kadima-isetho.de Open in urlscan Pro
2a01:238:20a:202:1166:: Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

URL:
https://kadima-isetho.de/ing/e628a/index.html
Submission: On December 20 via automatic, source openphish (December 20th 2022, 1:28:42 am UTC) — Scanned from DE

Summary HTTP 1 Redirects Links 20 Behaviour Indicators

Summary

This website contacted 2 IPs in 1 countries across 1 domains to perform 1 HTTP transactions. The main IP is 2a01:238:20a:202:1166::, located in Germany and belongs to STRATO STRATO AG, DE. The main domain is kadima-isetho.de.
TLS certificate: Issued by Encryption Everywhere DV TLS CA - G1 on December 19th 2022. Valid for: a year.

This is the only time kadima-isetho.de was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: ING Group (Banking)

Domain & IP information

	IP Address		AS Autonomous System
1	2a01:238:20a:... 2a01:238:20a:202:1166::		6724 (STRATO ST...) (STRATO STRATO AG)
1	2

1 2a01:238:20a:202:1166:: (Germany)

ASN6724 (STRATO STRATO AG, DE)

kadima-isetho.de	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
1	kadima-isetho.de kadima-isetho.de	309 KB
1	1

	Domain	Requested by
1	kadima-isetho.de
1	1

This site contains links to these domains. Also see Links.

Domain
loudljfffr5487d5fegtedg-bc5e7d.ingress-bonde.ewp.live
www.ing.de
access.ing.de
www.youtube.com
www.ing.jobs
www.ingwb.de
produkte.banking.ing.de
www.facebook.com
www.instagram.com

Subject Issuer	Validity	Valid
kadima-isetho.de Encryption Everywhere DV TLS CA - G1	`2022-12-19` - `2023-12-18`	a year	crt.sh

This page contains 1 frames:

Primary Page: https://kadima-isetho.de/ing/e628a/index.html
Frame ID: A8D0EC7854F8D4D9C4E8910B2ADA5439
Requests: 7 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

ING Login

Page Statistics

1
Requests

100 %
HTTPS

100 %
IPv6

1
Domains

1
Subdomains

2
IPs

1
Countries

399 kB
Transfer

459 kB
Size

0
Cookies

20 Outgoing links

These are links going to different origins than the main page.

URL: https://loudljfffr5487d5fegtedg-bc5e7d.ingress-bonde.ewp.live/dezezdezd/delogin/ww/login-t/login.html#navigation
Title: Zur Navigation

Search URL Search Domain Scan URL

URL: https://loudljfffr5487d5fegtedg-bc5e7d.ingress-bonde.ewp.live/dezezdezd/delogin/ww/login-t/login.html#content
Title: Zum Inhalt

Search URL Search Domain Scan URL

URL: https://www.ing.de/
Title: ING DiBa

Search URL Search Domain Scan URL

URL: https://access.ing.de/delogin/w/login?x=sP86wyRx9bvCqxJiM1UndT5f5U1SMA9EV5nbsQviwdgeF2mJoVQCkLQ&t=https://access.ing.de/delogin/oauth/authorize%3Fresponse_type%3Dcode%26client_id%3Dibbr%26scope%3Dbanking%2520paydirekt%2520postlogin%2520tpa%2520openid%26state%3Dhr_uH9T02pSEPzG__73mfNZX6ztrQ39QJxT0RTx4Nyg%253D%26redirect_uri%3Dhttps://banking.ing.de/app/login/oauth2/code/ibbr%26nonce%3D8C685usblh2Si52Dq6N8rGaHmvSzpcpEHkRdZkEi6I0%26claims%3D%257B%2522id_token%2522%253A%257B%2522customer_number%2522%253A%257B%2522essential%2522%253Atrue%257D%252C%2522partner_number%2522%253A%257B%2522essential%2522%253Atrue%257D%252C%2522last_login%2522%253A%257B%2522essential%2522%253Atrue%257D%252C%2522authentication_means%2522%253A%257B%2522essential%2522%253Atrue%257D%257D%257D
Title: Neu bei uns? Jetzt Internetbanking PIN erstellen

