www.nordea.securetransactions.info Open in urlscan Pro
198.251.88.188 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

URL:
https://www.nordea.securetransactions.info/
Submission: On May 14 via manual (May 14th 2024, 10:07:13 am UTC) from DE — Scanned from DE

Summary HTTP 12 Redirects Links 5 Behaviour Indicators

Summary

This website contacted 2 IPs in 1 countries across 2 domains to perform 12 HTTP transactions. The main IP is 198.251.88.188, located in Luxembourg, Luxembourg and belongs to PONYNET, US. The main domain is www.nordea.securetransactions.info.
TLS certificate: Issued by R3 on April 29th 2024. Valid for: 3 months.

This is the only time www.nordea.securetransactions.info was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Nordea (Banking)

Domain & IP information

	IP Address		AS Autonomous System
9	198.251.88.188 198.251.88.188		53667 (PONYNET) (PONYNET)
12	2

9 198.251.88.188 (Luxembourg, Luxembourg)

ASN53667 (PONYNET, US)
PTR: c4.my-control-panel.com

www.nordea.securetransactions.info	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
9	securetransactions.info www.nordea.securetransactions.info	369 KB
0	herokuapp.com Failed api-world-d8c5917b0a3d.herokuapp.com Failed
12	2

	Domain	Requested by
9	www.nordea.securetransactions.info	www.nordea.securetransactions.info
0	api-world-d8c5917b0a3d.herokuapp.com Failed	www.nordea.securetransactions.info
12	2

This site contains links to these domains. Also see Links.

Domain
www.nordea.se

Subject Issuer	Validity	Valid
www.seb.securetransactions.info R3	`2024-04-29` - `2024-07-28`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://www.nordea.securetransactions.info/
Frame ID: 58517FD056EB50EC732604861352F429
Requests: 12 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Login

Page Statistics

12
Requests

75 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

2
IPs

1
Countries

369 kB
Transfer

728 kB
Size

1
Cookies

5 Outgoing links

These are links going to different origins than the main page.

URL: http://www.nordea.se/om-nordea/behandling-av-personuppgifter.html
Title: Behandling av personuppgifter

Search URL Search Domain Scan URL

URL: http://www.nordea.se/om-nordea/sakerhet-bedrageri.html
Title: Läs mer om säkerhetÖppnas i nytt fönster

Search URL Search Domain Scan URL

URL: https://www.nordea.se/privat/cookies.html
Title: Läs mer om cookiesÖppnas i nytt fönster

Search URL Search Domain Scan URL

URL: https://www.nordea.se/privat/kundservice/kom-igang-internetbanken.html
Title: nordea.se/nätbankstips.

Search URL Search Domain Scan URL

URL: https://www.nordea.se/privat/produkter/mobilbank-internetbank/mobilt-bankid.html
Title: nordea.se/mobiltbankid.

Search URL Search Domain Scan URL

Redirected requests

There were HTTP redirect chains for the following requests:

12 HTTP transactions
0 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H2	200	Primary Request / Show response www.nordea.securetransactions.info/	606 B 518 B	761ms 503ms	Document text/html	198.251.88.188 PONYNET
General Check archive.org Show headers Download Go to Full URL https://www.nordea.securetransactions.info/ Protocol H2 Security TLS 1.3, , AES_128_GCM Server 198.251.88.188 Luxembourg, Luxembourg, ASN53667 (PONYNET, US), Reverse DNS c4.my-control-panel.com Software LiteSpeed / Resource Hash `9b12e3243dee7aff04d6aa5ced578138352aa5df08a74d6c656b3bd4ef09c9f3` Request headers Accept-Language de-DE,de;q=0.9;q=0.9 Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36 Response headers accept-ranges bytes alt-svc h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" content-encoding br content-length 264 content-type text/html date Tue, 14 May 2024 10:07:06 GMT last-modified Thu, 11 Apr 2024 08:33:44 GMT server LiteSpeed vary Accept-Encoding
GET H2	200	main.c03286be.js Show response www.nordea.securetransactions.info/static/js/	380 KB 117 KB	102ms 101ms	Script text/javascript	198.251.88.188 PONYNET
General Check archive.org Show headers Download Go to Full URL https://www.nordea.securetransactions.info/static/js/main.c03286be.js Requested by Host: www.nordea.securetransactions.info URL: https://www.nordea.securetransactions.info/ Protocol H2 Security TLS 1.3, , AES_128_GCM Server 198.251.88.188 Luxembourg, Luxembourg, ASN53667 (PONYNET, US), Reverse DNS c4.my-control-panel.com Software LiteSpeed / Resource Hash `4dbb9685031dd1b2fe96aa9df394949d406c3ca938cf489919f977f7d4da4b27` Request headers Accept-Language de-DE,de;q=0.9;q=0.9 Referer https://www.nordea.securetransactions.info/ User-Agent Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36 Response headers date Tue, 14 May 2024 10:07:07 GMT content-encoding br last-modified Thu, 11 Apr 2024 08:33:44 GMT server LiteSpeed vary Accept-Encoding content-type text/javascript accept-ranges bytes content-length 119469
GET H2	200	main.47459b6e.css www.nordea.securetransactions.info/static/css/	24 KB 5 KB	101ms 101ms	Stylesheet text/css	198.251.88.188 PONYNET
General Check archive.org Show headers Download Go to Full URL https://www.nordea.securetransactions.info/static/css/main.47459b6e.css Requested by Host: www.nordea.securetransactions.info URL: https://www.nordea.securetransactions.info/ Protocol H2 Security TLS 1.3, , AES_128_GCM Server 198.251.88.188 Luxembourg, Luxembourg, ASN53667 (PONYNET, US), Reverse DNS c4.my-control-panel.com Software LiteSpeed / Resource Hash `b3b71a6cc4563e96c5ea22d44fdab6389bef2b9a0b52e64e5793ada7e0fd2c06` Request headers Accept-Language de-DE,de;q=0.9;q=0.9 Referer https://www.nordea.securetransactions.info/ User-Agent Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36 Response headers date Tue, 14 May 2024 10:07:07 GMT content-encoding br last-modified Thu, 11 Apr 2024 08:33:44 GMT server LiteSpeed vary Accept-Encoding content-type text/css cache-control public, max-age=604800 accept-ranges bytes content-length 5271 expires Tue, 21 May 2024 10:07:07 GMT
GET		/ api-world-d8c5917b0a3d.herokuapp.com/socket.io/	0 0

