identify.netbanken-se.net Open in urlscan Pro
89.185.84.39 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
https://tinyurl.com/3w5nkax5
Effective URL:
https://identify.netbanken-se.net/foretag/mobilt-bankid
Submission: On November 16 via manual (November 16th 2022, 3:14:23 pm UTC) from FI — Scanned from SE

Summary HTTP 8 Redirects Behaviour Indicators

Summary

This website contacted 1 IPs in 2 countries across 2 domains to perform 8 HTTP transactions. The main IP is 89.185.84.39, located in London, United Kingdom and belongs to GIR-AS, RU. The main domain is identify.netbanken-se.net.
TLS certificate: Issued by R3 on November 15th 2022. Valid for: 3 months.

This is the only time identify.netbanken-se.net was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Nordea (Banking)

Domain & IP information

	IP Address	AS Autonomous System
1 1	172.67.1.225 172.67.1.225	13335 (CLOUDFLAR...) (CLOUDFLARENET)
8	89.185.84.39 89.185.84.39	207713 (GIR-AS) (GIR-AS)
8	1

1 172.67.1.225 (United States) 1 redirects

ASN13335 (CLOUDFLARENET, US)

tinyurl.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

8 89.185.84.39 (London, United Kingdom)

ASN207713 (GIR-AS, RU)
PTR: 4SER-1668410871.4server.su

identify.netbanken-se.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
8	netbanken-se.net identify.netbanken-se.net	244 KB
1	tinyurl.com 1 redirects tinyurl.com — Cisco Umbrella Rank: 15392	361 B
8	2

	Domain	Requested by
8	identify.netbanken-se.net	identify.netbanken-se.net
1	tinyurl.com	1 redirects
8	2

This site contains no links.

Subject Issuer	Validity	Valid
identify.netbanken-se.net R3	`2022-11-15` - `2023-02-13`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://identify.netbanken-se.net/foretag/mobilt-bankid
Frame ID: 260F6FC37CBEFEAC45507C4D9A480E08
Requests: 8 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Förnya Mobilt BankID - Nordea

Page URL History Show full URLs

https://tinyurl.com/3w5nkax5 HTTP 301
https://identify.netbanken-se.net/foretag/mobilt-bankid Page URL

Detected technologies

Laravel (Web Frameworks) Expand

Overall confidence: 100%
Detected patterns

Page Statistics

8
Requests

100 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

1
IPs

2
Countries

244 kB
Transfer

904 kB
Size

2
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://tinyurl.com/3w5nkax5 HTTP 301
https://identify.netbanken-se.net/foretag/mobilt-bankid Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

8 HTTP transactions
0 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H2

200

Primary Request mobilt-bankid Show response
identify.netbanken-se.net/foretag/
Redirect Chain

https://tinyurl.com/3w5nkax5
https://identify.netbanken-se.net/foretag/mobilt-bankid

6 KB
3 KB

493ms
83ms

Document
text/html

89.185.84.39
GIR-AS

General

Check archive.org

Show headers Download Go to

Full URL

https://identify.netbanken-se.net/foretag/mobilt-bankid

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

89.185.84.39 London, United Kingdom, ASN207713 (GIR-AS, RU),

Reverse DNS

4SER-1668410871.4server.su

Software

nginx /

Resource Hash

c6eddb94c10efbd5d3f3681e290913902516bfedc70c5ad7ee6651c04519c5bf

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/92.0.4515.90 Mobile/15E148 Safari/604.1
accept-language: se-SE,se;q=0.9

Response headers

cache-control: no-cache, private
content-encoding: gzip
content-type: text/html; charset=UTF-8
date: Wed, 16 Nov 2022 15:14:19 GMT
server: nginx
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

Redirect headers

alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
cache-control: max-age=0, public, s-max-age=900, stale-if-error: 86400
cf-cache-status: DYNAMIC
cf-ray: 76b12cef98df09b1-ARN
content-type: text/html; charset=UTF-8
date: Wed, 16 Nov 2022 15:14:18 GMT
location: https://identify.netbanken-se.net/foretag/mobilt-bankid
referrer-policy: unsafe-url
server: cloudflare
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-powered-by: PHP/8.1.8
x-xss-protection: 1; mode=block

GET
H2 200 app.css
identify.netbanken-se.net/css/nordea/ 17 KB
4 KB 61ms
60ms Stylesheet
text/css 89.185.84.39
GIR-AS