Search URL Search Domain Scan URL

URL: https://access.ing.de/delogin/w/login?x=sP86wyRx9bvCqxJiM1UndTzXhEBL8UIwW1r5Mh0qx8boTYZTTswjrSg&t=https://access.ing.de/delogin/oauth/authorize%3Fresponse_type%3Dcode%26client_id%3Dibbr%26scope%3Dbanking%2520paydirekt%2520postlogin%2520tpa%2520openid%26state%3Dhr_uH9T02pSEPzG__73mfNZX6ztrQ39QJxT0RTx4Nyg%253D%26redirect_uri%3Dhttps://banking.ing.de/app/login/oauth2/code/ibbr%26nonce%3D8C685usblh2Si52Dq6N8rGaHmvSzpcpEHkRdZkEi6I0%26claims%3D%257B%2522id_token%2522%253A%257B%2522customer_number%2522%253A%257B%2522essential%2522%253Atrue%257D%252C%2522partner_number%2522%253A%257B%2522essential%2522%253Atrue%257D%252C%2522last_login%2522%253A%257B%2522essential%2522%253Atrue%257D%252C%2522authentication_means%2522%253A%257B%2522essential%2522%253Atrue%257D%257D%257D
Title: Zugangsdaten vergessen?

Search URL Search Domain Scan URL

URL: https://loudljfffr5487d5fegtedg-bc5e7d.ingress-bonde.ewp.live/dezezdezd/delogin/ww/login-t/login.html#js-modal--qr-key-explain
Title: So funktioniert der QR Log-in

Search URL Search Domain Scan URL

URL: https://www.youtube.com/watch?v=_eIru6yatfw
Title: QR Log-in Video-Anleitung

Search URL Search Domain Scan URL

URL: https://access.ing.de/delogin/w/login?x=sP86wyRx9bvCqxJiM1UndTxcEOMEz3WBSUc7BIlIKHMw&t=https://access.ing.de/delogin/oauth/authorize%3Fresponse_type%3Dcode%26client_id%3Dibbr%26scope%3Dbanking%2520paydirekt%2520postlogin%2520tpa%2520openid%26state%3Dhr_uH9T02pSEPzG__73mfNZX6ztrQ39QJxT0RTx4Nyg%253D%26redirect_uri%3Dhttps://banking.ing.de/app/login/oauth2/code/ibbr%26nonce%3D8C685usblh2Si52Dq6N8rGaHmvSzpcpEHkRdZkEi6I0%26claims%3D%257B%2522id_token%2522%253A%257B%2522customer_number%2522%253A%257B%2522essential%2522%253Atrue%257D%252C%2522partner_number%2522%253A%257B%2522essential%2522%253Atrue%257D%252C%2522last_login%2522%253A%257B%2522essential%2522%253Atrue%257D%252C%2522authentication_means%2522%253A%257B%2522essential%2522%253Atrue%257D%257D%257D
Title: Anmelden mit QR Log-in

Search URL Search Domain Scan URL

URL: https://www.ing.de/wissen/achtung-phishing/
Title: Artikel

Search URL Search Domain Scan URL

URL: https://www.ing.de/wissen/boiler-room-scam/
Title: hier

Search URL Search Domain Scan URL

URL: https://www.ing.jobs/Deutschland/home.htm
Title: Karriere

Search URL Search Domain Scan URL

URL: https://www.ing.de/ueber-uns/unternehmen/partner/
Title: Vertriebspartner

Search URL Search Domain Scan URL

URL: https://www.ingwb.de/de/home
Title: Wholesale Banking

Search URL Search Domain Scan URL

URL: https://produkte.banking.ing.de/pub/kontaktformular
Title: Kontaktformular

Search URL Search Domain Scan URL

URL: https://www.ing.de/agbib
Title: AGB

Search URL Search Domain Scan URL

URL: https://www.ing.de/datenschutz
Title: Datenschutz

Search URL Search Domain Scan URL

URL: https://www.ing.de/ueber-uns/unternehmen/impressum/
Title: Impressum

Search URL Search Domain Scan URL

URL: https://www.facebook.com/ing.deutschland

Search URL Search Domain Scan URL

URL: https://www.instagram.com/ing.deutschland/

Search URL Search Domain Scan URL

URL: https://www.youtube.com/c/ing_de

Search URL Search Domain Scan URL

Redirected requests

There were HTTP redirect chains for the following requests:

1 HTTP transactions
6 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H2 200 Primary Request index.html Show response
kadima-isetho.de/ing/e628a/ 307 KB
309 KB 63ms
20ms Document
text/html 2a01:238:20a:202:1166::
STRATO STRATO AG

General

Check archive.org

Show headers Download Go to

Full URL

https://kadima-isetho.de/ing/e628a/index.html

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

2a01:238:20a:202:1166:: , Germany, ASN6724 (STRATO STRATO AG, DE),

Reverse DNS

Software

Apache/2.4.54 (Unix) /

Resource Hash

f4777b7a3b29aba8928cb11b2eb8977c7a4d215000df814668f9dd49495f56a1

Security Headers

Name	Value
X-Content-Type-Options	nosniff

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.124 Safari/537.36
accept-language: de-DE,de;q=0.9

