52-161-47-9.cprapid.com Open in urlscan Pro
52.161.47.9 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
https://bisonlaserwash.com/original-site-template/fonts/
Effective URL:
http://52-161-47-9.cprapid.com/.dvla-enquiry/main.html?action=confirm-vehicle&taxID=IzXelCoXNgxdJKYpTUidKIHnweFFbAqEiTHJHtmhdJW...
Submission: On July 06 via manual (July 6th 2022, 10:41:23 am UTC) from GB — Scanned from GB

Summary HTTP 8 Redirects Links 4 Behaviour Indicators

Summary

This website contacted 2 IPs in 1 countries across 2 domains to perform 8 HTTP transactions. The main IP is 52.161.47.9, located in Cheyenne, United States and belongs to MICROSOFT-CORP-MSN-AS-BLOCK, US. The main domain is 52-161-47-9.cprapid.com.

This is the only time 52-161-47-9.cprapid.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: UK Government (Government)

Domain & IP information

	IP Address	AS Autonomous System
1	104.207.24.70 104.207.24.70	46892 (WINNE-IPV4-1) (WINNE-IPV4-1)
7	52.161.47.9 52.161.47.9	8075 (MICROSOFT...) (MICROSOFT-CORP-MSN-AS-BLOCK)
8	2

1 104.207.24.70 (Albert Lea, United States)

ASN46892 (WINNE-IPV4-1, US)
PTR: ares.ngthosting.net

bisonlaserwash.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

7 52.161.47.9 (Cheyenne, United States)

ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US)

52-161-47-9.cprapid.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
7	cprapid.com 52-161-47-9.cprapid.com	435 KB
1	bisonlaserwash.com bisonlaserwash.com	340 B
8	2

	Domain	Requested by
7	52-161-47-9.cprapid.com	52-161-47-9.cprapid.com
1	bisonlaserwash.com
8	2

This site contains links to these domains. Also see Links.

Domain
www.gov.uk
dvladigital.blog.gov.uk
www.nationalarchives.gov.uk

Subject Issuer	Validity	Valid
bisonlaserwash.com cPanel, Inc. Certification Authority	`2022-05-06` - `2022-08-04`	3 months	crt.sh

This page contains 1 frames:

Primary Page: http://52-161-47-9.cprapid.com/.dvla-enquiry/main.html?action=confirm-vehicle&taxID=IzXelCoXNgxdJKYpTUidKIHnweFFbAqEiTHJHtmhdJWrihKzaQIFnCpel
Frame ID: 3E2BB760D7DB1F98DEB7A08FC893955F
Requests: 8 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

GOV.UK - Enter the registration number of the vehicle

Page URL History Show full URLs

https://bisonlaserwash.com/original-site-template/fonts/ Page URL
http://52-161-47-9.cprapid.com/.dvla-enquiry/index.php Page URL
http://52-161-47-9.cprapid.com/.dvla-enquiry/main.html?action=confirm-vehicle&taxID=IzXelCoXNgxdJKYpTUidKIH... Page URL

Detected technologies

GOV.UK Frontend (UI frameworks) Expand

Overall confidence: 80%
Detected patterns

<body[^>]+govuk-template__body

Page Statistics

8
Requests

13 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

2
IPs

1
Countries

436 kB
Transfer

433 kB
Size

1
Cookies

4 Outgoing links

These are links going to different origins than the main page.

URL: https://www.gov.uk/
Title: GOV.UK

Search URL Search Domain Scan URL

URL: https://www.gov.uk/government/publications/dvla-privacy-policy
Title: Privacy Information Notice

Search URL Search Domain Scan URL

URL: https://dvladigital.blog.gov.uk/
Title: Driver & Vehicle Licensing Agency

Search URL Search Domain Scan URL

URL: https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/

Search URL Search Domain Scan URL

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://bisonlaserwash.com/original-site-template/fonts/ Page URL
http://52-161-47-9.cprapid.com/.dvla-enquiry/index.php Page URL
http://52-161-47-9.cprapid.com/.dvla-enquiry/main.html?action=confirm-vehicle&taxID=IzXelCoXNgxdJKYpTUidKIHnweFFbAqEiTHJHtmhdJWrihKzaQIFnCpel Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

