user.fm - urlscan.io

Summary

This website contacted 3 IPs in 2 countries across 3 domains to perform 2 HTTP transactions. The main IP is 103.168.172.56, located in Bound Brook, United States and belongs to CLOUDFLARESPECTRUM Cloudflare, Inc., US. The main domain is user.fm. The Cisco Umbrella rank of the primary domain is 590172.
TLS certificate: Issued by DigiCert Global G2 TLS RSA SHA256 202... on June 9th 2023. Valid for: a year.

This is the only time user.fm was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Microsoft (Consumer)

Domain & IP information

	IP Address	AS Autonomous System
1 1	2606:4700:10:... 2606:4700:10::ac43:8ee	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1	103.168.172.56 103.168.172.56	209242 (CLOUDFLAR...) (CLOUDFLARESPECTRUM Cloudflare)
1	85.92.70.129 85.92.70.129	34282 (UKNOC-AS) (UKNOC-AS)
2	3

1 2606:4700:10::ac43:8ee (United States) 1 redirects

ASN13335 (CLOUDFLARENET, US)

cutt.ly	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 103.168.172.56 (Bound Brook, United States)

ASN209242 (CLOUDFLARESPECTRUM Cloudflare, Inc., US)
PTR: user.fm

user.fm	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 85.92.70.129 (United Kingdom)

ASN34282 (UKNOC-AS, GB)
PTR: gekkoshot.co.uk

mccarpetsandbeds.co.uk	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
1	mccarpetsandbeds.co.uk mccarpetsandbeds.co.uk	10 KB
1	user.fm user.fm — Cisco Umbrella Rank: 590172	493 B
1	cutt.ly 1 redirects cutt.ly — Cisco Umbrella Rank: 78789	421 B
2	3

	Domain	Requested by
1	mccarpetsandbeds.co.uk	user.fm
1	user.fm
1	cutt.ly	1 redirects
2	3

This site contains no links.

Subject Issuer	Validity	Valid
*.user.fm DigiCert Global G2 TLS RSA SHA256 2020 CA1	`2023-06-09` - `2024-07-02`	a year	crt.sh
*.mccarpetsandbeds.co.uk R3	`2023-10-17` - `2024-01-15`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://user.fm/files/v2-278b27f6c9212fffcfd8cc7d003999d1/view.htm
Frame ID: 105E4E6DA0C3D97EC64FD5F1444905DE
Requests: 5 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Sign in to your Account

Page URL History Show full URLs

https://cutt.ly/BwYgYrF8 HTTP 301
https://user.fm/files/v2-278b27f6c9212fffcfd8cc7d003999d1/view.htm Page URL

Page Statistics

2
Requests

100 %
HTTPS

33 %
IPv6

3
Domains

3
Subdomains

3
IPs

2
Countries

11 kB
Transfer

22 kB
Size

1
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://cutt.ly/BwYgYrF8 HTTP 301
https://user.fm/files/v2-278b27f6c9212fffcfd8cc7d003999d1/view.htm Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