Response headers

accept-ranges: bytes
cache-control: max-age=1209600
content-length: 314337
content-type: text/html
date: Tue, 20 Dec 2022 01:28:37 GMT
etag: "4cbe1-5f034ac1f528a"
expires: Tue, 03 Jan 2023 01:28:37 GMT
last-modified: Mon, 19 Dec 2022 21:05:00 GMT
server: Apache/2.4.54 (Unix)
x-content-type-options: nosniff

GET
DATA 200
OK truncated
/ 2 KB
0 Image
image/svg+xml

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: 1470546a5f8d7a68deb045a9f3be48c3fa818c53c0b4f8c854d6acdec64aa225

Request headers

accept-language: de-DE,de;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.124 Safari/537.36

Response headers

Content-Type: image/svg+xml

GET
DATA 200
OK truncated
/ 44 KB
0 Image
image/png

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: fb6ebe23316c03fd8d25e871bfdd9c41eb77e14115f5a01e3e0d97b94617779e

Request headers

accept-language: de-DE,de;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.124 Safari/537.36

Response headers

Content-Type: image/png

GET
DATA 200
OK truncated
/ 16 KB
0 Image
image/svg+xml

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: 9a214e9df938fbc09d96e47ae4dbe031d7a581647a87c38ec371bc2a2d4dc7cf

Request headers

accept-language: de-DE,de;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.124 Safari/537.36

Response headers

Content-Type: image/svg+xml

GET
DATA 200
OK truncated
/ 30 KB
30 KB Font
application/octet-stream

General

Check archive.org

Show headers Download Go to

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: 3a135f82b209a59959b162a1fbc9b0b38856d1332af286f86046b06357b3811e

Request headers

Referer
Origin: https://kadima-isetho.de
accept-language: de-DE,de;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.124 Safari/537.36

Response headers

Content-Type: application/octet-stream

GET
DATA 200
OK truncated
/ 29 KB
29 KB Font
application/octet-stream

General

Check archive.org

Show headers Download Go to

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: f74c344733a85af20d2754b208f12309e2a30c591795d0881cb0ad94c4be6155

Request headers

Referer
Origin: https://kadima-isetho.de
accept-language: de-DE,de;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.124 Safari/537.36

Response headers

Content-Type: application/octet-stream

GET
DATA 200
OK truncated
/ 32 KB
32 KB Font
application/font-woff

General

Check archive.org

Show headers Download Go to

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: 305948d72ce8577a386f77079dacdb6841f18668f64cc7865a196a0624e5b5a8

Request headers

Referer
Origin: https://kadima-isetho.de
accept-language: de-DE,de;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.124 Safari/537.36

Response headers

Content-Type: application/font-woff

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: ING Group (Banking)

2 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object| 0 object| oncontentvisibilityautostatechange

0 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

1 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
security	error	URL: https://kadima-isetho.de/ing/e628a/index.html(Line 281) Message: Refused to frame 'https://kadima-isetho.de/ing/e628a/ING%20Login_files/saved_resource.html' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header	Value
X-Content-Type-Options	nosniff

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

kadima-isetho.de
2a01:238:20a:202:1166::
1470546a5f8d7a68deb045a9f3be48c3fa818c53c0b4f8c854d6acdec64aa225
305948d72ce8577a386f77079dacdb6841f18668f64cc7865a196a0624e5b5a8
3a135f82b209a59959b162a1fbc9b0b38856d1332af286f86046b06357b3811e
9a214e9df938fbc09d96e47ae4dbe031d7a581647a87c38ec371bc2a2d4dc7cf
f4777b7a3b29aba8928cb11b2eb8977c7a4d215000df814668f9dd49495f56a1
f74c344733a85af20d2754b208f12309e2a30c591795d0881cb0ad94c4be6155
fb6ebe23316c03fd8d25e871bfdd9c41eb77e14115f5a01e3e0d97b94617779e

kadima-isetho.de Open in urlscan Pro 2a01:238:20a:202:1166:: Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page Statistics

1 Requests

100 %HTTPS

100 %IPv6

1 Domains

1 Subdomains

2 IPs

1 Countries

399 kBTransfer

459 kBSize

0 Cookies

20 Outgoing links

Redirected requests

1 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 6 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

2 JavaScript Global Variables

0 Cookies

1 Console Messages

Security Headers

Indicators

kadima-isetho.de Open in urlscan Pro
2a01:238:20a:202:1166:: Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

1
Requests

100 %
HTTPS

100 %
IPv6

1
Domains

1
Subdomains

2
IPs

1
Countries

399 kB
Transfer

459 kB
Size

0
Cookies

1 HTTP transactions
6 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!