mericanxpress.ga - urlscan.io

Summary

This website contacted 2 IPs in 2 countries across 2 domains to perform 6 HTTP transactions. The main IP is 45.122.138.250, located in Mong Kok, Hong Kong and belongs to GGL-AS-AP Guochao Group limited, HK. The main domain is mericanxpress.ga.
TLS certificate: Issued by cPanel, Inc. Certification Authority on June 5th 2018. Valid for: 3 months.

This is the only time mericanxpress.ga was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: American Express (Financial)

Domain & IP information

	IP Address	AS Autonomous System
1	91.231.86.145 91.231.86.145	197726 (UKRNAMES-AS) (UKRNAMES-AS)
5	45.122.138.250 45.122.138.250	132742 (GGL-AS-AP...) (GGL-AS-AP Guochao Group limited)
6	2

1 91.231.86.145 (Ukraine)

ASN197726 (UKRNAMES-AS, UA)
PTR: 91.231.86.145.ip.ukrnames.com

polygraphia.com.ua	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

5 45.122.138.250 (Mong Kok, Hong Kong)

ASN132742 (GGL-AS-AP Guochao Group limited, HK)

mericanxpress.ga	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
5	mericanxpress.ga mericanxpress.ga	344 KB
1	polygraphia.com.ua polygraphia.com.ua	665 B
6	2

	Domain	Requested by
5	mericanxpress.ga	mericanxpress.ga
1	polygraphia.com.ua
6	2

This site contains no links.

Subject Issuer	Validity	Valid
polygraphia.com.ua Certum Domain Validation CA SHA2	`2018-01-23` - `2019-01-23`	a year	crt.sh
mericanxpress.ga cPanel, Inc. Certification Authority	`2018-06-05` - `2018-09-03`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd
Frame ID: 8ED0C9EBBA3B12D1787B4EA0A4738651
Requests: 6 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page URL History Show full URLs

https://polygraphia.com.ua/surf/direct.html Page URL
https://mericanxpress.ga/part.tsl/american2/american/express/index.html Page URL
https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/Applicat... Page URL

Detected technologies

Apache (Web Servers) Expand

Overall confidence: 100%
Detected patterns

headers server /(?:Apache(?:$|\/([\d.]+)|[^\/-])|(?:^|)HTTPD)/i

Page Statistics

6
Requests

100 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

2
IPs

2
Countries

345 kB
Transfer

343 kB
Size

0
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://polygraphia.com.ua/surf/direct.html Page URL
https://mericanxpress.ga/part.tsl/american2/american/express/index.html Page URL
https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

