urlscan.io logo urlscan.io
SecurityTrails logo

estoniana.za.com Open in urlscan Pro
81.17.30.236  Malicious Activity! Public Scan

Go To Rescan Add Verdict Report
Submitted URL: https://etc.onl/ewSVj
Effective URL: https://estoniana.za.com/wp-includes/ain/tnymcba/pmsit/verifica.Upgrade_arubamailbox.my_account.sign_in.arubaJxsp/uprdejs...
Submission: On October 23 via manual from ES — Scanned from NL
 Behaviour Indicators
Similar DOM Content API
Verdicts

Summary

This website contacted 2 IPs in 2 countries across 3 domains to perform 4 HTTP transactions. The main IP is 81.17.30.236, located in Zurich, Switzerland and belongs to PLI-AS, PA. The main domain is estoniana.za.com.
TLS certificate: Issued by R11 on October 16th 2024. Valid for: 3 months.
This is the only time estoniana.za.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Aruba (Online)

Domain & IP information

IP Address AS Autonomous System
1 1 2606:4700:303... 13335 (CLOUDFLAR...)
1 81.17.30.236 51852 (PLI-AS)
3 199.232.192.193 54113 (FASTLY)
4 2
Apex Domain
Subdomains		 Transfer
3 imgur.com
i.imgur.com — Cisco Umbrella Rank: 8556
261 KB
1 za.com
estoniana.za.com
33 KB
1 etc.onl
etc.onl
2 KB
4 3
Domain Requested by
3 i.imgur.com estoniana.za.com
1 estoniana.za.com
1 etc.onl 1 redirects
4 3

This site contains no links.

Subject Issuer Validity Valid
estoniana.za.com
R11		 2024-10-16 -
2025-01-14		 3 months crt.sh
*.imgur.com
Sectigo RSA Domain Validation Secure Server CA		 2024-02-15 -
2025-02-14		 a year crt.sh

This page contains 1 frames:

Primary Page: https://estoniana.za.com/wp-includes/ain/tnymcba/pmsit/verifica.Upgrade_arubamailbox.my_account.sign_in.arubaJxsp/uprdejspxm.htm
Frame ID: 3736366BE3081274128E586CD2428328
Requests: 4 HTTP requests in this frame

Screenshot
Live screenshot
Full Image

Page Title

Webmail Aruba

Page URL History Show full URLs

  1. https://etc.onl/ewSVj HTTP 301
    https://estoniana.za.com/wp-includes/ain/tnymcba/pmsit/verifica.Upgrade_arubamailbox.my_account.sign_... Page URL

Detected technologies

Overall confidence: 100%
Detected patterns
  • /wp-(?:content|includes)/

Page Statistics

4
Requests

100 %
HTTPS

33 %
IPv6

3
Domains

3
Subdomains

2
IPs

2
Countries

294 kB
Transfer

292 kB
Size

2
Cookies

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

  1. https://etc.onl/ewSVj HTTP 301
    https://estoniana.za.com/wp-includes/ain/tnymcba/pmsit/verifica.Upgrade_arubamailbox.my_account.sign_in.arubaJxsp/uprdejspxm.htm Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

4 HTTP transactions

Resource
Path		 Size
x-fer		 Type
MIME-Type
Primary Request uprdejspxm.htm
estoniana.za.com/wp-includes/ain/tnymcba/pmsit/verifica.Upgrade_arubamailbox.my_account.sign_in.arubaJxsp/
Redirect Chain
  • https://etc.onl/ewSVj
  • https://estoniana.za.com/wp-includes/ain/tnymcba/pmsit/verifica.Upgrade_arubamailbox.my_account.sign_in.arubaJxsp/uprdejspxm.htm
33 KB
33 KB 		Document
General
Check archive.org
Download Go to
Full URL
https://estoniana.za.com/wp-includes/ain/tnymcba/pmsit/verifica.Upgrade_arubamailbox.my_account.sign_in.arubaJxsp/uprdejspxm.htm
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_128_GCM
Server
81.17.30.236 Zurich, Switzerland, ASN51852 (PLI-AS, PA),
Reverse DNS
hostedby.privatelayer.com
Software
Apache /
Resource Hash
b14de29a669275cfd2982aede78c38c4d1816f51914506c3ed6ad48a8431d125

Request headers

Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36

Response headers

Accept-Ranges
bytes
Connection
Keep-Alive
Content-Length
33464
Content-Type
text/html
Date
Wed, 23 Oct 2024 15:25:22 GMT
Keep-Alive
timeout=5, max=100
Last-Modified
Wed, 23 Oct 2024 14:08:18 GMT
Server
Apache