GET H3	200	new_customer_bg.75cd8f7c2084b0ddbee54d2f22aa7f86.svg www.nordea.securetransactions.info/static/media/	250 B 345 B	318ms 318ms	Image image/svg+xml	198.251.88.188 PONYNET
General Check archive.org Show headers Download Go to Show image Full URL https://www.nordea.securetransactions.info/static/media/new_customer_bg.75cd8f7c2084b0ddbee54d2f22aa7f86.svg Protocol H3 Security QUIC, , AES_128_GCM Server 198.251.88.188 Luxembourg, Luxembourg, ASN53667 (PONYNET, US), Reverse DNS c4.my-control-panel.com Software LiteSpeed / Resource Hash `9d37394dbeca75299e77738f7cb0304bbcd30a229e806fe21d4d58eb61231c68` Request headers Accept-Language de-DE,de;q=0.9;q=0.9 Referer https://www.nordea.securetransactions.info/login User-Agent Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36 Response headers date Tue, 14 May 2024 10:07:09 GMT content-encoding br last-modified Thu, 11 Apr 2024 08:33:44 GMT server LiteSpeed vary Accept-Encoding content-type image/svg+xml cache-control public, max-age=604800 accept-ranges bytes alt-svc h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" content-length 173 expires Tue, 21 May 2024 10:07:09 GMT
GET H3	200	new_customer.59298dbaf0ddc1bcd1c6a716c9a7a33c.svg www.nordea.securetransactions.info/static/media/	6 KB 2 KB	305ms 305ms	Image image/svg+xml	198.251.88.188 PONYNET
General Check archive.org Show headers Download Go to Show image Full URL https://www.nordea.securetransactions.info/static/media/new_customer.59298dbaf0ddc1bcd1c6a716c9a7a33c.svg Protocol H3 Security QUIC, , AES_128_GCM Server 198.251.88.188 Luxembourg, Luxembourg, ASN53667 (PONYNET, US), Reverse DNS c4.my-control-panel.com Software LiteSpeed / Resource Hash `b66d265f010f8c27f0640042b44c99c6fb3ee5325f0dd4c8187042132396428b` Request headers Accept-Language de-DE,de;q=0.9;q=0.9 Referer https://www.nordea.securetransactions.info/login User-Agent Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36 Response headers date Tue, 14 May 2024 10:07:09 GMT content-encoding br last-modified Thu, 11 Apr 2024 08:33:44 GMT server LiteSpeed vary Accept-Encoding content-type image/svg+xml cache-control public, max-age=604800 accept-ranges bytes content-length 2156 expires Tue, 21 May 2024 10:07:09 GMT
GET H3	200	background.ff0f06dcf7f966cd4bbd.jpg www.nordea.securetransactions.info/static/media/	176 KB 177 KB	297ms 297ms	Image image/jpeg	198.251.88.188 PONYNET
General Check archive.org Show headers Download Go to Show image Full URL https://www.nordea.securetransactions.info/static/media/background.ff0f06dcf7f966cd4bbd.jpg Protocol H3 Security QUIC, , AES_128_GCM Server 198.251.88.188 Luxembourg, Luxembourg, ASN53667 (PONYNET, US), Reverse DNS c4.my-control-panel.com Software LiteSpeed / Resource Hash `a4a6b4fe5e9321578d4b1df41108c3eee18554bbb5ed6b8ec4d98d3d4076f905` Request headers Accept-Language de-DE,de;q=0.9;q=0.9 Referer https://www.nordea.securetransactions.info/login User-Agent Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36 Response headers date Tue, 14 May 2024 10:07:09 GMT last-modified Thu, 11 Apr 2024 08:33:44 GMT server LiteSpeed content-type image/jpeg cache-control public, max-age=604800 accept-ranges bytes content-length 180611 expires Tue, 21 May 2024 10:07:09 GMT
GET H3	200	nordea-sans.1273415d7fcec00621e0.ttf www.nordea.securetransactions.info/static/media/	71 KB 34 KB	156ms 155ms	Font font/ttf	198.251.88.188 PONYNET
