urlscan.io scan: coinbase.21989-4491.s2.webspace.re (91.218.65.223)
Malicious Activity! Public Scan

Submitted URL: https://t.co/sA71Xl5qV7
Effective URL: https://coinbase.21989-4491.s2.webspace.re/coinbase/
Submission: November 28, 2022, via manual from NL; scanned from NL

Summary

This website contacted 4 IPs in 3 countries across 6 domains to perform 9 HTTP transactions. The main IP is 91.218.65.223, located in Frankfurt am Main, Germany, and belongs to SYNLINQ (synlinq.de, DE). The main domain is coinbase.21989-4491.s2.webspace.re: the brand name appears only as the leftmost label of a subdomain under the unrelated apex webspace.re.
TLS certificate: issued by R3 (Let's Encrypt's intermediate) on November 25th 2022, three days before this scan. Valid for: 3 months.
This is the only time coinbase.21989-4491.s2.webspace.re was scanned on urlscan.io.

urlscan.io Verdict: Potentially Malicious

Community Verdicts: Malicious (2 votes)

Domain & IP information

IP addresses (redirects | requests | IP address | AS):
  - | 1 | 104.244.42.197  | AS13414 (TWITTER)
  1 | 1 | 3.228.239.40    | AS14618 (AMAZON-AES)
  1 | 1 | 45.126.58.78    | AS132647 (IDNIC-PAN...)
  - | 1 | 185.239.208.33  | AS51167 (CONTABO)
  - | 1 | 173.212.219.206 | AS51167 (CONTABO)
  1 | 7 | 91.218.65.223   | AS44486 (SYNLINQ s...)
  Totals: 9 requests, 4 IPs. Per-row request counts include redirect responses; the two IPs seen only in redirect responses are listed here but are not counted in the 4-IP total.

Apex domains (requests | apex domain | subdomains | transfer):
  7 | webspace.re        | coinbase.21989-4491.s2.webspace.re | 21 KB
  1 | civiltob.com       | civiltob.com      | 357 B
  1 | hamayattibabe.com  | hamayattibabe.com | 351 B
  1 | s.id (Cisco Umbrella rank 121249)      | s.id       | 176 B
  1 | rebrand.ly (Cisco Umbrella rank 48792) | rebrand.ly | 278 B
  1 | t.co (Cisco Umbrella rank 497)         | t.co       | 550 B
  Totals: 9 requests, 6 apex domains

Domains (requests | domain | redirects | requested by):
  7 | coinbase.21989-4491.s2.webspace.re | 1 redirect | coinbase.21989-4491.s2.webspace.re
  1 | civiltob.com       | -          | (not recorded)
  1 | hamayattibabe.com  | -          | t.co
  1 | s.id               | 1 redirect | -
  1 | rebrand.ly         | 1 redirect | -
  1 | t.co               | -          | -
  Totals: 9 requests, 6 domains

This site contains links to these domains (also see Links): coinbase.com

TLS certificates (subject | issuer | validity | valid for):
  t.co                               | DigiCert TLS Hybrid ECC SHA384 2020 CA1 | 2022-03-07 to 2023-03-06 | a year (crt.sh)
  hamayattibabe.com                  | cPanel, Inc. Certification Authority    | 2022-09-17 to 2022-12-16 | 3 months (crt.sh)
  *.civiltob.com                     | R3                                      | 2022-10-27 to 2023-01-25 | 3 months (crt.sh)
  coinbase.21989-4491.s2.webspace.re | R3                                      | 2022-11-25 to 2023-02-23 | 3 months (crt.sh)
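Two of the signals in this table, the brand name sitting in a subdomain label under an unrelated apex and a certificate issued days before the scan, are easy to automate. The Python below is an added example written for this page, not code from urlscan.io. It hard-codes the four certificate rows above and the scan date as constructed data, approximates the registrable domain as the last two labels (a real deployment should use the Public Suffix List), and assumes a brand watchlist (BRANDS, BRAND_APEXES) and a 7-day freshness threshold, none of which come from the report.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Scan date and certificate rows are constructed from this report's TLS table,
# not fetched live (example data, not urlscan.io's own code).
SCAN_DATE = date(2022, 11, 28)


@dataclass(frozen=True)
class CertRecord:
    subject: str      # hostname (or wildcard) the certificate was issued for
    issuer: str       # issuing CA as shown in the report
    not_before: date
    not_after: date


CERTS = [
    CertRecord("t.co", "DigiCert TLS Hybrid ECC SHA384 2020 CA1", date(2022, 3, 7), date(2023, 3, 6)),
    CertRecord("hamayattibabe.com", "cPanel, Inc. Certification Authority", date(2022, 9, 17), date(2022, 12, 16)),
    CertRecord("*.civiltob.com", "R3", date(2022, 10, 27), date(2023, 1, 25)),
    CertRecord("coinbase.21989-4491.s2.webspace.re", "R3", date(2022, 11, 25), date(2023, 2, 23)),
]

# Assumptions: an analyst-maintained brand watchlist and the apex domains those brands own.
BRANDS = {"coinbase"}
BRAND_APEXES = {"coinbase.com"}
FRESH_CERT_DAYS = 7   # assumption: "issued within a week of the scan" is worth a flag


def normalize(host: str) -> str:
    return host.lower().lstrip("*.").rstrip(".")


def apex_domain(host: str) -> str:
    """Registrable domain approximated as the last two labels.
    Simplification: production code should consult the Public Suffix List
    so that hosts under e.g. co.uk or github.io are split correctly."""
    return ".".join(normalize(host).split(".")[-2:])


def brand_labels_in_subdomain(host: str) -> set[str]:
    """Brand tokens that occur in the subdomain part of a host whose apex the brand does not own.
    Labels are also split on '-' so 'coinbase-login.example.net' is caught; substrings inside a
    longer token ('mycoinbase') are deliberately not matched to keep false positives down."""
    h = normalize(host)
    apex = apex_domain(h)
    if apex in BRAND_APEXES:
        return set()
    sub = h[: -len(apex)].rstrip(".")
    tokens = {t for label in sub.split(".") for t in label.split("-") if t}
    return tokens & BRANDS


def cert_age_days(rec: CertRecord, on: date = SCAN_DATE) -> int:
    """Days between certificate issuance and the scan; negative if not yet valid."""
    return (on - rec.not_before).days


def findings(rec: CertRecord, on: date = SCAN_DATE) -> list[str]:
    out = []
    brands = brand_labels_in_subdomain(rec.subject)
    if brands:
        out.append(f"brand {sorted(brands)} in subdomain of {apex_domain(rec.subject)}")
    age = cert_age_days(rec, on)
    if 0 <= age <= FRESH_CERT_DAYS:
        out.append(f"certificate issued {age} day(s) before the scan")
    return out


def triage(certs: list[CertRecord], on: date = SCAN_DATE) -> dict[str, list[str]]:
    """Map each flagged subject to its findings; subjects with nothing to report are omitted."""
    return {c.subject: f for c in certs if (f := findings(c, on))}


if __name__ == "__main__":
    for subject, notes in triage(CERTS).items():
        print(subject)
        for n in notes:
            print("  -", n)
```

Run against the four rows, only the webspace.re host is flagged, on both counts; t.co, hamayattibabe.com and the civiltob.com wildcard all carry certificates older than a month and no brand token. A certificate from R3 is not itself a signal (Let's Encrypt is ubiquitous); freshness relative to the scan is.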

This page contains 1 frame:

Primary Page: https://coinbase.21989-4491.s2.webspace.re/coinbase/
Frame ID: 86DE2647265706378EB6CE08E190B2A7
Requests: 9 HTTP requests in this frame

Page Title

Coinbase - Sign In

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

  1. https://t.co/sA71Xl5qV7 (Page URL)
  2. https://rebrand.ly/353f98 (HTTP 301)
     https://s.id/1qiAw (HTTP 301)
     https://hamayattibabe.com/wp-admin/network/redirect.php (Page URL)
  3. https://civiltob.com/redirect.php (Page URL)
  4. https://coinbase.21989-4491.s2.webspace.re/coinbase (HTTP 301)
     https://coinbase.21989-4491.s2.webspace.re/coinbase/ (Page URL)

Only three of the six moves in this chain are HTTP redirects (the two 301s in step 2 and the trailing-slash 301 in step 4). The moves from t.co to rebrand.ly, from hamayattibabe.com to civiltob.com and from civiltob.com to the webspace.re host were made client-side: each of those pages answered with a small 200 HTML document (230 B, 132 B and 150 B respectively) and no Location header, so resolving the chain from redirect headers alone stops at t.co, and the landing page is only reached by executing the intermediate pages.

Page Statistics

Requests: 9
HTTPS: 100 %
IPv6: 0 %
Domains: 6
Subdomains: 6
IPs: 4
Countries: 3
Transfer: 22 kB
Size: 117 kB
Cookies: 1


Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 1
  • https://rebrand.ly/353f98 HTTP 301
  • https://s.id/1qiAw HTTP 301
  • https://hamayattibabe.com/wp-admin/network/redirect.php
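The redirect chain above records only the hops that were HTTP 3xx responses; the other moves in the Page URL History happened in the browser. The Python below, an added example and not urlscan.io code, rebuilds the full chain from the seven Page URL History entries as constructed data, labels each transition as an HTTP or client-side redirect, and reports the shortener hops and the client-side jumps between unrelated apex domains. The SHORTENERS list and the last-two-labels apex approximation are assumptions of the example, not data from the report.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Hop:
    url: str
    status: int | None   # status when this URL answered with a redirect; None for a "Page URL" landing


# Constructed from this report's "Page URL History"; nothing is fetched.
CHAIN = [
    Hop("https://t.co/sA71Xl5qV7", None),
    Hop("https://rebrand.ly/353f98", 301),
    Hop("https://s.id/1qiAw", 301),
    Hop("https://hamayattibabe.com/wp-admin/network/redirect.php", None),
    Hop("https://civiltob.com/redirect.php", None),
    Hop("https://coinbase.21989-4491.s2.webspace.re/coinbase", 301),
    Hop("https://coinbase.21989-4491.s2.webspace.re/coinbase/", None),
]

# Assumption: an analyst-maintained list of public URL shorteners.
SHORTENERS = {"t.co", "rebrand.ly", "s.id", "bit.ly", "tinyurl.com"}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def apex_of(host: str) -> str:
    """Last two labels; a real deployment should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def transitions(chain: list[Hop]) -> list[tuple[str, str, str]]:
    """(source host, destination host, kind) for each step of the chain.
    kind is 'http' when the source answered with a 3xx, otherwise 'client':
    urlscan records a JavaScript or meta-refresh redirect as a new Page URL with
    no status, so following Location headers alone would stop at each such host."""
    out = []
    for src, dst in zip(chain, chain[1:]):
        kind = "http" if src.status is not None and 300 <= src.status < 400 else "client"
        out.append((host_of(src.url), host_of(dst.url), kind))
    return out


def summarize(chain: list[Hop]) -> dict:
    steps = transitions(chain)
    hosts = [host_of(h.url) for h in chain]
    return {
        "final_url": chain[-1].url,
        "hops": len(chain),
        "http_redirects": sum(1 for _, _, k in steps if k == "http"),
        "client_redirects": sum(1 for _, _, k in steps if k == "client"),
        "shorteners": [h for h in dict.fromkeys(hosts) if h in SHORTENERS],
        # apex domains in traversal order, de-duplicated
        "apexes": list(dict.fromkeys(apex_of(h) for h in hosts)),
        # client-side jumps that change apex: the ones HTTP-only redirect following misses
        "cross_apex_client_hops": [(s, d) for s, d, k in steps if k == "client" and apex_of(s) != apex_of(d)],
    }


if __name__ == "__main__":
    for key, value in summarize(CHAIN).items():
        print(f"{key}: {value}")
```

For this scan the summary shows three HTTP and three client-side redirects across six apex domains, with all three cross-apex client-side jumps landing on hosts that a Location-following resolver would never see. When building a blocklist from such a chain, every host in `apexes` except the shorteners is a candidate; the shorteners themselves should be reported to the respective services rather than blocked.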

9 HTTP transactions

Each transaction is listed as: resource | path | size (transfer size) | type, followed by its General information, request headers, response headers and, where a redirect preceded the request, the redirect headers.
1. sA71Xl5qV7 | t.co/ | 230 B (550 B transferred) | Document
   Full URL: https://t.co/sA71Xl5qV7
   Protocol: H2
   Security: TLS 1.3, AES_128_GCM
   Server: 104.244.42.197, United States, ASN13414 (TWITTER, US)
   Reverse DNS: (none)
   Software: tsa_o
   Resource Hash: (not recorded)
   Security Headers:
     Strict-Transport-Security: max-age=0
     X-Xss-Protection: 0
   Request headers:
     Upgrade-Insecure-Requests: 1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.121 Safari/537.36
     accept-language: nl-NL,nl;q=0.9
   Response headers:
     cache-control: private,max-age=300
     content-encoding: gzip
     content-length: 177
     content-type: text/html; charset=utf-8
     date: Mon, 28 Nov 2022 15:57:42 GMT
     expires: Mon, 28 Nov 2022 16:02:43 GMT
     perf: 7626143928
     server: tsa_o
     strict-transport-security: max-age=0
     vary: Origin
     x-connection-hash: 537e8ad76b872ce1f89f2d8c55115c346ce11cc4de73b4687fc2e7412c74cd23
     x-response-time: 120
     x-transaction-id: ede7ce6dfba70698
     x-xss-protection: 0
2. redirect.php | hamayattibabe.com/wp-admin/network/ | 132 B (351 B transferred) | Document
   Redirect chain:
     https://rebrand.ly/353f98
     https://s.id/1qiAw
     https://hamayattibabe.com/wp-admin/network/redirect.php
   Full URL: https://hamayattibabe.com/wp-admin/network/redirect.php
   Requested by: t.co (https://t.co/sA71Xl5qV7)
   Protocol: H2
   Security: TLS 1.3, AES_128_GCM
   Server: 185.239.208.33, Düsseldorf, Germany, ASN51167 (CONTABO, DE)
   Reverse DNS: ip-33-208-239-185.static.contabo.net
   Software: LiteSpeed
   Resource Hash: 52a568e3e947c4c2f2b6465c40e72e3309b4231483cc8efe45e90ff541a63867
   Request headers:
     Referer: https://t.co/sA71Xl5qV7
     Upgrade-Insecure-Requests: 1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.121 Safari/537.36
     accept-language: nl-NL,nl;q=0.9
   Response headers:
     alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
     content-encoding: br
     content-length: 108
     content-type: text/html; charset=UTF-8
     date: Mon, 28 Nov 2022 15:57:45 GMT
     server: LiteSpeed
     vary: Accept-Encoding
   Redirect headers (from the preceding 301):
     cache-control: private, max-age=30
     content-length: 90
     content-type: text/html; charset=utf-8
     date: Mon, 28 Nov 2022 15:57:45 GMT
     location: https://hamayattibabe.com/wp-admin/network/redirect.php
     strict-transport-security: max-age=15724800; includeSubDomains
3. redirect.php | civiltob.com/ | 150 B (357 B transferred) | Document
   Full URL: https://civiltob.com/redirect.php
   Protocol: HTTP/1.1
   Security: TLS 1.3, AES_128_GCM
   Server: 173.212.219.206, Nuremberg, Germany, ASN51167 (CONTABO, DE)
   Reverse DNS: ns2021.itlinks.com
   Software: Apache
   Resource Hash: aa2065c6fb56ac6f31cdaf34a9a6fe13f3485e4d838dce9f1b8a343c48f77096
   Request headers:
     Referer: https://hamayattibabe.com/
     Upgrade-Insecure-Requests: 1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.121 Safari/537.36
     accept-language: nl-NL,nl;q=0.9
   Response headers:
     Connection: Keep-Alive
     Content-Type: text/html; charset=UTF-8
     Date: Mon, 28 Nov 2022 15:57:45 GMT
     Keep-Alive: timeout=5, max=100
     Server: Apache
     Transfer-Encoding: chunked
4. Primary Request: / | coinbase.21989-4491.s2.webspace.re/coinbase/ | 23 KB (4 KB transferred) | Document
   Redirect chain:
     https://coinbase.21989-4491.s2.webspace.re/coinbase
     https://coinbase.21989-4491.s2.webspace.re/coinbase/
   Full URL: https://coinbase.21989-4491.s2.webspace.re/coinbase/
   Protocol: H2
   Security: TLS 1.3, AES_256_GCM
   Server: 91.218.65.223, Frankfurt am Main, Germany, ASN44486 (SYNLINQ synlinq.de, DE)
   Reverse DNS: plesk2.living-bots.net
   Software: nginx / PleskLin
   Resource Hash: 58333a57c77dad21287553e5fa45f9a05fb83cb790d1089e9c7da02d62b97624
   Request headers:
     Referer: https://civiltob.com/redirect.php
     Upgrade-Insecure-Requests: 1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.121 Safari/537.36
     accept-language: nl-NL,nl;q=0.9
   Response headers:
     content-encoding: br
     content-type: text/html
     date: Mon, 28 Nov 2022 15:57:46 GMT
     etag: W/"6380a6de-5aa0"
     last-modified: Fri, 25 Nov 2022 11:28:30 GMT
     server: nginx
     x-powered-by: PleskLin
   Redirect headers (from the preceding 301):
     content-length: 345
     content-type: text/html; charset=iso-8859-1
     date: Mon, 28 Nov 2022 15:57:46 GMT
     location: https://coinbase.21989-4491.s2.webspace.re/coinbase/
     server: nginx
     x-powered-by: PleskLin
5. styles.c153074692ca2188139d.css | coinbase.21989-4491.s2.webspace.re/coinbase/css/ | 92 KB (16 KB transferred) | Stylesheet
   Full URL: https://coinbase.21989-4491.s2.webspace.re/coinbase/css/styles.c153074692ca2188139d.css
   Requested by: coinbase.21989-4491.s2.webspace.re (https://coinbase.21989-4491.s2.webspace.re/coinbase/)
   Protocol: H2
   Security: TLS 1.3, AES_256_GCM
   Server: 91.218.65.223, Frankfurt am Main, Germany, ASN44486 (SYNLINQ synlinq.de, DE)
   Reverse DNS: plesk2.living-bots.net
   Software: nginx / PleskLin
   Resource Hash: 4ea4fc23020f83f6b59f58c76339205524ad38faa076dc5ed2de271b9913d6ef
   Request headers:
     accept-language: nl-NL,nl;q=0.9
     Referer: https://coinbase.21989-4491.s2.webspace.re/coinbase/
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.121 Safari/537.36
   Response headers:
     date: Mon, 28 Nov 2022 15:57:46 GMT
     content-encoding: br
     last-modified: Thu, 06 Oct 2022 10:59:52 GMT
     server: nginx
     etag: W/"633eb528-16ef5"
     x-powered-by: PleskLin
     content-type: text/css
6. styles.f41b97d53666de9b764b.css | coinbase.21989-4491.s2.webspace.re/coinbase/css/ | 2 KB (545 B transferred) | Stylesheet
   Full URL: https://coinbase.21989-4491.s2.webspace.re/coinbase/css/styles.f41b97d53666de9b764b.css
   Requested by: coinbase.21989-4491.s2.webspace.re (https://coinbase.21989-4491.s2.webspace.re/coinbase/)
   Protocol: H2
   Security: TLS 1.3, AES_256_GCM
   Server: 91.218.65.223, Frankfurt am Main, Germany, ASN44486 (SYNLINQ synlinq.de, DE)
   Reverse DNS: plesk2.living-bots.net
   Software: nginx / PleskLin
   Resource Hash: 3599d0d1a71ca5e56f6b6ff4018ce913e25cf503a5c076f47ba95a9478f8d665
   Request headers:
     accept-language: nl-NL,nl;q=0.9
     Referer: https://coinbase.21989-4491.s2.webspace.re/coinbase/
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.121 Safari/537.36
   Response headers:
     date: Mon, 28 Nov 2022 15:57:46 GMT
     content-encoding: br
     last-modified: Thu, 06 Oct 2022 10:59:52 GMT
     server: nginx
     etag: W/"633eb528-70c"
     x-powered-by: PleskLin
     content-type: text/css
7. 8a6a40a08f92d9a9b3e5.woff2 | coinbase.21989-4491.s2.webspace.re/static/ | 0 B (0 B transferred) | Font
   Full URL: https://coinbase.21989-4491.s2.webspace.re/static/8a6a40a08f92d9a9b3e5.woff2
   Requested by: coinbase.21989-4491.s2.webspace.re (https://coinbase.21989-4491.s2.webspace.re/coinbase/css/styles.c153074692ca2188139d.css)
   Protocol: H2
   Security: TLS 1.3, AES_256_GCM
   Server: 91.218.65.223, Frankfurt am Main, Germany, ASN44486 (SYNLINQ synlinq.de, DE)
   Reverse DNS: plesk2.living-bots.net
   Software: nginx
   Resource Hash: (none; 404 response, see Console Messages)
   Request headers:
     Referer: https://coinbase.21989-4491.s2.webspace.re/coinbase/css/styles.c153074692ca2188139d.css
     Origin: https://coinbase.21989-4491.s2.webspace.re
     accept-language: nl-NL,nl;q=0.9
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.121 Safari/537.36
   Response headers:
     date: Mon, 28 Nov 2022 15:57:46 GMT
     content-encoding: br
     last-modified: Sat, 19 Nov 2022 09:30:32 GMT
     server: nginx
     etag: W/"328-5edcf7946d9ea"
     content-type: text/html
8. 71371380d08a07cda58a.woff2 | coinbase.21989-4491.s2.webspace.re/static/ | 0 B (0 B transferred) | Font
   Full URL: https://coinbase.21989-4491.s2.webspace.re/static/71371380d08a07cda58a.woff2
   Requested by: coinbase.21989-4491.s2.webspace.re (https://coinbase.21989-4491.s2.webspace.re/coinbase/css/styles.c153074692ca2188139d.css)
   Protocol: H2
   Security: TLS 1.3, AES_256_GCM
   Server: 91.218.65.223, Frankfurt am Main, Germany, ASN44486 (SYNLINQ synlinq.de, DE)
   Reverse DNS: plesk2.living-bots.net
   Software: nginx
   Resource Hash: (none; 404 response, see Console Messages)
   Request headers:
     Referer: https://coinbase.21989-4491.s2.webspace.re/coinbase/css/styles.c153074692ca2188139d.css
     Origin: https://coinbase.21989-4491.s2.webspace.re
     accept-language: nl-NL,nl;q=0.9
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.121 Safari/537.36
   Response headers:
     date: Mon, 28 Nov 2022 15:57:46 GMT
     content-encoding: br
     last-modified: Sat, 19 Nov 2022 09:30:32 GMT
     server: nginx
     etag: W/"328-5edcf7946d9ea"
     content-type: text/html
9. 502b733210ea3fdd4bf8.woff2 | coinbase.21989-4491.s2.webspace.re/static/ | 0 B (0 B transferred) | Font
   Full URL: https://coinbase.21989-4491.s2.webspace.re/static/502b733210ea3fdd4bf8.woff2
   Requested by: coinbase.21989-4491.s2.webspace.re (https://coinbase.21989-4491.s2.webspace.re/coinbase/css/styles.c153074692ca2188139d.css)
   Protocol: H2
   Security: TLS 1.3, AES_256_GCM
   Server: 91.218.65.223, Frankfurt am Main, Germany, ASN44486 (SYNLINQ synlinq.de, DE)
   Reverse DNS: plesk2.living-bots.net
   Software: nginx
   Resource Hash: (none; 404 response, see Console Messages)
   Request headers:
     Referer: https://coinbase.21989-4491.s2.webspace.re/coinbase/css/styles.c153074692ca2188139d.css
     Origin: https://coinbase.21989-4491.s2.webspace.re
     accept-language: nl-NL,nl;q=0.9
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.121 Safari/537.36
   Response headers:
     date: Mon, 28 Nov 2022 15:57:46 GMT
     content-encoding: br
     last-modified: Sat, 19 Nov 2022 09:30:32 GMT
     server: nginx
     etag: W/"328-5edcf7946d9ea"
     content-type: text/html

Verdicts & Comments

Verdict: Malicious (scope: page.domain)
Submitted on November 28th 2022, 3:59:18 pm UTC, from Netherlands
Threats: Phishing
Brands: Coinbase US
Comment: Phishing for crypto seed wallet recovery phrase

urlscan.io: Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

0 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

1 Cookies

Domain/Path: .t.co/ | Name: muc | Value: fcbd5638-3706-4338-ab8c-43cd273af5b6

3 Console Messages

network | error | https://coinbase.21989-4491.s2.webspace.re/static/71371380d08a07cda58a.woff2
  Failed to load resource: the server responded with a status of 404 ()
network | error | https://coinbase.21989-4491.s2.webspace.re/static/8a6a40a08f92d9a9b3e5.woff2
  Failed to load resource: the server responded with a status of 404 ()
network | error | https://coinbase.21989-4491.s2.webspace.re/static/502b733210ea3fdd4bf8.woff2
  Failed to load resource: the server responded with a status of 404 ()

All three are WOFF2 fonts referenced from styles.c153074692ca2188139d.css via a root-relative /static/ path, and the host answers each with a 404 whose body is served as text/html. The stylesheet points at an asset tree that this host does not serve, so the sign-in page renders with fallback fonts.
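The 404s are worth checking mechanically: a missing asset tree and a wrong MIME type on a font request are both cheap indicators that a page was assembled from copied parts. The Python below is an added example, not urlscan.io code. It encodes the nine transactions of this scan as constructed data (status codes only where the report states them, i.e. the three 404s), flags error statuses, resource-type/MIME mismatches and empty bodies, and counts the 404s per directory. The EXPECTED_MIME allow-list is an assumption of the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    url: str
    kind: str            # urlscan resource type column: Document, Stylesheet, Font, ...
    status: int | None   # None where the report does not show a status code
    content_type: str
    size: str            # size column as printed in the report


# Constructed from this report's nine transactions and the console 404s; not fetched live.
TRANSACTIONS = [
    Transaction("https://t.co/sA71Xl5qV7", "Document", None, "text/html; charset=utf-8", "230 B"),
    Transaction("https://hamayattibabe.com/wp-admin/network/redirect.php", "Document", None, "text/html; charset=UTF-8", "132 B"),
    Transaction("https://civiltob.com/redirect.php", "Document", None, "text/html; charset=UTF-8", "150 B"),
    Transaction("https://coinbase.21989-4491.s2.webspace.re/coinbase/", "Document", None, "text/html", "23 KB"),
    Transaction("https://coinbase.21989-4491.s2.webspace.re/coinbase/css/styles.c153074692ca2188139d.css", "Stylesheet", None, "text/css", "92 KB"),
    Transaction("https://coinbase.21989-4491.s2.webspace.re/coinbase/css/styles.f41b97d53666de9b764b.css", "Stylesheet", None, "text/css", "2 KB"),
    Transaction("https://coinbase.21989-4491.s2.webspace.re/static/8a6a40a08f92d9a9b3e5.woff2", "Font", 404, "text/html", "0"),
    Transaction("https://coinbase.21989-4491.s2.webspace.re/static/71371380d08a07cda58a.woff2", "Font", 404, "text/html", "0"),
    Transaction("https://coinbase.21989-4491.s2.webspace.re/static/502b733210ea3fdd4bf8.woff2", "Font", 404, "text/html", "0"),
]

# MIME types a browser expects per resource type (assumption: a reasonable allow-list, not exhaustive).
EXPECTED_MIME = {
    "Document": {"text/html", "application/xhtml+xml"},
    "Stylesheet": {"text/css"},
    "Font": {"font/woff2", "font/woff", "application/font-woff2", "application/font-woff", "application/octet-stream"},
    "Script": {"application/javascript", "text/javascript"},
}


def mime_base(content_type: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def anomalies(tx: Transaction) -> list[str]:
    """Cheap per-transaction checks: error status, type/MIME mismatch, empty body."""
    issues = []
    if tx.status is not None and tx.status >= 400:
        issues.append(f"HTTP {tx.status}")
    expected = EXPECTED_MIME.get(tx.kind)
    if expected and mime_base(tx.content_type) not in expected:
        issues.append(f"{tx.kind} served as {mime_base(tx.content_type)}")
    if tx.size.strip() in {"0", "0 B"}:
        issues.append("empty body")
    return issues


def triage(transactions: list[Transaction]) -> dict[str, list[str]]:
    """URL -> issues, only for transactions that have any."""
    return {tx.url: a for tx in transactions if (a := anomalies(tx))}


def missing_assets_by_path(transactions: list[Transaction]) -> dict[str, int]:
    """Count 404s per directory; a single directory absorbing all of them points at an asset tree
    the stylesheet expects but the host never deployed."""
    counts: dict[str, int] = {}
    for tx in transactions:
        if tx.status == 404:
            directory = tx.url.rsplit("/", 1)[0] + "/"
            counts[directory] = counts.get(directory, 0) + 1
    return counts


if __name__ == "__main__":
    for url, issues in triage(TRANSACTIONS).items():
        print(url, "->", ", ".join(issues))
    print(missing_assets_by_path(TRANSACTIONS))
```

On this scan exactly the three font requests are flagged, each on all three checks, and every 404 sits under /static/. The same checks on a legitimate deployment of the brand's site would be expected to come back empty, which is what makes them useful as a kit fingerprint rather than as a generic quality metric.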

Security Headers

This page lists any security headers set by the main page.

Header | Value
Strict-Transport-Security | max-age=0
X-Xss-Protection | 0

Caveat: these two values are the headers of the first request in the chain (t.co), not of the landing page. The response from https://coinbase.21989-4491.s2.webspace.re/coinbase/ carries no Strict-Transport-Security, Content-Security-Policy, X-Frame-Options or X-Content-Type-Options header at all (see its response headers above).