General

Check archive.org

Show headers Download Go to

Full URL

https://identify.netbanken-se.net/css/nordea/app.css?id=9181c3676fc1d9b91437f6fef73c48ce

Requested by

Host: identify.netbanken-se.net
URL: https://identify.netbanken-se.net/foretag/mobilt-bankid

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

89.185.84.39 London, United Kingdom, ASN207713 (GIR-AS, RU),

Reverse DNS

4SER-1668410871.4server.su

Software

nginx /

Resource Hash

2dd7a4aaf28ffec907932bfac6831e81c76aa0f502687d27670fd130528cf080

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

accept-language: se-SE,se;q=0.9
Referer: https://identify.netbanken-se.net/foretag/mobilt-bankid
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/92.0.4515.90 Mobile/15E148 Safari/604.1

Response headers

date: Wed, 16 Nov 2022 15:14:19 GMT
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Tue, 15 Nov 2022 08:51:07 GMT
server: nginx
etag: W/"637352fb-459e"
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
content-type: text/css
x-xss-protection: 1; mode=block

GET
H2 200 bankid.svg
identify.netbanken-se.net/images/ 3 KB
2 KB 62ms
61ms Image
image/svg+xml 89.185.84.39
GIR-AS

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://identify.netbanken-se.net/images/bankid.svg

Requested by

Host: identify.netbanken-se.net
URL: https://identify.netbanken-se.net/foretag/mobilt-bankid

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

89.185.84.39 London, United Kingdom, ASN207713 (GIR-AS, RU),

Reverse DNS

4SER-1668410871.4server.su

Software

nginx /

Resource Hash

ce22eb0c405b78a4247ec19eba5816e03a01a3c065e84a2bc58a23875cd1efc7

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

accept-language: se-SE,se;q=0.9
Referer: https://identify.netbanken-se.net/foretag/mobilt-bankid
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/92.0.4515.90 Mobile/15E148 Safari/604.1

Response headers

date: Wed, 16 Nov 2022 15:14:19 GMT
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Tue, 15 Nov 2022 08:51:07 GMT
server: nginx
etag: W/"637352fb-cb1"
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
content-type: image/svg+xml
x-xss-protection: 1; mode=block

GET
H2 200 card_reader.svg
identify.netbanken-se.net/images/nordea/ 891 B
673 B 60ms
60ms Image
image/svg+xml 89.185.84.39
GIR-AS

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://identify.netbanken-se.net/images/nordea/card_reader.svg

Requested by

Host: identify.netbanken-se.net
URL: https://identify.netbanken-se.net/foretag/mobilt-bankid

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

89.185.84.39 London, United Kingdom, ASN207713 (GIR-AS, RU),

Reverse DNS

4SER-1668410871.4server.su

Software

nginx /

Resource Hash

b34c9039b5f92575e57676734ec42dd908ef1877fe59a4d55b4277db69663830

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

accept-language: se-SE,se;q=0.9
Referer: https://identify.netbanken-se.net/foretag/mobilt-bankid
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/92.0.4515.90 Mobile/15E148 Safari/604.1

Response headers

date: Wed, 16 Nov 2022 15:14:19 GMT
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Tue, 15 Nov 2022 08:51:07 GMT
server: nginx
etag: W/"637352fb-37b"
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
content-type: image/svg+xml
x-xss-protection: 1; mode=block

GET
H2 200 qr_reader.svg
identify.netbanken-se.net/images/nordea/ 642 B
561 B 61ms
60ms Image
image/svg+xml 89.185.84.39
GIR-AS

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://identify.netbanken-se.net/images/nordea/qr_reader.svg

Requested by

Host: identify.netbanken-se.net
URL: https://identify.netbanken-se.net/foretag/mobilt-bankid

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

89.185.84.39 London, United Kingdom, ASN207713 (GIR-AS, RU),

Reverse DNS

4SER-1668410871.4server.su

Software

nginx /

Resource Hash

0b76503946c6f19f7150b0950f704eac5cb94842b7698ea8eb9b0d4372b1bd05

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

accept-language: se-SE,se;q=0.9
Referer: https://identify.netbanken-se.net/foretag/mobilt-bankid
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/92.0.4515.90 Mobile/15E148 Safari/604.1

Response headers

date: Wed, 16 Nov 2022 15:14:19 GMT
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Tue, 15 Nov 2022 08:51:07 GMT
server: nginx
etag: W/"637352fb-282"
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
content-type: image/svg+xml
x-xss-protection: 1; mode=block

