removepayee-natwest.com Open in urlscan Pro
2606:4700:3031::681f:41fd Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
https://removepayee-natwest.com/
Effective URL:
https://removepayee-natwest.com/Login.php
Submission: On December 07 via automatic, source certstream-suspicious (December 7th 2020, 6:23:34 pm UTC)

Summary HTTP 17 Redirects Links 23 Behaviour Indicators

Summary

This website contacted 1 IPs in 1 countries across 1 domains to perform 17 HTTP transactions. The main IP is 2606:4700:3031::681f:41fd, located in United States and belongs to CLOUDFLARENET, US. The main domain is removepayee-natwest.com.
TLS certificate: Issued by Cloudflare Inc ECC CA-3 on December 7th 2020. Valid for: a year.

This is the only time removepayee-natwest.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: NatWest (Banking)

Domain & IP information

	IP Address		AS Autonomous System
1 18	2606:4700:303... 2606:4700:3031::681f:41fd		13335 (CLOUDFLAR...) (CLOUDFLARENET)
17	1

18 2606:4700:3031::681f:41fd (United States) 1 redirects

ASN13335 (CLOUDFLARENET, US)

removepayee-natwest.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
18	removepayee-natwest.com 1 redirects removepayee-natwest.com	207 KB
17	1

	Domain	Requested by
18	removepayee-natwest.com	1 redirects removepayee-natwest.com
17	1

This site contains links to these domains. Also see Links.

Domain
www.nwolb.com
www.natwest.com
personal.natwest.com
onetrust.com

Subject Issuer	Validity	Valid
sni.cloudflaressl.com Cloudflare Inc ECC CA-3	`2020-12-07` - `2021-12-06`	a year	crt.sh

This page contains 1 frames:

Primary Page: https://removepayee-natwest.com/Login.php
Frame ID: FBF18EE0C05700FBA5241A1D6F94DF43
Requests: 17 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page URL History Show full URLs

https://removepayee-natwest.com/ HTTP 302
https://removepayee-natwest.com/Login.php Page URL

Detected technologies

CloudFlare (CDN) Expand

Overall confidence: 100%
Detected patterns

headers server /^cloudflare$/i

Page Statistics

17
Requests

100 %
HTTPS

100 %
IPv6

1
Domains

1
Subdomains

1
IPs

1
Countries

207 kB
Transfer

851 kB
Size

1
Cookies

23 Outgoing links

These are links going to different origins than the main page.

URL: https://www.nwolb.com/login.aspx
Title: Return to start of screen / Access key details

Search URL Search Domain Scan URL

URL: https://www.nwolb.com/login.aspx#menu
Title: Skip to Menu

Search URL Search Domain Scan URL

URL: https://www.nwolb.com/login.aspx#content
Title: Skip to main content

Search URL Search Domain Scan URL

URL: https://www.natwest.com/premier
Title: Premier

Search URL Search Domain Scan URL

URL: https://www.natwest.com/business.ashx
Title: Business

Search URL Search Domain Scan URL

URL: https://www.natwest.com/corporate
Title: Corporate

Search URL Search Domain Scan URL

URL: https://www.natwest.com/international.ashx
Title: International

Search URL Search Domain Scan URL

URL: https://www.natwest.com/
Title:

Search URL Search Domain Scan URL

URL: https://www.natwest.com/AOhome
Title: Products

Search URL Search Domain Scan URL

URL: https://www.natwest.com/AOsupport
Title: Support

Search URL Search Domain Scan URL

URL: https://www.natwest.com/AOlifemoments
Title: Life Moments

Search URL Search Domain Scan URL

URL: https://www.natwest.com/onlineguide
Title: Show me how to…

Search URL Search Domain Scan URL

URL: https://www.nwolb.com/Login.aspx
Title: Log in

Search URL Search Domain Scan URL

URL: https://personal.natwest.com/personal/fraud-and-security/fraud-guide/telephone-fraud.html
Title:

Search URL Search Domain Scan URL

URL: https://www.natwest.com/FSCSbrochure
Title:

Search URL Search Domain Scan URL

URL: https://www.nwolb.com/help.aspx?id=CN1
Title: Forgotten your customer number?