8 HTTP transactions
0 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H/1.1	200 OK	/ Show response bisonlaserwash.com/original-site-template/fonts/	99 B 340 B	475ms 154ms	Document text/html	104.207.24.70 WINNE-IPV4-1
General Check archive.org Show headers Download Go to Full URL https://bisonlaserwash.com/original-site-template/fonts/ Protocol HTTP/1.1 Security TLS 1.3, , AES_128_GCM Server 104.207.24.70 Albert Lea, United States, ASN46892 (WINNE-IPV4-1, US), Reverse DNS ares.ngthosting.net Software Apache / Resource Hash `0a505d0ae7422d817e799fe48e7220ef2e25475b553c790ecc21dd530843b2f6` Request headers Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 accept-language en-GB,en;q=0.9 Response headers Accept-Ranges bytes Connection Keep-Alive Content-Length 99 Content-Type text/html Date Wed, 06 Jul 2022 10:41:19 GMT Keep-Alive timeout=5, max=100 Last-Modified Thu, 15 Jan 2015 22:02:58 GMT Server Apache
GET H/1.1	200 OK	index.php Show response 52-161-47-9.cprapid.com/.dvla-enquiry/	218 B 599 B	1060ms 527ms	Document text/html	52.161.47.9 MICROSOFT-CORP-MS...
General Check archive.org Show headers Download Go to Full URL http://52-161-47-9.cprapid.com/.dvla-enquiry/index.php Protocol HTTP/1.1 Server 52.161.47.9 Cheyenne, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US), Reverse DNS Software Apache / Resource Hash `dfad2c233c5e09bf31324e8079337c54d4e04e98726deaa7f3884eefbc702efc` Request headers Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 accept-language en-GB,en;q=0.9 Response headers Cache-Control no-store, no-cache, must-revalidate Connection Keep-Alive Content-Type text/html; charset=UTF-8 Date Wed, 06 Jul 2022 10:41:19 GMT Expires Thu, 19 Nov 1981 08:52:00 GMT Keep-Alive timeout=5, max=100 Pragma no-cache Server Apache Transfer-Encoding chunked
GET H/1.1	200 OK	Primary Request main.html Show response 52-161-47-9.cprapid.com/.dvla-enquiry/	9 KB 10 KB	176ms 176ms	Document text/html	52.161.47.9 MICROSOFT-CORP-MS...
General Check archive.org Show headers Download Go to Full URL http://52-161-47-9.cprapid.com/.dvla-enquiry/main.html?action=confirm-vehicle&taxID=IzXelCoXNgxdJKYpTUidKIHnweFFbAqEiTHJHtmhdJWrihKzaQIFnCpel Protocol HTTP/1.1 Server 52.161.47.9 Cheyenne, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US), Reverse DNS Software Apache / Resource Hash `446efd7f75edf9fe719cba9b130727f05f76fba3a07c0589cbf218d979d247ff` Request headers Referer http://52-161-47-9.cprapid.com/.dvla-enquiry/index.php Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 accept-language en-GB,en;q=0.9 Response headers Accept-Ranges bytes Cache-Control no-cache, no-store, must-revalidate Connection Keep-Alive Content-Length 9404 Content-Type text/html Date Wed, 06 Jul 2022 10:41:20 GMT Expires 0 Keep-Alive timeout=5, max=99 Last-Modified Wed, 25 May 2022 00:30:20 GMT Pragma no-cache Server Apache
GET H/1.1	200 OK	application-0c101b71.css 52-161-47-9.cprapid.com/.dvla-enquiry/packs/	113 KB 113 KB	177ms 177ms	Stylesheet text/css	52.161.47.9 MICROSOFT-CORP-MS...
General Check archive.org Show headers Download Go to Full URL http://52-161-47-9.cprapid.com/.dvla-enquiry/packs/application-0c101b71.css Requested by Host: 52-161-47-9.cprapid.com URL: http://52-161-47-9.cprapid.com/.dvla-enquiry/main.html?action=confirm-vehicle&taxID=IzXelCoXNgxdJKYpTUidKIHnweFFbAqEiTHJHtmhdJWrihKzaQIFnCpel Protocol HTTP/1.1 Server 52.161.47.9 Cheyenne, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US), Reverse DNS Software Apache / Resource Hash `426eb717f940026d09ce6faa738e50ceb6598d333b63e8f31fd2783f8e54e025` Request headers accept-language en-GB,en;q=0.9 Referer http://52-161-47-9.cprapid.com/.dvla-enquiry/main.html?action=confirm-vehicle&taxID=IzXelCoXNgxdJKYpTUidKIHnweFFbAqEiTHJHtmhdJWrihKzaQIFnCpel User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Response headers Pragma no-cache Date Wed, 06 Jul 2022 10:41:20 GMT Last-Modified Tue, 24 May 2022 18:24:28 GMT Server Apache Content-Type text/css Cache-Control no-cache, no-store, must-revalidate Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=98 Content-Length 115262 Expires 0
GET H/1.1	200 OK	govuk-crest-2x.png 52-161-47-9.cprapid.com/.dvla-enquiry/packs/	9 KB 9 KB	176ms 176ms	Image image/png	52.161.47.9 MICROSOFT-CORP-MS...