GET
H2 200 app.js Show response
identify.netbanken-se.net/js/nordea/ 810 KB
168 KB 118ms
118ms Script
application/javascript 89.185.84.39
GIR-AS

General

Check archive.org

Show headers Download Go to

Full URL

https://identify.netbanken-se.net/js/nordea/app.js?id=ec532bf743592ac2428c3bccab12ff53

Requested by

Host: identify.netbanken-se.net
URL: https://identify.netbanken-se.net/foretag/mobilt-bankid

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

89.185.84.39 London, United Kingdom, ASN207713 (GIR-AS, RU),

Reverse DNS

4SER-1668410871.4server.su

Software

nginx /

Resource Hash

566e50a6380bbba616b4009092cf699587b3e849ff8d3de35dc1b90d30cc7929

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

accept-language: se-SE,se;q=0.9
Referer: https://identify.netbanken-se.net/foretag/mobilt-bankid
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/92.0.4515.90 Mobile/15E148 Safari/604.1

Response headers

date: Wed, 16 Nov 2022 15:14:19 GMT
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Tue, 15 Nov 2022 08:51:07 GMT
server: nginx
etag: W/"637352fb-ca929"
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
content-type: application/javascript; charset=utf-8
x-xss-protection: 1; mode=block

GET
H2 200 bg-top.png
identify.netbanken-se.net/images/ 39 KB
40 KB 181ms
180ms Image
image/png 89.185.84.39
GIR-AS

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://identify.netbanken-se.net/images/bg-top.png?5e73b3c67b0510c4c5cfedf73b38cb40

Requested by

Host: identify.netbanken-se.net
URL: https://identify.netbanken-se.net/css/nordea/app.css?id=9181c3676fc1d9b91437f6fef73c48ce

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

89.185.84.39 London, United Kingdom, ASN207713 (GIR-AS, RU),

Reverse DNS

4SER-1668410871.4server.su

Software

nginx /

Resource Hash

9fc5b5c44107cfc6701be07fa5d5a4d7ab066607dd7ab6e9f396ac709e28424f

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

accept-language: se-SE,se;q=0.9
Referer: https://identify.netbanken-se.net/css/nordea/app.css?id=9181c3676fc1d9b91437f6fef73c48ce
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/92.0.4515.90 Mobile/15E148 Safari/604.1

Response headers

date: Wed, 16 Nov 2022 15:14:19 GMT
x-content-type-options: nosniff
last-modified: Tue, 15 Nov 2022 08:51:07 GMT
server: nginx
etag: "637352fb-9d93"
x-frame-options: SAMEORIGIN
content-type: image/png
accept-ranges: bytes
content-length: 40339
x-xss-protection: 1; mode=block

GET
H2 200 7bc117ce8cbf2ce4b08a7ed17d16cf89.woff2
identify.netbanken-se.net/fonts/nordea/ 26 KB
26 KB 180ms
180ms Font
font/woff2 89.185.84.39
GIR-AS

General

Check archive.org

Show headers Download Go to

Full URL

https://identify.netbanken-se.net/fonts/nordea/7bc117ce8cbf2ce4b08a7ed17d16cf89.woff2

Requested by

Host: identify.netbanken-se.net
URL: https://identify.netbanken-se.net/css/nordea/app.css?id=9181c3676fc1d9b91437f6fef73c48ce

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

89.185.84.39 London, United Kingdom, ASN207713 (GIR-AS, RU),

Reverse DNS

4SER-1668410871.4server.su

Software

nginx /

Resource Hash

a93f6086756b2a2e94db8aaf795faab950a315cd9a8e32c5b0df707636dedfff

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

Referer: https://identify.netbanken-se.net/css/nordea/app.css?id=9181c3676fc1d9b91437f6fef73c48ce
Origin: https://identify.netbanken-se.net
accept-language: se-SE,se;q=0.9
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/92.0.4515.90 Mobile/15E148 Safari/604.1

Response headers

date: Wed, 16 Nov 2022 15:14:19 GMT
x-content-type-options: nosniff
last-modified: Tue, 15 Nov 2022 08:51:07 GMT
server: nginx
etag: "637352fb-6734"
x-frame-options: SAMEORIGIN
content-type: font/woff2
accept-ranges: bytes
content-length: 26420
x-xss-protection: 1; mode=block

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Nordea (Banking)

