.9
Referer
https://7cad22d3ba1a4f.lhr.life/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

Response headers

strict-transport-security
max-age=31536000
content-encoding
gzip
x-content-type-options
nosniff
cross-origin-resource-policy
cross-origin
alt-svc
h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
x-xss-protection
0
last-modified
Mon, 31 Jan 2022 05:26:34 GMT
server
ESF
cross-origin-opener-policy
same-origin-allow-popups
date
Mon, 31 Jan 2022 06:40:20 GMT
x-frame-options
SAMEORIGIN
content-type
text/css; charset=utf-8
access-control-allow-origin
*
cache-control
private, max-age=86400, stale-while-revalidate=604800
timing-allow-origin
*
link
<https://fonts.gstatic.com>; rel=preconnect; crossorigin
expires
Mon, 31 Jan 2022 06:40:20 GMT
look.jpg
7cad22d3ba1a4f.lhr.life/verification/ 		313 KB
314 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://7cad22d3ba1a4f.lhr.life/verification/look.jpg
Requested by
Host: 7cad22d3ba1a4f.lhr.life
URL: https://7cad22d3ba1a4f.lhr.life/verification/
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_128_GCM
Server
54.172.225.3 Ashburn, United States, ASN14618 (AMAZON-AES, US),
Reverse DNS
ec2-54-172-225-3.compute-1.amazonaws.com
Software
Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31 /
Resource Hash
f26cd63251bcad4975ccd13226f76eb7aa48a041619606fb641b26de9c0c1f02

Request headers

Accept-Language
de-DE,de;q=0.9
Referer
https://7cad22d3ba1a4f.lhr.life/verification/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

Response headers

Date
Mon, 31 Jan 2022 06:40:20 GMT
Last-Modified
Sun, 23 Jan 2022 10:19:26 GMT
Server
Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31
ETag
"4e5a5-5d63d2fbfc780"
Content-Type
image/jpeg
Connection
Keep-Alive
Accept-Ranges
bytes
Keep-Alive
timeout=5, max=99
Content-Length
320933

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: State Bank of India (Banking)

1 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

function| hideURLbar

2 Cookies

Domain/Path Name / Value
ibit.ly/ Name: XSRF-TOKEN
Value: eyJpdiI6IlFxSmJaZnNLM3lyMmlURTNtd2dML1E9PSIsInZhbHVlIjoiV0lGOWh1ZzQ5bmQxYWRSQWRLVTJqWEZiMVY5UUQxODRpOUFNcWdHdWROZ3JnRjk5UzErN3Y0djdkK0Ryekd1dFNseEttTTVUU2FsdTFzZzlpVUNMdUVhenNuTTU0WktTOEtSTjdKd0FVajkvamtXbGhodEI1S253QnlodnpuTzUiLCJtYWMiOiJmMmFjYzhhNTRkZWE2ZTlkMjkxOGUyNjZhNDk0NTE0NzQzYjI1YTRjNjJlMTA4YWFkYzAxMjM1YjhhNThiZmI5IiwidGFnIjoiIn0%3D
ibit.ly/ Name: tly_session
Value: eyJpdiI6IkhaSXMxKy9UN0FLYnBPWWhia1pxbWc9PSIsInZhbHVlIjoidUNybnpVcjZnTjdyMFA0TExCZytMc2xaZjB4ZFhMY1BjVnZlOUdhemNVSjhFMGdkQlhlYldPaUlkcXVpKytDYktwVE93c2VxemVxTUN2R05Ib2d4SHJ6YTEwWm1qWnlnMkc3L3l1V2YxZ01sWGZwa1FqZk9SSnFyeE5yaWJQR2EiLCJtYWMiOiJhZjc2NGZkZTY4NTRjZDM2MzVmYzhiNjVmNjM0OTQ0M2FkNzcyZDIzNWE3Zjc0YzY0NTEwOTQwZTgzNDk0ZjZjIiwidGFnIjoiIn0%3D