General Check archive.org Show headers Download Go to Show image Full URL http://52-161-47-9.cprapid.com/.dvla-enquiry/packs/govuk-crest-2x.png Requested by Host: 52-161-47-9.cprapid.com URL: http://52-161-47-9.cprapid.com/.dvla-enquiry/main.html?action=confirm-vehicle&taxID=IzXelCoXNgxdJKYpTUidKIHnweFFbAqEiTHJHtmhdJWrihKzaQIFnCpel Protocol HTTP/1.1 Server 52.161.47.9 Cheyenne, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US), Reverse DNS Software Apache / Resource Hash `c6548884b516041752fc4156a50f084ca387b1e37e4f4668cd109058d924b197` Request headers accept-language en-GB,en;q=0.9 Referer http://52-161-47-9.cprapid.com/.dvla-enquiry/main.html?action=confirm-vehicle&taxID=IzXelCoXNgxdJKYpTUidKIHnweFFbAqEiTHJHtmhdJWrihKzaQIFnCpel User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Response headers Pragma no-cache Date Wed, 06 Jul 2022 10:41:20 GMT Last-Modified Wed, 20 Apr 2022 11:43:44 GMT Server Apache Content-Type image/png Cache-Control no-cache, no-store, must-revalidate Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=100 Content-Length 8884 Expires 0
GET H/1.1	200 OK	application-c0ecee56d4765fdb4df3.js Show response 52-161-47-9.cprapid.com/.dvla-enquiry/packs/	239 KB 240 KB	347ms 176ms	Script application/javascript	52.161.47.9 MICROSOFT-CORP-MS...
General Check archive.org Show headers Download Go to Full URL http://52-161-47-9.cprapid.com/.dvla-enquiry/packs/application-c0ecee56d4765fdb4df3.js Requested by Host: 52-161-47-9.cprapid.com URL: http://52-161-47-9.cprapid.com/.dvla-enquiry/main.html?action=confirm-vehicle&taxID=IzXelCoXNgxdJKYpTUidKIHnweFFbAqEiTHJHtmhdJWrihKzaQIFnCpel Protocol HTTP/1.1 Server 52.161.47.9 Cheyenne, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US), Reverse DNS Software Apache / Resource Hash `2ac114034825bf205391d73994b26f7004aa246e099bf5b0db6162f42708c6b9` Request headers accept-language en-GB,en;q=0.9 Referer http://52-161-47-9.cprapid.com/.dvla-enquiry/main.html?action=confirm-vehicle&taxID=IzXelCoXNgxdJKYpTUidKIHnweFFbAqEiTHJHtmhdJWrihKzaQIFnCpel User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Response headers Pragma no-cache Date Wed, 06 Jul 2022 10:41:20 GMT Last-Modified Wed, 20 Apr 2022 11:43:44 GMT Server Apache Content-Type application/javascript Cache-Control no-cache, no-store, must-revalidate Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=99 Content-Length 244918 Expires 0
GET H/1.1	200 OK	light-94a07e06a1-v2.woff2 52-161-47-9.cprapid.com/.dvla-enquiry/packs/	33 KB 33 KB	175ms 175ms	Font font/woff2	52.161.47.9 MICROSOFT-CORP-MS...
General Check archive.org Show headers Download Go to Full URL http://52-161-47-9.cprapid.com/.dvla-enquiry/packs/light-94a07e06a1-v2.woff2 Requested by Host: 52-161-47-9.cprapid.com URL: http://52-161-47-9.cprapid.com/.dvla-enquiry/packs/application-0c101b71.css Protocol HTTP/1.1 Server 52.161.47.9 Cheyenne, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US), Reverse DNS Software Apache / Resource Hash `eedfb3c2f7945caebd0b15522b59d6c7f01be17fecd6102fd76452ad4042f7b0` Request headers Referer http://52-161-47-9.cprapid.com/.dvla-enquiry/packs/application-0c101b71.css Origin http://52-161-47-9.cprapid.com accept-language en-GB,en;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Response headers Pragma no-cache Date Wed, 06 Jul 2022 10:41:21 GMT Last-Modified Wed, 20 Apr 2022 11:43:44 GMT Server Apache Content-Type font/woff2 Cache-Control no-cache, no-store, must-revalidate Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=97 Content-Length 33382 Expires 0
GET H/1.1	200 OK	bold-b542beb274-v2.woff2 52-161-47-9.cprapid.com/.dvla-enquiry/packs/	31 KB 31 KB	176ms 176ms	Font font/woff2	52.161.47.9 MICROSOFT-CORP-MS...
General Check archive.org Show headers Download Go to Full URL http://52-161-47-9.cprapid.com/.dvla-enquiry/packs/bold-b542beb274-v2.woff2 Requested by Host: 52-161-47-9.cprapid.com URL: http://52-161-47-9.cprapid.com/.dvla-enquiry/packs/application-0c101b71.css Protocol HTTP/1.1 Server 52.161.47.9 Cheyenne, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US), Reverse DNS Software Apache / Resource Hash `06eba01b1af0f4014b484c711771fef1db30becbf0edf481498da1e4958d3d47` Request headers Referer http://52-161-47-9.cprapid.com/.dvla-enquiry/packs/application-0c101b71.css Origin http://52-161-47-9.cprapid.com accept-language en-GB,en;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Response headers Pragma no-cache Date Wed, 06 Jul 2022 10:41:21 GMT Last-Modified Wed, 20 Apr 2022 11:43:44 GMT Server Apache Content-Type font/woff2 Cache-Control no-cache, no-store, must-revalidate Connection Keep-Alive Accept-Ranges bytes Keep-Alive timeout=5, max=100 Content-Length 31480 Expires 0