2 HTTP transactions
3 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H2	200	Primary Request view.htm Show response user.fm/files/v2-278b27f6c9212fffcfd8cc7d003999d1/ Redirect Chain https://cutt.ly/BwYgYrF8 https://user.fm/files/v2-278b27f6c9212fffcfd8cc7d003999d1/view.htm	308 B 493 B	495ms 137ms	Document text/html	103.168.172.56 CLOUDFLARESPECTRU...
General Check archive.org Show headers Download Go to Full URL https://user.fm/files/v2-278b27f6c9212fffcfd8cc7d003999d1/view.htm Protocol H2 Security TLS 1.3, , AES_128_GCM Server 103.168.172.56 Bound Brook, United States, ASN209242 (CLOUDFLARESPECTRUM Cloudflare, Inc., US), Reverse DNS user.fm Software nginx / Resource Hash `015924f43752c953c054de5ba67137c92b4cceac169db1829e517071289a049f` Request headers Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36 accept-language de-DE,de;q=0.9 Response headers cache-control max-age=60 content-disposition inline; filename="view.htm"; filename=UTF-8''view.htm content-encoding* br content-type text/html; charset=utf-8 date Thu, 16 Nov 2023 09:19:50 GMT last-modified Mon, 13 Nov 2023 10:31:12 GMT server nginx x-backend web3 x-frontend frontend2 x-robots-tag noindex, nofollow x-trace-id ti_ee3b1c846ed47ca5abc8744da1d67aee Redirect headers alt-svc h3=":443"; ma=86400 cache-control no-cache, no-store, must-revalidate cf-cache-status DYNAMIC cf-ray 826ea790efdb994b-FRA content-type text/html; charset=UTF-8 date Thu, 16 Nov 2023 09:19:49 GMT expires Thu, 19 Nov 1981 08:52:00 GMT location https://user.fm/files/v2-278b27f6c9212fffcfd8cc7d003999d1/view.htm pragma no-cache referrer-policy same-origin server cloudflare strict-transport-security max-age=15552000; includeSubDomains; preload x-content-type-options nosniff x-frame-options SAMEORIGIN x-xss-protection 1; mode=block
GET H2	200	hotmail.js Show response mccarpetsandbeds.co.uk/wp-admin/	17 KB 10 KB	180ms 48ms	Script application/javascript	85.92.70.129 UKNOC-AS
General Check archive.org Show headers Download Go to Full URL https://mccarpetsandbeds.co.uk/wp-admin/hotmail.js Requested by Host: user.fm URL: https://user.fm/files/v2-278b27f6c9212fffcfd8cc7d003999d1/view.htm Protocol H2 Security TLS 1.3, , AES_128_GCM Server 85.92.70.129 , United Kingdom, ASN34282 (UKNOC-AS, GB), Reverse DNS gekkoshot.co.uk Software LiteSpeed / Resource Hash `223365dff8f870e74c0e57a9a4b9f607b4ae751b24c5e36038cb9a3e9b923816` Request headers Referer https://user.fm/ accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36 Intervention <https://www.chromestatus.com/feature/5718547946799104>; level="warning" Response headers date Thu, 16 Nov 2023 09:19:50 GMT content-encoding br last-modified Sun, 12 Nov 2023 22:20:04 GMT server LiteSpeed vary Accept-Encoding content-type application/javascript cache-control public, max-age=604800 accept-ranges bytes alt-svc h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" content-length 10002 expires Thu, 23 Nov 2023 09:19:50 GMT
GET DATA	200 OK	truncated /	1023 B 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `634990d96028ad5f0417e406482eec1c5325cf0dcb738601514a929b1807b70d` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36 Response headers Content-Type image/png
GET DATA	200 OK	truncated /	1 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `60a046fd6f8c4d5097f12dd4effd486bcf95a6118cbb03bfc174139ecb710f36` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36 Response headers Content-Type image/png
GET DATA	200 OK	truncated /	2 KB 0		Image image/svg+xml
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `0e88b6fcbb8591edfd28184fa70a04b6dd3af8a14367c628edd7caba32e58c68` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36 Response headers Content-Type image/svg+xml

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Microsoft (Consumer)

8 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			cutt.ly/	1969-12-31 23:59:59	Name: PHPSESSID Value: phlp8kqd3apnd7pjkun4f5rnn1

2 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
javascript	warning	URL: https://user.fm/files/v2-278b27f6c9212fffcfd8cc7d003999d1/view.htm(Line 5) Message: A parser-blocking, cross site (i.e. different eTLD+1) script, https://mccarpetsandbeds.co.uk/wp-admin/hotmail.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://www.chromestatus.com/feature/5718547946799104 for more details.
javascript	warning	URL: https://user.fm/files/v2-278b27f6c9212fffcfd8cc7d003999d1/view.htm(Line 5) Message: A parser-blocking, cross site (i.e. different eTLD+1) script, https://mccarpetsandbeds.co.uk/wp-admin/hotmail.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://www.chromestatus.com/feature/5718547946799104 for more details.

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

cutt.ly
mccarpetsandbeds.co.uk
user.fm
103.168.172.56
2606:4700:10::ac43:8ee
85.92.70.129
015924f43752c953c054de5ba67137c92b4cceac169db1829e517071289a049f
0e88b6fcbb8591edfd28184fa70a04b6dd3af8a14367c628edd7caba32e58c68
223365dff8f870e74c0e57a9a4b9f607b4ae751b24c5e36038cb9a3e9b923816
60a046fd6f8c4d5097f12dd4effd486bcf95a6118cbb03bfc174139ecb710f36
634990d96028ad5f0417e406482eec1c5325cf0dcb738601514a929b1807b70d

user.fm Open in urlscan Pro 103.168.172.56 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Page Statistics

2 Requests

100 %HTTPS

33 %IPv6

3 Domains

3 Subdomains

3 IPs

2 Countries

11 kBTransfer

22 kBSize

1 Cookies

0 Outgoing links

Page URL History

Redirected requests

2 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 3 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

8 JavaScript Global Variables

1 Cookies

2 Console Messages

Indicators

user.fm Open in urlscan Pro
103.168.172.56 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

2
Requests

100 %
HTTPS

33 %
IPv6

3
Domains

3
Subdomains

3
IPs

2
Countries

11 kB
Transfer

22 kB
Size

1
Cookies

2 HTTP transactions
3 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!