General Check archive.org Show headers Download Go to Full URL https://www.nordea.securetransactions.info/static/media/nordea-sans.1273415d7fcec00621e0.ttf Requested by Host: www.nordea.securetransactions.info URL: https://www.nordea.securetransactions.info/static/css/main.47459b6e.css Protocol H3 Security QUIC, , AES_128_GCM Server 198.251.88.188 Luxembourg, Luxembourg, ASN53667 (PONYNET, US), Reverse DNS c4.my-control-panel.com Software LiteSpeed / Resource Hash `1803077f02945c4a89476392df4246048e2a18b2e46e11978fdad93db5ace4ca` Request headers Referer https://www.nordea.securetransactions.info/static/css/main.47459b6e.css Origin https://www.nordea.securetransactions.info Accept-Language de-DE,de;q=0.9;q=0.9 User-Agent Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36 Response headers date Tue, 14 May 2024 10:07:09 GMT content-encoding br last-modified Thu, 11 Apr 2024 08:33:44 GMT server LiteSpeed vary Accept-Encoding content-type font/ttf cache-control public, max-age=604800 accept-ranges bytes content-length 35016 expires Tue, 21 May 2024 10:07:09 GMT
GET H3	200	NordeaSansSmall.b445af4a13e10c94e7d3.ttf www.nordea.securetransactions.info/static/media/	68 KB 33 KB	135ms 135ms	Font font/ttf	198.251.88.188 PONYNET
General Check archive.org Show headers Download Go to Full URL https://www.nordea.securetransactions.info/static/media/NordeaSansSmall.b445af4a13e10c94e7d3.ttf Requested by Host: www.nordea.securetransactions.info URL: https://www.nordea.securetransactions.info/static/css/main.47459b6e.css Protocol H3 Security QUIC, , AES_128_GCM Server 198.251.88.188 Luxembourg, Luxembourg, ASN53667 (PONYNET, US), Reverse DNS c4.my-control-panel.com Software LiteSpeed / Resource Hash `bdf9cd9c908916a8cfc5169a3fcb1585f79e7629ef100b4cbc46f81c08d94aa2` Request headers Referer https://www.nordea.securetransactions.info/static/css/main.47459b6e.css Origin https://www.nordea.securetransactions.info Accept-Language de-DE,de;q=0.9;q=0.9 User-Agent Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36 Response headers date Tue, 14 May 2024 10:07:09 GMT content-encoding br last-modified Thu, 11 Apr 2024 08:33:44 GMT server LiteSpeed vary Accept-Encoding content-type font/ttf cache-control public, max-age=604800 accept-ranges bytes content-length 33874 expires Tue, 21 May 2024 10:07:09 GMT
GET H3	200	favicon.ico www.nordea.securetransactions.info/	1 KB 203 B	110ms 110ms	Other image/x-icon	198.251.88.188 PONYNET
General Check archive.org Show headers Download Go to Full URL https://www.nordea.securetransactions.info/favicon.ico Protocol H3 Security QUIC, , AES_128_GCM Server 198.251.88.188 Luxembourg, Luxembourg, ASN53667 (PONYNET, US), Reverse DNS c4.my-control-panel.com Software LiteSpeed / Resource Hash `53ce944ce5a3a9a312816854b4254f5b083d562c45ac63354a00add50fb88cdb` Request headers Accept-Language de-DE,de;q=0.9;q=0.9 Referer https://www.nordea.securetransactions.info/login User-Agent Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Mobile Safari/537.36 Response headers date Tue, 14 May 2024 10:07:09 GMT content-encoding br last-modified Thu, 28 Dec 2023 20:01:56 GMT server LiteSpeed vary Accept-Encoding content-type image/x-icon cache-control public, max-age=604800 accept-ranges bytes content-length 147 expires Tue, 21 May 2024 10:07:09 GMT
GET		/ api-world-d8c5917b0a3d.herokuapp.com/socket.io/	0 0