Search URL Search Domain Scan URL

URL: https://www.nwolb.com/Default.aspx?InnerPage=OLE
Title: Sign up here

Search URL Search Domain Scan URL

URL: https://www.nwolb.com/TermsAndConditions.aspx
Title: Legal Info

Search URL Search Domain Scan URL

URL: https://www.natwest.com/tools/general/nwolb_legals/security.htm
Title: Security

Search URL Search Domain Scan URL

URL: https://www.nwolb.com/cookiesPolicy.aspx
Title: Privacy & Cookies

Search URL Search Domain Scan URL

URL: https://www.natwest.com/tools/general/nwolb_legals/accessibility.htm
Title: Accessibility

Search URL Search Domain Scan URL

URL: https://onetrust.com/poweredbyonetrust

Search URL Search Domain Scan URL

URL: https://www.nwolb.com/login.aspx?refererIdent=C0D374D305343333CF060729101BCF4318355E81&CookieCheck=2020-08-19T15:28:42
Title: View Privacy Notice

Search URL Search Domain Scan URL

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://removepayee-natwest.com/ HTTP 302
https://removepayee-natwest.com/Login.php Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

17 HTTP transactions
0 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H2	200	Primary Request Login.php Show response removepayee-natwest.com/ Redirect Chain https://removepayee-natwest.com/ https://removepayee-natwest.com/Login.php	247 KB 32 KB	719ms 719ms	Document text/html	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Full URL https://removepayee-natwest.com/Login.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / PHP/7.2.34 Resource Hash `83d90f4e2f00008b7780f222b2f6f5347e062b0ec0979ab20fe2a07ffaf5b2e4` Request headers :method GET :authority removepayee-natwest.com :scheme https :path /Login.php pragma no-cache cache-control no-cache upgrade-insecure-requests 1 user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 accept text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 sec-fetch-site none sec-fetch-mode navigate sec-fetch-user ?1 sec-fetch-dest document accept-encoding gzip, deflate, br accept-language en-US cookie __cfduid=defa3454da7d00a7067d77bc3cc37e9521607365396 Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:17 GMT content-type text/html; charset=UTF-8 x-powered-by PHP/7.2.34 vary Accept-Encoding cf-cache-status DYNAMIC cf-request-id 06e00aa308000016eab638b000000001 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=mFI89CTe9R6xhgPG9GrEOMc3GVtDDrPaa%2B7%2BQKQjbUQbV95iYAZDuccTZte%2B0KYkF23wIh0AQ0A8vp97RDIDo2vfX7k5Ozy1dpj%2FzO8wPlF%2Bps67QQr67wudJRi3lAlyZBrwIA%3D%3D"}],"group":"cf-nel","max_age":604800} nel {"report_to":"cf-nel","max_age":604800} server cloudflare cf-ray 5fe046e4df9216ea-FRA content-encoding br Redirect headers date Mon, 07 Dec 2020 18:23:17 GMT content-type text/html; charset=UTF-8 set-cookie __cfduid=defa3454da7d00a7067d77bc3cc37e9521607365396; expires=Wed, 06-Jan-21 18:23:16 GMT; path=/; domain=.removepayee-natwest.com; HttpOnly; SameSite=Lax; Secure x-powered-by PHP/7.2.34 location Login.php cf-cache-status DYNAMIC cf-request-id 06e00aa0c7000016ea9296a000000001 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4HlOiGM9yXH5YrTRewGSHvkIIgVU%2FfWfOxNAHiWrZ3dR4prvxbmFKOa4uNrzz%2FXqLGoR17nfn1bve%2BaaFXTpY8VXqfpvHjZe2JDd1G3tiagtEh8GRKNhjO76wLKEX%2FCqsqiLug%3D%3D"}],"group":"cf-nel","max_age":604800} nel {"report_to":"cf-nel","max_age":604800} server cloudflare cf-ray 5fe046e13e1e16ea-FRA
GET H2	200	master.css removepayee-natwest.com/files/css/	238 KB 42 KB	29ms 28ms	Stylesheet text/css	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Full URL https://removepayee-natwest.com/files/css/master.css Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/Login.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `0a81a04d3b47c0ce2ca1d59441142e0d519a278f07373dfd41fd6edc1872f601` Request headers Referer https://removepayee-natwest.com/Login.php User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT content-encoding br cf-cache-status HIT last-modified Sat, 28 Nov 2020 19:03:49 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=tI3sY5%2F7fjC2JU%2B46Qrm3rko7iLh5jVIJZcuGDG6ZRsnkOxUy5SuOuFph2tALzA6h7oVYV%2FNvWy6tPenadDX3iib%2BGBTYeNIOY%2FeNox43uP4QjFo%2BHSiPuDCVZ32EWscUkNdbQ%3D%3D"}],"group":"cf-nel","max_age":604800} content-type text/css cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} cf-ray 5fe046e96baf16ea-FRA cf-request-id 06e00aa5e0000016ea63a4c000000001