Redirect headers

alt-svc
h3=":443"; ma=86400
cache-control
no-cache, no-store, private
cf-cache-status
DYNAMIC
cf-ray
8d72bd3e4ad1d0bd-AMS
content-type
text/html; charset=UTF-8
date
Wed, 23 Oct 2024 15:25:22 GMT
expires
-1
location
https://estoniana.za.com/wp-includes/ain/tnymcba/pmsit/verifica.Upgrade_arubamailbox.my_account.sign_in.arubaJxsp/uprdejspxm.htm
nel
{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
pragma
no-cache
report-to
{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qP4AGMnT2Bre%2ByIKbNTOYZRfF%2BZgXMb4I5i9SdKp5rIx4%2BgpXlIUoSQkZFOOQ0kibYhIVxjEldgOsawIsx%2BHDP6t5oI4xe0YoMFTRoWSXarp%2B4kGqNenoTI8c6Xok%2BwOjO%2Fxpg9F"}],"group":"cf-nel","max_age":604800}
server
cloudflare
server-timing
cfL4;desc="?proto=TCP&rtt=21159&sent=8&recv=13&lost=0&retrans=0&sent_bytes=3993&recv_bytes=2310&delivery_rate=262126&cwnd=254&unsent_bytes=0&cid=f23d3fd5db34b594&ts=1350&x=0"
SCSPzi4.png
i.imgur.com/ 		2 KB
2 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://i.imgur.com/SCSPzi4.png
Requested by
Host: estoniana.za.com
URL: https://estoniana.za.com/wp-includes/ain/tnymcba/pmsit/verifica.Upgrade_arubamailbox.my_account.sign_in.arubaJxsp/uprdejspxm.htm
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
199.232.192.193 , United States, ASN54113 (FASTLY, US),
Reverse DNS
Software
cat factory 1.0 /
Resource Hash
3b7a295f7a4bab99ddaedb9798544a95e579a4efce4b3170c936f240026cca32
Security Headers
Name Value
Strict-Transport-Security max-age=300
X-Content-Type-Options nosniff

Request headers

User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer
https://estoniana.za.com/

Response headers

etag
"55c93dd10c32a4bbb55b9db8028780ca"
age
1876576
access-control-allow-methods
GET, OPTIONS
x-content-type-options
nosniff
x-cache
Miss from cloudfront, HIT, HIT
x-amz-cf-id
lBeNO1luRIUW1MTdVEG9oFUcKytRmW_QAel38ui0ACh2IhS8m-6IZA==
date
Wed, 23 Oct 2024 15:25:23 GMT
content-type
image/png
last-modified
Wed, 17 Jan 2024 17:34:39 GMT
x-cache-hits
43, 3
x-served-by
cache-iad-kiad7000162-IAD, cache-ams21056-AMS
strict-transport-security
max-age=300
cache-control
public, max-age=31536000
x-timer
S1729697124.784110,VS0,VE0
accept-ranges
bytes
access-control-allow-origin
*
content-length
1906
x-amz-cf-pop
IAD89-P1
server
cat factory 1.0
x-amz-server-side-encryption
AES256
XQfyneH.png
i.imgur.com/ 		257 KB
257 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://i.imgur.com/XQfyneH.png
Requested by
Host: estoniana.za.com
URL: https://estoniana.za.com/wp-includes/ain/tnymcba/pmsit/verifica.Upgrade_arubamailbox.my_account.sign_in.arubaJxsp/uprdejspxm.htm
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
199.232.192.193 , United States, ASN54113 (FASTLY, US),
Reverse DNS
Software
cat factory 1.0 /
Resource Hash
cbe439d2bbb0367798048b063d99b1fd2355837d4ecc856407e50c4141f9d7f2
Security Headers
Name Value
Strict-Transport-Security max-age=300
X-Content-Type-Options nosniff

Request headers

User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer
https://estoniana.za.com/

Response headers

etag
"2c3c8a811d861705c03229a5833646f6"
age
497710
access-control-allow-methods
GET, OPTIONS
x-content-type-options
nosniff
x-cache
Miss from cloudfront, MISS, HIT
x-amz-cf-id
9PFaiQWveTm1S4d61JX-PTP8dfn_VBCVUgKRdfRySiGP-h0wtvmVfw==
date
Wed, 23 Oct 2024 15:25:23 GMT
content-type
image/png
last-modified
Thu, 17 Oct 2024 21:10:13 GMT
x-cache-hits
0, 0
x-served-by
cache-iad-kcgs7200073-IAD, cache-ams21056-AMS
strict-transport-security
max-age=300
cache-control
public, max-age=31536000
x-timer
S1729697124.784148,VS0,VE1
accept-ranges
bytes
access-control-allow-origin
*
content-length
263254
x-amz-cf-pop
IAD89-P1
server
cat factory 1.0
x-amz-server-side-encryption
AES256
20hdBFK.png
i.imgur.com/ 		609 B
850 B 		Other
General
Check archive.org
Download Go to
Full URL
https://i.imgur.com/20hdBFK.png
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
199.232.192.193 , United States, ASN54113 (FASTLY, US),
Reverse DNS
Software
cat factory 1.0 /
Resource Hash
ca8abfd1e71a10c486a26be86954293c5f62e1ff94ac52f9270a41c285243c5a
Security Headers
Name Value
Strict-Transport-Security max-age=300
X-Content-Type-Options nosniff