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: UK Government (Government)

9 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			52-161-47-9.cprapid.com/	1969-12-31 23:59:59	Name: PHPSESSID Value: ad6fb9b063095a6d32d2c098158eaa60

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

52-161-47-9.cprapid.com
bisonlaserwash.com
104.207.24.70
52.161.47.9
06eba01b1af0f4014b484c711771fef1db30becbf0edf481498da1e4958d3d47
0a505d0ae7422d817e799fe48e7220ef2e25475b553c790ecc21dd530843b2f6
2ac114034825bf205391d73994b26f7004aa246e099bf5b0db6162f42708c6b9
426eb717f940026d09ce6faa738e50ceb6598d333b63e8f31fd2783f8e54e025
446efd7f75edf9fe719cba9b130727f05f76fba3a07c0589cbf218d979d247ff
c6548884b516041752fc4156a50f084ca387b1e37e4f4668cd109058d924b197
dfad2c233c5e09bf31324e8079337c54d4e04e98726deaa7f3884eefbc702efc
eedfb3c2f7945caebd0b15522b59d6c7f01be17fecd6102fd76452ad4042f7b0

52-161-47-9.cprapid.com Open in urlscan Pro 52.161.47.9 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Detected technologies

Page Statistics

8 Requests

13 %HTTPS

0 %IPv6

2 Domains

2 Subdomains

2 IPs

1 Countries

436 kBTransfer

433 kBSize

1 Cookies

4 Outgoing links

Page URL History

Redirected requests

8 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

9 JavaScript Global Variables

1 Cookies

Indicators

52-161-47-9.cprapid.com Open in urlscan Pro
52.161.47.9 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

8
Requests

13 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

2
IPs

1
Countries

436 kB
Transfer

433 kB
Size

1
Cookies

8 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!