GET H2	200	npc.css removepayee-natwest.com/files/css/	50 KB 10 KB	21ms 20ms	Stylesheet text/css	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Full URL https://removepayee-natwest.com/files/css/npc.css Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/Login.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `e6d03fb291fdf6036e3e04726f771d360b19353c35f10549b263e50e1f07a420` Request headers Referer https://removepayee-natwest.com/Login.php User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:17 GMT content-encoding br cf-cache-status HIT last-modified Wed, 19 Aug 2020 21:50:04 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=e2Puh%2BmRqtze7g3F%2B%2BgnuvPyrdv%2Fx2HDppNAbbPsQeuzqZ2%2BMrWgHqXzLwG2HhMxUppgjSRhy1uCGSGVeJqoVntNmNuuzE36OaBGmgOlJTMDRuJR3uKn3KoGGICyJ7qfCdc2YA%3D%3D"}],"group":"cf-nel","max_age":604800} content-type text/css cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} cf-ray 5fe046e96bb916ea-FRA cf-request-id 06e00aa5df000016ea5d219000000001
GET H2	200	overlayPromptMaster.css removepayee-natwest.com/files/css/	1 KB 778 B	19ms 18ms	Stylesheet text/css	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Full URL https://removepayee-natwest.com/files/css/overlayPromptMaster.css Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/Login.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `42e70c32efffee33a1d8bddf152d6b754fa8abb83c6166444b8d41b217d9dae6` Request headers Referer https://removepayee-natwest.com/Login.php User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:17 GMT content-encoding br cf-cache-status HIT last-modified Wed, 19 Aug 2020 16:29:34 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ez5f40Sm3Iy85U79Y3zDeVCUi0%2BFD1F6X07ACb%2FJaYYioOaaVr8DIpXBcqrirxzTAm5y3p0xnbStQBda6yB5gwY43sVQ%2B2MGhMF3bsIr0GOTqB0NnEWnU4AimyxI8akH62ZQcQ%3D%3D"}],"group":"cf-nel","max_age":604800} content-type text/css cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} cf-ray 5fe046e96bbd16ea-FRA cf-request-id 06e00aa5e1000016eaa3107000000001
GET H2	200	overlayPrompt.css removepayee-natwest.com/files/css/	76 B 369 B	22ms 21ms	Stylesheet text/css	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Full URL https://removepayee-natwest.com/files/css/overlayPrompt.css Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/Login.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `ef7db794b4a6b5c42d2535919d91fb11da1e5cd1147f35196db382197b35fdee` Request headers Referer https://removepayee-natwest.com/Login.php User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:17 GMT content-encoding br cf-cache-status HIT last-modified Wed, 19 Aug 2020 16:29:34 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=c2lFQ4%2BW5v%2F01rEAORNdATWuwyl12cYUDfpxpyLcevDlOxtthsHhGFAQz%2FgVJF%2BlMdaQzUqf0rlI%2Bar4nYgncZ7Xq9CrKN16gXQs4waH%2FQhM87%2BjVnag0VXjQ%2BTBPKfX6T2%2BwQ%3D%3D"}],"group":"cf-nel","max_age":604800} content-type text/css cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} cf-ray 5fe046e96bbf16ea-FRA cf-request-id 06e00aa5e0000016ea62bd3000000001
GET H2	200	jquery.js Show response removepayee-natwest.com/files/js/	266 KB 73 KB	37ms 37ms	Script application/javascript	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Full URL https://removepayee-natwest.com/files/js/jquery.js Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/Login.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `84086bb634fc6fd223918894c6b74641811e06e84007937c5809942b7a02ddff` Request headers Referer https://removepayee-natwest.com/Login.php User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT content-encoding br cf-cache-status HIT last-modified Sat, 24 Aug 2019 08:25:18 GMT server cloudflare age 83 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=5VOtxeGNNpyV7qYv8UU7vUnQZ%2BvlawADZkMwfkGkd08biCsB4p6T%2F1loGJBDiG0Hxlqqq80VDDWLuT4XKadUW1CkuErpTFJbfTZ8mBny55OyUWJVHa3eINqTXWaD5K%2FwSyryUg%3D%3D"}],"group":"cf-nel","max_age":604800} content-type application/javascript cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} cf-ray 5fe046ea6e7c16ea-FRA cf-request-id 06e00aa67f000016ea75100000000001