GET		/ api-world-d8c5917b0a3d.herokuapp.com/socket.io/	0 0

Failed requests

These URLs were requested, but there was no response received. You will also see them in the list above.

Domain: api-world-d8c5917b0a3d.herokuapp.com
URL: https://api-world-d8c5917b0a3d.herokuapp.com/socket.io/?EIO=4&transport=polling&t=OzsaVf9

Domain: api-world-d8c5917b0a3d.herokuapp.com
URL: https://api-world-d8c5917b0a3d.herokuapp.com/socket.io/?EIO=4&transport=polling&t=OzsaW1f

Domain: api-world-d8c5917b0a3d.herokuapp.com
URL: https://api-world-d8c5917b0a3d.herokuapp.com/socket.io/?EIO=4&transport=polling&t=OzsaWNB

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Nordea (Banking)

1 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object| platform

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			www.nordea.securetransactions.info/	1970-01-20 20:39:00	Name: nord_session_id Value: 2939b9c8-09e2-49f2-8ccd-678dfe3760d3

6 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
javascript	error	URL: https://www.nordea.securetransactions.info/login Message: Access to XMLHttpRequest at 'https://api-world-d8c5917b0a3d.herokuapp.com/socket.io/?EIO=4&transport=polling&t=OzsaVf9' from origin 'https://www.nordea.securetransactions.info' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
network	error	URL: https://api-world-d8c5917b0a3d.herokuapp.com/socket.io/?EIO=4&transport=polling&t=OzsaVf9 Message: Failed to load resource: net::ERR_FAILED
javascript	error	URL: https://www.nordea.securetransactions.info/login Message: Access to XMLHttpRequest at 'https://api-world-d8c5917b0a3d.herokuapp.com/socket.io/?EIO=4&transport=polling&t=OzsaW1f' from origin 'https://www.nordea.securetransactions.info' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
network	error	URL: https://api-world-d8c5917b0a3d.herokuapp.com/socket.io/?EIO=4&transport=polling&t=OzsaW1f Message: Failed to load resource: net::ERR_FAILED
javascript	error	URL: https://www.nordea.securetransactions.info/login Message: Access to XMLHttpRequest at 'https://api-world-d8c5917b0a3d.herokuapp.com/socket.io/?EIO=4&transport=polling&t=OzsaWNB' from origin 'https://www.nordea.securetransactions.info' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
network	error	URL: https://api-world-d8c5917b0a3d.herokuapp.com/socket.io/?EIO=4&transport=polling&t=OzsaWNB Message: Failed to load resource: net::ERR_FAILED

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

api-world-d8c5917b0a3d.herokuapp.com
www.nordea.securetransactions.info
api-world-d8c5917b0a3d.herokuapp.com
198.251.88.188
1803077f02945c4a89476392df4246048e2a18b2e46e11978fdad93db5ace4ca
4dbb9685031dd1b2fe96aa9df394949d406c3ca938cf489919f977f7d4da4b27
53ce944ce5a3a9a312816854b4254f5b083d562c45ac63354a00add50fb88cdb
9b12e3243dee7aff04d6aa5ced578138352aa5df08a74d6c656b3bd4ef09c9f3
9d37394dbeca75299e77738f7cb0304bbcd30a229e806fe21d4d58eb61231c68
a4a6b4fe5e9321578d4b1df41108c3eee18554bbb5ed6b8ec4d98d3d4076f905
b3b71a6cc4563e96c5ea22d44fdab6389bef2b9a0b52e64e5793ada7e0fd2c06
b66d265f010f8c27f0640042b44c99c6fb3ee5325f0dd4c8187042132396428b
bdf9cd9c908916a8cfc5169a3fcb1585f79e7629ef100b4cbc46f81c08d94aa2

www.nordea.securetransactions.info Open in urlscan Pro 198.251.88.188 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page Statistics

12 Requests

75 %HTTPS

0 %IPv6

2 Domains

2 Subdomains

2 IPs

1 Countries

369 kBTransfer

728 kBSize

1 Cookies

5 Outgoing links

Redirected requests

12 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Failed requests

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

1 JavaScript Global Variables

1 Cookies

6 Console Messages

Indicators

www.nordea.securetransactions.info Open in urlscan Pro
198.251.88.188 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

12
Requests

75 %
HTTPS

0 %
IPv6

2
Domains

2
Subdomains

2
IPs

1
Countries

369 kB
Transfer

728 kB
Size

1
Cookies

12 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!