5 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

2 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			identify.netbanken-se.net/	1970-01-20 07:30:18	Name: XSRF-TOKEN Value: eyJpdiI6IlY4RHE1SFhrQ2tXT0ZlZDVPVDZkMlE9PSIsInZhbHVlIjoidmtudldTNGZiK0dJQTB6SlYzVTNnZldtQXpFL0hEQnNMb1ZzTzVCWmNweWVDODJ6YW9jdkFvWVI3am9IMUZMWE5CUXdJb1dWaVo2VGdFMXd5c1hDWFVVMUZMcWdSTmFCM2FGaXlZdE5HdTJJMWFucFlYRDBQK2huVUdOTmZmSlEiLCJtYWMiOiIyMDNhZjFlOGZkMGYxYTBhNGM3MzY4OTBiMmQxZDhjMGIzYmNkNGNlN2QyZGY3NTQ4Y2VlMTNiYmU4NjI4MjdmIiwidGFnIjoiIn0%3D
			identify.netbanken-se.net/	1970-01-20 07:30:18	Name: laravel_session Value: eyJpdiI6IkZiV090ZXRHcDI0S1hGZXlPL1hheVE9PSIsInZhbHVlIjoiZi9aQlZSd1EvbzFyckg4NUIrZWtrb1VMaklKSFRmREZ1VEhnS2RUKzNjbUs3cmZVelpReHJxRFVSTE5yU2xwS2l6NEJYU0dXWHgvcjh5MnpwQUw2UnR2eWdKQ3VidmZaU2xybXVqZldtcHN4TXBjV0g5RzBEZVBuMkljQ0ZZWDMiLCJtYWMiOiJlMWFhYzA5YmIwODk0OTJmMjJhMGFmZTg4YjdkZmYyMGM0YmE1ODgwMDA1OTQ5NzI2ZDJmODc2MTc0NjkwZDYxIiwidGFnIjoiIn0%3D

3 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
javascript	warning	URL: https://identify.netbanken-se.net/foretag/mobilt-bankid Message: The resource https://identify.netbanken-se.net/images/nordea/qr_reader.svg was preloaded using link preload but not used within a few seconds from the window's load event. Please make sure it has an appropriate `as` value and it is preloaded intentionally.
javascript	warning	URL: https://identify.netbanken-se.net/foretag/mobilt-bankid Message: The resource https://identify.netbanken-se.net/images/nordea/card_reader.svg was preloaded using link preload but not used within a few seconds from the window's load event. Please make sure it has an appropriate `as` value and it is preloaded intentionally.
javascript	warning	URL: https://identify.netbanken-se.net/foretag/mobilt-bankid Message: The resource https://identify.netbanken-se.net/images/bankid.svg was preloaded using link preload but not used within a few seconds from the window's load event. Please make sure it has an appropriate `as` value and it is preloaded intentionally.

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

identify.netbanken-se.net
tinyurl.com
172.67.1.225
89.185.84.39
0b76503946c6f19f7150b0950f704eac5cb94842b7698ea8eb9b0d4372b1bd05
2dd7a4aaf28ffec907932bfac6831e81c76aa0f502687d27670fd130528cf080
566e50a6380bbba616b4009092cf699587b3e849ff8d3de35dc1b90d30cc7929
9fc5b5c44107cfc6701be07fa5d5a4d7ab066607dd7ab6e9f396ac709e28424f
a93f6086756b2a2e94db8aaf795faab950a315cd9a8e32c5b0df707636dedfff
b34c9039b5f92575e57676734ec42dd908ef1877fe59a4d55b4277db69663830
c6eddb94c10efbd5d3f3681e290913902516bfedc70c5ad7ee6651c04519c5bf
ce22eb0c405b78a4247ec19eba5816e03a01a3c065e84a2bc58a23875cd1efc7

identify.netbanken-se.net Open in urlscan Pro 89.185.84.39 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Detected technologies

Page Statistics

8 Requests

100 %HTTPS

0 %IPv6

2 Domains

2 Subdomains

1 IPs

2 Countries

244 kBTransfer

904 kBSize

2 Cookies

0 Outgoing links

Page URL History

Redirected requests

8 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

5 JavaScript Global Variables

2 Cookies

3 Console Messages

Security Headers

Indicators

identify.netbanken-se.net Open in urlscan Pro
89.185.84.39 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

8
Requests

100 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

1
IPs

2
Countries

244 kB
Transfer

904 kB
Size

2
Cookies

8 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!