GET H2	200	n-w-logo.svg removepayee-natwest.com/files/img/	5 KB 2 KB	15ms 14ms	Image image/svg+xml	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Show image Full URL https://removepayee-natwest.com/files/img/n-w-logo.svg Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/Login.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `668faa210a0e0cabb9aa13a1a6ad4e3b22b0f9cad90c43694ba37a8a4714b0e6` Request headers Referer https://removepayee-natwest.com/Login.php User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT content-encoding br cf-cache-status HIT last-modified Wed, 19 Aug 2020 16:41:22 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=nfo0EPT8ZcN8jRQNuOYyotDkSR%2BWa8J7JiCVpEFteFxSWzxRBPH0rCf7uozvzMdhJaqbexqpjjhHQqqYLMOPPy5B7YMDsrv7IdW4jn2paxUKMWPHGRQxT6KHhKk%2B9vvLDBaspw%3D%3D"}],"group":"cf-nel","max_age":604800} content-type image/svg+xml cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} cf-ray 5fe046ea6e9716ea-FRA cf-request-id 06e00aa684000016ea8e384000000001
GET H2	200	nw-security-banner-vishing-194x443.gif removepayee-natwest.com/files/img/	14 KB 15 KB	15ms 15ms	Image image/gif	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Show image Full URL https://removepayee-natwest.com/files/img/nw-security-banner-vishing-194x443.gif Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/Login.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `1aea65aeda4e39957158bacd84556ed7a77ab468265e2a163265b346b7f60965` Request headers Referer https://removepayee-natwest.com/Login.php User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT cf-cache-status HIT last-modified Wed, 19 Aug 2020 16:29:40 GMT server cloudflare age 81 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Hpfq%2Bbt%2BPP%2FKTtnxTA8lKO7VQ5%2Fob6mFX5Mzr6B%2BkVTRfB5ZWUqrjTmaGy7TRlqa%2BSp7RpsqKc2lACFyUT1hGMyTx8Mh8m0zH%2F%2F1CNxywM0WtiJM1bzHd%2FuY1XccfELIH4xlVQ%3D%3D"}],"group":"cf-nel","max_age":604800} content-type image/gif cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} accept-ranges bytes cf-ray 5fe046ea8ed116ea-FRA content-length 14375 cf-request-id 06e00aa693000016ea588da000000001
GET H2	200	FSCS_Protected_Logo.png removepayee-natwest.com/files/img/	6 KB 6 KB	16ms 15ms	Image image/png	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Show image Full URL https://removepayee-natwest.com/files/img/FSCS_Protected_Logo.png Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/Login.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `f2b557317fb851b3ed73c2d8203192e9ed433bd006ca5025ccb3317ef15e1b8d` Request headers Referer https://removepayee-natwest.com/Login.php User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT cf-cache-status HIT last-modified Wed, 19 Aug 2020 16:29:40 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YfUIBQOJz0Rrciq0xIQnHrkUnZdm2Tq5u9I9v%2BD7vW7dRIV8P%2BFY3gl%2BhTO2Qu62u7IqgDFQs3XbcvpxLVuRViPV3x7CfSx1QT%2BAVCPImm0%2BF5v0sOy7UhLkeZ234dpMyzSitA%3D%3D"}],"group":"cf-nel","max_age":604800} content-type image/png cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} accept-ranges bytes cf-ray 5fe046eaaf0b16ea-FRA content-length 5679 cf-request-id 06e00aa6a5000016ea4124d000000001
GET H2	200	error-marker.png removepayee-natwest.com/files/img/	1 KB 1 KB	211ms 211ms	Image image/png	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Show image Full URL https://removepayee-natwest.com/files/img/error-marker.png Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/Login.php Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `27f324f2ad60091d5e8f76adfef83f9122dc8aa8df29d0a8d970bfe06aaa5005` Request headers Referer https://removepayee-natwest.com/Login.php User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT cf-cache-status HIT last-modified Wed, 19 Aug 2020 16:29:40 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=FHGIrJw1XnIZ2eNwsYkzkJDUcfcUwheAb7lXe7IXjpr54dzMYJgRi6vVkEN71o8VFgRdQNQ6IqayCD9TrIHWvgPWYKQowGuFsbc6RPNZcn6LfGIksKC%2FUNCnqjR1GX2bRwltZA%3D%3D"}],"group":"cf-nel","max_age":604800} content-type image/png cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} accept-ranges bytes cf-ray 5fe046eaaf2116ea-FRA content-length 1090 cf-request-id 06e00aa6ab000016ea8f0db000000001