Request headers

User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Referer
https://estoniana.za.com/

Response headers

etag
"0ecb135733886ee9f5b6b3fb54baa6cf"
age
175947
access-control-allow-methods
GET, OPTIONS
x-content-type-options
nosniff
x-cache
Miss from cloudfront, HIT, HIT
x-amz-cf-id
eN1nXsORYJ8_cC2jUAZmwzN5rLNWZP7SpF4z_CaAb_4fwuNeDYC0vw==
date
Wed, 23 Oct 2024 15:25:24 GMT
content-type
image/png
last-modified
Tue, 31 May 2022 07:42:56 GMT
x-cache-hits
232, 3
x-served-by
cache-iad-kiad7000120-IAD, cache-ams21056-AMS
strict-transport-security
max-age=300
cache-control
public, max-age=31536000
x-timer
S1729697124.205386,VS0,VE0
accept-ranges
bytes
access-control-allow-origin
*
content-length
609
x-amz-cf-pop
IAD55-P7
server
cat factory 1.0

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Aruba (Online)

8 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

function| _TnvD4h58gdI59ysb45Rcn1oyyI8S39T7LDG0U0DYCLNKHpfo function| _XEs5oG59W9h3nQY3KK8NBxY057j0R63Uw28gpAf7xXMfV5kvM object| _$ object| _LaIQ84Ms8rZH09r8gfj8EH9A25CgyT2Ksb3MIs37q number| _SpP66Vb3kXEg95Sa9o2uD98LO object| _JJvC0a2dy0Wh421p9aNS4g object| _VFrGvH27MR9xPiQ64 object| _BwtI52wKNbxUdf1qZTJ26m5Ak5BI

2 Cookies

Domain/Path Name / Value
etc.onl/ Name: XSRF-TOKEN
Value: eyJpdiI6ImdGcnhHQ3k1THBJeVlhdVZBbmM4WGc9PSIsInZhbHVlIjoidGY3VXpUR3VKbUtyL0c5WHVqNlo4ODM2a2tNcm0yM0h3M0MyNkRjSVlBSmh6REMraVc0NkwrSStPYVNUd2dCTEh2bG0yTzg3T3VNR3Mzdlo1aUp6L3o4dXd0WHBtOEJMclcvMGdtTEQzQ1d4VHhKTUsyV3NWQ3U5TCs3cUdsTk8iLCJtYWMiOiI3MzA3ZmFjNjdjN2Y3ZDg4ZjIxMzlhNmUwYzRhYmNlMTg2ZTM5ZGUyZjMwMjQwYWZlM2U4M2NmMzM4NmMzZjNkIiwidGFnIjoiIn0%3D
etc.onl/ Name: etconl_free_url_shortner_session
Value: eyJpdiI6ImRaUUR6WUZaTmxCeEpOYVVnM0RabGc9PSIsInZhbHVlIjoiK000bGNPTVZKb091TndJd1lYOFhqNDEzNWVFNFBxTHFLSzh0SWt5aEU5cEY4dTV5R3VHZGJVWVlNaUlNNmQxb2hFREQ2eFltTkVuR21qR2VEMjVoRXpDSzhLSVo5MDV4a0RiT2ZTQURpT0lNeEV2YWNTS3NtMGFWZnNzSXFucisiLCJtYWMiOiJiMDM2OWQwYTcwZDlkNTFmNTAxNGY0NTJjMDdiNzM5MGM5ZDA4NTRmOTdlMzAwYzllYjdhNzAxZTI4OGJkNTUxIiwidGFnIjoiIn0%3D

1 Console Messages

Source Level URL
Text
recommendation verbose URL: https://estoniana.za.com/wp-includes/ain/tnymcba/pmsit/verifica.Upgrade_arubamailbox.my_account.sign_in.arubaJxsp/uprdejspxm.htm
Message:
[DOM] Input elements should have autocomplete attributes (suggested: "current-password"): (More info: https://goo.gl/9p2vKq) %o