urlscan.io logo urlscan.io
SecurityTrails logo

53express.net Open in urlscan Pro
193.34.167.237  Malicious Activity! Public Scan

Go To Rescan Add Verdict Report
URL: http://53express.net/portal/authn
Submission: On October 28 via manual from US
 Behaviour Indicators
Similar DOM Content API
Verdicts

Summary

This website contacted 3 IPs in 2 countries across 2 domains to perform 3 HTTP transactions. The main IP is 193.34.167.237, located in Netherlands and belongs to SNEL, NL. The main domain is 53express.net.
This is the only time 53express.net was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Fifth Third Bank (Banking)

Domain & IP information

IP Address AS Autonomous System
2 193.34.167.237 62370 (SNEL)
1 216.82.178.25 36050 (FLOKY)
3 3
Apex Domain
Subdomains		 Transfer
2 53express.net
53express.net
32 KB
1 53.com
express.53.com
7 KB
3 2
Domain Requested by
2 53express.net 53express.net
1 express.53.com
3 2

This site contains no links.

Subject Issuer Validity Valid
express.53.com
DigiCert SHA2 Extended Validation Server CA		 2020-06-15 -
2021-07-05		 a year crt.sh

This page contains 1 frames:

Primary Page: http://53express.net/portal/authn
Frame ID: 636B771A2431E38D1D66BD12C7189572
Requests: 4 HTTP requests in this frame

Screenshot
Live screenshot
Full Image

Detected technologies

Overall confidence: 100%
Detected patterns
  • headers server /nginx(?:\/([\d.]+))?/i

Page Statistics

3
Requests

33 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

3
IPs

2
Countries

40 kB
Transfer

38 kB
Size

0
Cookies

Redirected requests

There were HTTP redirect chains for the following requests:

3 HTTP transactions

Resource
Path		 Size
x-fer		 Type
MIME-Type
Primary Request authn
53express.net/portal/ 		14 KB
14 KB 		Document
General
Check archive.org
Download Go to
Full URL
http://53express.net/portal/authn
Protocol
HTTP/1.1
Server
193.34.167.237 , Netherlands, ASN62370 (SNEL, NL),
Reverse DNS
2.express.net
Software
nginx /
Resource Hash
1e06cea491202be89fb009e7a346e9c237cec65ece8b6d615bdc792481e8efaa

Request headers

Host
53express.net
Connection
keep-alive
Pragma
no-cache
Cache-Control
no-cache
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding
gzip, deflate
Accept-Language
en-US
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

Server
nginx
Date
Wed, 28 Oct 2020 19:21:17 GMT
Content-Type
text/html
Content-Length
14490
Connection
keep-alive
Last-Modified
Sun, 18 Oct 2020 22:17:41 GMT
ETag
"5f8cbf05-389a"
Accept-Ranges
bytes
lob.php
53express.net/ 		18 KB
18 KB 		XHR
General
Check archive.org
Download Go to
Full URL
http://53express.net/lob.php
Requested by
Host: 53express.net
URL: http://53express.net/portal/authn
Protocol
HTTP/1.1
Server
193.34.167.237 , Netherlands, ASN62370 (SNEL, NL),
Reverse DNS
2.express.net
Software
nginx /
Resource Hash
3ac73ae5f98f3679526c289273e91d49b9acca1f4ed0ce64949243864f7f5caf

Request headers

Referer
http://53express.net/portal/authn
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Content-Type
text/plain;charset=UTF-8

Response headers

Access-Control-Allow-Origin
*
Date
Wed, 28 Oct 2020 19:21:17 GMT
Server
nginx
Connection
keep-alive
Transfer-Encoding
chunked
Access-Control-Allow-Methods
POST, GET
Content-Type
text/html; charset=UTF-8
login-logo.svg
express.53.com/static-assets/img/ 		6 KB
7 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://express.53.com/static-assets/img/login-logo.svg
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
216.82.178.25 , United States, ASN36050 (FLOKY, US),
Reverse DNS
express.53.com
Software
/ Servlet/3.1
Resource Hash
cd819d18c71475c967748ed560c26749a702102d7c8b2e7a4c98332e14ca8282
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

Referer
http://53express.net/portal/authn
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

Date
Wed, 28 Oct 2020 19:21:18 GMT
WWW-Authenticate
Basic realm="Fifth Third SSO IHS"
Last-Modified
Tue, 15 Sep 2020 18:40:58 GMT
X-Powered-By
Servlet/3.1
X-Frame-Options
SAMEORIGIN
Connection
Keep-Alive
Content-Language
en-US
X-OneAgent-JS-Injection
true
Cache-Control
no-cache="set-cookie, set-cookie2"
Strict-Transport-Security
max-age=31536000; includeSubDomains
Content-Type
image/svg+xml
Keep-Alive
timeout=15, max=100
Content-Length
6443
X-XSS-Protection
1; mode=block
Expires
Thu, 01 Dec 1994 16:00:00 GMT
truncated
/ 		354 B
0 		Image
General
Check archive.org
Download Go to Show image
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
e8fd729506ec9cab7f5b219a2310fbab12c05d87a55c99696513e3ed9211d279

Request headers

Referer
http://53express.net/portal/authn
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

Content-Type
image/png

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Fifth Third Bank (Banking)

1 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object| trustedTypes

0 Cookies