GET H2	200	white-lock.png removepayee-natwest.com/files/img/	285 B 609 B	16ms 16ms	Image image/png	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Show image Full URL https://removepayee-natwest.com/files/img/white-lock.png Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/files/css/npc.css Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `b465d00b89619e9899ec7d618559157db09f935d318466d67deb036157fadcf2` Request headers Referer https://removepayee-natwest.com/files/css/npc.css User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT cf-cache-status HIT last-modified Wed, 19 Aug 2020 16:40:48 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=gsPW8rqfx8OwLMqiS2o8Y6L1MP1DgVWsBL%2FSXHEyUzYfc1PB5ZJQeNLUpPygxvbnrsDsIfmq0u185F9%2BhjRLGAu2%2BETPSqdif3NgrZGJdrUVFYLWvPrtR%2BSg%2BYQxrm8Deomohg%3D%3D"}],"group":"cf-nel","max_age":604800} content-type image/png cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} accept-ranges bytes cf-ray 5fe046eacf7d16ea-FRA content-length 285 cf-request-id 06e00aa6be000016ea740ca000000001
GET H2	404	li5_outer_frame_top_curve.gif removepayee-natwest.com/files/images/	315 B 315 B	18ms 17ms	Image text/html	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Show image Full URL https://removepayee-natwest.com/files/images/li5_outer_frame_top_curve.gif Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/files/css/master.css Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3` Request headers Referer https://removepayee-natwest.com/files/css/master.css User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT content-encoding br cf-cache-status HIT nel {"report_to":"cf-nel","max_age":604800} server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Uxh7iAy5azQ2VH%2BuAvdJngMp6Bi0%2BSDUZMwQ%2FlT9NJKB%2BbDVhdw5rUyH0ETMysUXSYKH7fZ1ogu9ZYUwYu14Kt5W%2FNbLj9NcBKOn5Y9F%2Bsp5cYYUAHkMjl76glw1DZKOqFtygA%3D%3D"}],"group":"cf-nel","max_age":604800} content-type text/html; charset=iso-8859-1 cache-control max-age=14400 cf-ray 5fe046eacf8016ea-FRA cf-request-id 06e00aa6bf000016eab63fb000000001
GET H2	200	radio-normal.png removepayee-natwest.com/files/img/	1 KB 2 KB	14ms 14ms	Image image/png	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Show image Full URL https://removepayee-natwest.com/files/img/radio-normal.png Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/files/css/npc.css Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `1ec277d20cb0b2b9d72322f3cc32d988435978a6a8f72b28e0f8ac8b1bf17a72` Request headers Referer https://removepayee-natwest.com/files/css/npc.css User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT cf-cache-status HIT last-modified Wed, 19 Aug 2020 16:43:46 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=xNFmUUDOWmnew2689bizO9RmsZEH9jPuRVNTGuZF6zrZNIpnve2VpvQ7hteyTotlntBrdRtFPesnBoTjcdVlxegqzdLY0Oc3fgOVpKOvK%2Fa6b%2FuV95ZWrPnGFXQZUGEXMOUI3A%3D%3D"}],"group":"cf-nel","max_age":604800} content-type image/png cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} accept-ranges bytes cf-ray 5fe046eacf8316ea-FRA content-length 1317 cf-request-id 06e00aa6bf000016ea65226000000001
GET H2	200	combined-shape.png removepayee-natwest.com/files/img/	359 B 813 B	16ms 15ms	Image image/png	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Show image Full URL https://removepayee-natwest.com/files/img/combined-shape.png Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/files/css/npc.css Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `d1c878b4e69d9da5292c53b1f46708de74c435144895bdfd697208406466a814` Request headers Referer https://removepayee-natwest.com/files/css/npc.css User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT cf-cache-status HIT last-modified Wed, 19 Aug 2020 18:51:30 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YdfprgGz0d076zVSHUWJyvGXSi5kVgU8XFmPf5FX20IFkYFGMoGd8zieWy0LJ1ErTQAF9E8rJ8le4%2BtOfnxMenoXDDOOsDavQigcG6p4OTBvbtEYmiZ1Eg%2B0Jz5cl2vfGe1r6g%3D%3D"}],"group":"cf-nel","max_age":604800} content-type image/png cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} accept-ranges bytes cf-ray 5fe046eacf8c16ea-FRA content-length 359 cf-request-id 06e00aa6c0000016ea95a6b000000001