6 HTTP transactions
0 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H/1.1	200 OK	direct.html Show response polygraphia.com.ua/surf/	423 B 665 B	136ms 43ms	Document text/html	91.231.86.145 UKRNAMES-AS
General Check archive.org Show headers Download Go to Full URL https://polygraphia.com.ua/surf/direct.html Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 91.231.86.145 , Ukraine, ASN197726 (UKRNAMES-AS, UA), Reverse DNS 91.231.86.145.ip.ukrnames.com Software Apache / Resource Hash `a0939772a6fe902c780084a8f129fbbeb9f7813745b88912eb3455b2606349be` Request headers Host polygraphia.com.ua Connection keep-alive Pragma no-cache Cache-Control no-cache Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 Accept-Encoding gzip, deflate Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 X-DevTools-Emulate-Network-Conditions-Client-Id 8ED0C9EBBA3B12D1787B4EA0A4738651 Response headers Date Wed, 06 Jun 2018 12:51:42 GMT Server Apache Last-Modified Wed, 06 Jun 2018 12:20:34 GMT Accept-Ranges bytes Content-Length 423 Keep-Alive timeout=5, max=100 Connection Keep-Alive Content-Type text/html
GET H/1.1	200 OK	index.html Show response mericanxpress.ga/part.tsl/american2/american/express/	176 B 418 B	1353ms 257ms	Document text/html	45.122.138.250 GGL-AS-AP Guochao...
General Check archive.org Show headers Download Go to Full URL https://mericanxpress.ga/part.tsl/american2/american/express/index.html Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 45.122.138.250 Mong Kok, Hong Kong, ASN132742 (GGL-AS-AP Guochao Group limited, HK), Reverse DNS Software Apache / Resource Hash `6e74ff229922536351383f8c1df663583dfe086f9c0016843b99388ae3b9c8c0` Request headers Host mericanxpress.ga Connection keep-alive Pragma no-cache Cache-Control no-cache Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 Referer https://polygraphia.com.ua/surf/direct.html Accept-Encoding gzip, deflate Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 X-DevTools-Emulate-Network-Conditions-Client-Id 8ED0C9EBBA3B12D1787B4EA0A4738651 Referer https://polygraphia.com.ua/surf/direct.html Response headers Date Wed, 06 Jun 2018 12:52:24 GMT Server Apache Last-Modified Mon, 30 Apr 2018 04:55:30 GMT Accept-Ranges bytes Content-Length 176 Keep-Alive timeout=5, max=100 Connection Keep-Alive Content-Type text/html
GET H/1.1	200 OK	Primary Request index1.html Show response mericanxpress.ga/part.tsl/american2/american/express/	2 KB 2 KB	258ms 257ms	Document text/html	45.122.138.250 GGL-AS-AP Guochao...
General Check archive.org Show headers Download Go to Full URL https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 45.122.138.250 Mong Kok, Hong Kong, ASN132742 (GGL-AS-AP Guochao Group limited, HK), Reverse DNS Software Apache / Resource Hash `c6078f244d572e804e0f916d1a1196fb696c15a75e193798169ba5ccb34cc8dd` Request headers Host mericanxpress.ga Connection keep-alive Pragma no-cache Cache-Control no-cache Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 Referer https://mericanxpress.ga/part.tsl/american2/american/express/index.html Accept-Encoding gzip, deflate Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 X-DevTools-Emulate-Network-Conditions-Client-Id 8ED0C9EBBA3B12D1787B4EA0A4738651 Referer https://mericanxpress.ga/part.tsl/american2/american/express/index.html Response headers Date Wed, 06 Jun 2018 12:52:25 GMT Server Apache Last-Modified Mon, 30 Apr 2018 04:56:52 GMT Accept-Ranges bytes Content-Length 1746 Keep-Alive timeout=5, max=99 Connection Keep-Alive Content-Type text/html
GET H/1.1	200 OK	me1688.png mericanxpress.ga/part.tsl/american2/american/express/images/	310 KB 310 KB	258ms 258ms	Image image/png	45.122.138.250 GGL-AS-AP Guochao...
General Check archive.org Show headers Download Go to Show image Full URL https://mericanxpress.ga/part.tsl/american2/american/express/images/me1688.png Requested by Host: mericanxpress.ga URL: https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 45.122.138.250 Mong Kok, Hong Kong, ASN132742 (GGL-AS-AP Guochao Group limited, HK), Reverse DNS Software Apache / Resource Hash `da8327d9f59a018eb47a319825be15349b97e457f7f9a3a219e0a294b7e5be99` Request headers Pragma no-cache Accept-Encoding gzip, deflate Host mericanxpress.ga User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 Accept image/webp,image/apng,image/,/;q=0.8 Referer* https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd Connection keep-alive Cache-Control no-cache Referer https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 Response headers Date Wed, 06 Jun 2018 12:52:25 GMT Last-Modified Sun, 25 Feb 2018 09:27:54 GMT Server Apache Content-Type image/png Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=98 Content-Length 317064
GET H/1.1	200 OK	fooie168805.png mericanxpress.ga/part.tsl/american2/american/express/images/	31 KB 31 KB	490ms 245ms	Image image/png	45.122.138.250 GGL-AS-AP Guochao...
General Check archive.org Show headers Download Go to Show image Full URL https://mericanxpress.ga/part.tsl/american2/american/express/images/fooie168805.png Requested by Host: mericanxpress.ga URL: https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 45.122.138.250 Mong Kok, Hong Kong, ASN132742 (GGL-AS-AP Guochao Group limited, HK), Reverse DNS Software Apache / Resource Hash `d2d7deb307604118424fc70b47bc8eaa3f72b6d9b047ad44e9de4f7099bb4611` Request headers Pragma no-cache Accept-Encoding gzip, deflate Host mericanxpress.ga User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 Accept image/webp,image/apng,image/,/;q=0.8 Referer* https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd Connection keep-alive Cache-Control no-cache Referer https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 Response headers Date Wed, 06 Jun 2018 12:52:25 GMT Last-Modified Sat, 13 Jan 2018 07:59:16 GMT Server Apache Content-Type image/png Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=100 Content-Length 31331
GET H/1.1	200 OK	si.png mericanxpress.ga/part.tsl/american2/american/express/images/	735 B 977 B	788ms 264ms	Image image/png	45.122.138.250 GGL-AS-AP Guochao...
General Check archive.org Show headers Download Go to Show image Full URL https://mericanxpress.ga/part.tsl/american2/american/express/images/si.png Requested by Host: mericanxpress.ga URL: https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 45.122.138.250 Mong Kok, Hong Kong, ASN132742 (GGL-AS-AP Guochao Group limited, HK), Reverse DNS Software Apache / Resource Hash `63fff8718c729966bb7428cf1cf18261d80ac9717952a9bf8da6203e740e6796` Request headers Pragma no-cache Accept-Encoding gzip, deflate Host mericanxpress.ga User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 Accept image/webp,image/apng,image/,/;q=0.8 Referer* https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd Connection keep-alive Cache-Control no-cache Referer https://mericanxpress.ga/part.tsl/american2/american/express/index1.html?sign&accountopening/ApplicationStartup/Application$update=&cookiecheck/yes&destinpage&fefdd User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/66.0.3359.139 Safari/537.36 Response headers Date Wed, 06 Jun 2018 12:52:25 GMT Last-Modified Sun, 25 Feb 2018 09:17:28 GMT Server Apache Content-Type image/png Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=100 Content-Length 735

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: American Express (Financial)

1 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

function| unhideBody

0 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

mericanxpress.ga
polygraphia.com.ua
45.122.138.250
91.231.86.145
63fff8718c729966bb7428cf1cf18261d80ac9717952a9bf8da6203e740e6796
6e74ff229922536351383f8c1df663583dfe086f9c0016843b99388ae3b9c8c0
a0939772a6fe902c780084a8f129fbbeb9f7813745b88912eb3455b2606349be
c6078f244d572e804e0f916d1a1196fb696c15a75e193798169ba5ccb34cc8dd
d2d7deb307604118424fc70b47bc8eaa3f72b6d9b047ad44e9de4f7099bb4611
da8327d9f59a018eb47a319825be15349b97e457f7f9a3a219e0a294b7e5be99

mericanxpress.ga Open in urlscan Pro 45.122.138.250 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page URL History Show full URLs

Detected technologies

Page Statistics

6 Requests

100 %HTTPS

0 %IPv6

2 Domains

2 Subdomains

2 IPs

2 Countries

345 kBTransfer

343 kBSize

0 Cookies

0 Outgoing links

Page URL History

Redirected requests

6 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

1 JavaScript Global Variables

0 Cookies

Indicators

mericanxpress.ga Open in urlscan Pro
45.122.138.250 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

6
Requests

100 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

2
IPs

2
Countries

345 kB
Transfer

343 kB
Size

0
Cookies

6 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!