GET H2	200	check-box.png removepayee-natwest.com/files/img/	157 B 477 B	15ms 15ms	Image image/png	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Show image Full URL https://removepayee-natwest.com/files/img/check-box.png Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/files/css/npc.css Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `d2955b58d801a021737f025d1716a68fd2a143ddac3e0b749fcc053deba6e082` Request headers Referer https://removepayee-natwest.com/files/css/npc.css User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT cf-cache-status HIT last-modified Wed, 19 Aug 2020 16:48:00 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=0Yv4ntgurylnT6%2BwDpGQ2RWMd658xPqsiALrUWiGzNbHGwrQxDgbqWNmwfVe02PKrU7aTX2plhHgWDrKoF8Wrs30hT1Ydo07pzlL4nA6wUc%2Bp%2F2Qumc9eaOtwKf9%2FMliZtO5qA%3D%3D"}],"group":"cf-nel","max_age":604800} content-type image/png cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} accept-ranges bytes cf-ray 5fe046eacf9016ea-FRA content-length 157 cf-request-id 06e00aa6c0000016ea96aac000000001
GET H2	200	down-chevron.png removepayee-natwest.com/files/img/	295 B 642 B	15ms 14ms	Image image/png	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Show image Full URL https://removepayee-natwest.com/files/img/down-chevron.png Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/files/css/npc.css Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `4f5a022467e927b5b385cc335e58434a49bad0520ed018fc059075069d695c79` Request headers Referer https://removepayee-natwest.com/files/css/npc.css User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT cf-cache-status HIT last-modified Wed, 19 Aug 2020 17:20:20 GMT server cloudflare age 82 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=VsTFBj0MT%2FesKyvKI2ceXC3En3MHncqbHROMhdXu1NoMjpRYG%2FXL8ZQeeX8JDGKy93bPjusObjDlPHsDlLULl8tkjb%2F%2FLVVc60F%2F9EAApg24WrGTEkctSBbVr9pf5yvwPUCqsg%3D%3D"}],"group":"cf-nel","max_age":604800} content-type image/png cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} accept-ranges bytes cf-ray 5fe046eacf9316ea-FRA content-length 295 cf-request-id 06e00aa6c1000016ea79b5c000000001
GET H2	200	RNHouseSansW05-Regular.woff2 removepayee-natwest.com/files/fonts/	21 KB 21 KB	23ms 23ms	Font font/woff2	2606:4700:3031::681f:41fd CLOUDFLARENET
General Check archive.org Show headers Download Go to Full URL https://removepayee-natwest.com/files/fonts/RNHouseSansW05-Regular.woff2 Requested by Host: removepayee-natwest.com URL: https://removepayee-natwest.com/files/css/master.css Protocol H2 Security TLS 1.3, , AES_128_GCM Server 2606:4700:3031::681f:41fd , United States, ASN13335 (CLOUDFLARENET, US), Reverse DNS Software cloudflare / Resource Hash `9be8b2c42ad2d6f7327f62a7d03995a5a4615770154941d59493473186e5140c` Request headers Origin https://removepayee-natwest.com Referer https://removepayee-natwest.com/files/css/master.css User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Response headers date Mon, 07 Dec 2020 18:23:18 GMT cf-cache-status HIT last-modified Wed, 19 Aug 2020 16:30:10 GMT server cloudflare age 81 expect-ct max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary Accept-Encoding report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=66C0c%2F9ltUSnGUzxlxCpsYFxghuEM3FmacGP919E7ALSPxohBsf%2BmDCKMMji1sIlzAsqQDpfk1ZQem%2B11hgeTpNZ9P0NkEOEhmGL2H3l9g4cC7JZcHCaZXHQ4dcd%2FxYpwIbIpA%3D%3D"}],"group":"cf-nel","max_age":604800} content-type font/woff2 cache-control max-age=14400 nel {"report_to":"cf-nel","max_age":604800} accept-ranges bytes cf-ray 5fe046eacf9716ea-FRA content-length 21572 cf-request-id 06e00aa6c1000016ea42202000000001

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: NatWest (Banking)

11 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			.removepayee-natwest.com/	1970-01-19 15:12:37	Name: __cfduid Value: defa3454da7d00a7067d77bc3cc37e9521607365396

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

removepayee-natwest.com
2606:4700:3031::681f:41fd
0a81a04d3b47c0ce2ca1d59441142e0d519a278f07373dfd41fd6edc1872f601
1aea65aeda4e39957158bacd84556ed7a77ab468265e2a163265b346b7f60965
1ec277d20cb0b2b9d72322f3cc32d988435978a6a8f72b28e0f8ac8b1bf17a72
27f324f2ad60091d5e8f76adfef83f9122dc8aa8df29d0a8d970bfe06aaa5005
42e70c32efffee33a1d8bddf152d6b754fa8abb83c6166444b8d41b217d9dae6
4f5a022467e927b5b385cc335e58434a49bad0520ed018fc059075069d695c79
668faa210a0e0cabb9aa13a1a6ad4e3b22b0f9cad90c43694ba37a8a4714b0e6
83d90f4e2f00008b7780f222b2f6f5347e062b0ec0979ab20fe2a07ffaf5b2e4
84086bb634fc6fd223918894c6b74641811e06e84007937c5809942b7a02ddff
9be8b2c42ad2d6f7327f62a7d03995a5a4615770154941d59493473186e5140c
b465d00b89619e9899ec7d618559157db09f935d318466d67deb036157fadcf2
d1c878b4e69d9da5292c53b1f46708de74c435144895bdfd697208406466a814
d2955b58d801a021737f025d1716a68fd2a143ddac3e0b749fcc053deba6e082
d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3
e6d03fb291fdf6036e3e04726f771d360b19353c35f10549b263e50e1f07a420
ef7db794b4a6b5c42d2535919d91fb11da1e5cd1147f35196db382197b35fdee
f2b557317fb851b3ed73c2d8203192e9ed433bd006ca5025ccb3317ef15e1b8d

removepayee-natwest.com Open in urlscan Pro 2606:4700:3031::681f:41fd Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page URL History Show full URLs

Detected technologies

Page Statistics

17 Requests

100 %HTTPS

100 %IPv6

1 Domains

1 Subdomains

1 IPs

1 Countries

207 kBTransfer

851 kBSize

1 Cookies

23 Outgoing links

Page URL History

Redirected requests

17 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

11 JavaScript Global Variables

1 Cookies

Indicators

removepayee-natwest.com Open in urlscan Pro
2606:4700:3031::681f:41fd Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

17
Requests

100 %
HTTPS

100 %
IPv6

1
Domains

1
Subdomains

1
IPs

1
Countries

207 kB
Transfer

851 kB
Size

1
Cookies

17 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!