Report - citizens-login.ddns.net/

Report Overview

Submitted URL
citizens-login.ddns.net/
IP
20.213.243.40
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK
Submitted
2023-02-23 17:33:56
Access
Website Title
Final URL
Tags
citizens financial phishing dyndns
urlquery detections
Phishing - Citizens Bank
Suspicious - DynDNS domain

Detections

urlquery
85
Network Intrusion Detection
34
Threat Detection Systems
0

Domain Summary

Domain / FQDN	Rank	First Seen	Last Seen	Sent	Received	IP
getpocket.cdn.mozilla.net	1369	2018-08-28T15:15:36Z	2023-03-14T05:09:37Z	435 B	49 kB	34.120.5.221
ocsp.digicert.com	86	2012-05-21T09:02:23Z	2023-03-14T08:09:39Z	341 B	736 B	93.184.220.29
shavar.services.mozilla.com	3602	2015-09-28T08:30:01Z	2023-03-14T05:09:38Z	453 B	204 B	44.235.246.235
push.services.mozilla.com	2140	2014-10-24T10:27:06Z	2023-03-14T05:09:38Z	606 B	127 B	34.223.14.23
citizens-login.ddns.net	unknown	2023-02-23T16:52:12Z	2023-02-23T16:52:12Z	14 kB	332 kB	20.213.243.40
detectportal.firefox.com	1601	2018-08-30T11:52:03Z	2023-03-14T05:09:38Z	606 B	428 B	34.107.221.82
r3.o.lencr.org	344	2020-12-02T09:52:13Z	2023-03-14T05:09:04Z	3.7 kB	9.7 kB	23.36.77.32
firefox.settings.services.mozilla.com	867	2020-06-04T22:08:41Z	2023-03-13T18:13:28Z	8.1 kB	291 kB	35.241.9.150
firefox-settings-attachments.cdn.mozilla.net	11509	2019-11-30T10:32:57Z	2023-03-14T05:09:39Z	412 B	808 kB	34.111.73.144
img-getpocket.cdn.mozilla.net	1631	2018-06-22T01:36:00Z	2023-03-13T05:09:16Z	3.2 kB	56 kB	34.120.237.76
content-signature-2.cdn.mozilla.net	1152	2020-11-03T13:26:46Z	2023-03-14T05:09:37Z	1.3 kB	18 kB	34.160.144.191
contile.services.mozilla.com	1114	2021-05-27T20:32:35Z	2023-03-14T05:09:37Z	333 B	391 B	34.117.237.239

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Timestamp	Severity	Source IP	Destination IP	Alert
2023-02-23 17:33:56	medium	Client IP	Internal IP	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2023-02-23 17:33:56	medium	Client IP	Internal IP	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2023-02-23 17:33:57	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:33:58	medium	Client IP	Internal IP	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2023-02-23 17:33:58	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:33:58	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:00	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:00	low	20.213.243.40	Client IP	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
2023-02-23 17:34:00	low	20.213.243.40	Client IP	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3
2023-02-23 17:34:00	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:00	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:00	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:00	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:00	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:00	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:01	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:02	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:02	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
2023-02-23 17:34:02	medium	Client IP	20.213.243.40	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

Threat Detection Systems

OpenPhish

No alerts detected

PhishTank

No alerts detected

Fortinet's Web Filter

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

JavaScript (2)

	URL	Size	First Seen	Last Seen
	citizens-login.ddns.net/	990 B	2023-03-14	2023-03-14
Pretty URL citizens-login.ddns.net/ IP 20.213.243.40 ASN #8075 MICROSOFT-CORP-MSN-AS-BLOCK Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-14 09:10:25 Last Seen2023-03-14 09:10:25 Times Seen1 Hash b45a55a800ff7066230b0b38b75e7cdf ceaefe3003d082561ab5fe468e65285fa8724151 014e2634a21d08521bc8264991928f93446c0eabb8c4c173d1e9d6790e9b62ed Loading...

	citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309	1.2 kB	2023-03-08	2024-01-13
Pretty URL citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309 IP 20.213.243.40 ASN #8075 MICROSOFT-CORP-MSN-AS-BLOCK Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-08 09:14:06 Last Seen2024-01-13 14:37:27 Times Seen3 Hash 76e3682a0d7853829fb8713a87bc1c67 5c6188791d212bab60e258ba68ad2826a4a17549 be9e098228b76ba4a09cf2c8ea67090f9122ad494099914ff02dd43e5c577afe Loading...

HTTP Transactions (74)

URL IP Response Size

detectportal.firefox.com/success.txt?ipv4

34.107.221.82

200 OK

8 B

URL HTTP/1.1
detectportal.firefox.com/success.txt?ipv4
IP
34.107.221.82:0
ASN
#15169 GOOGLE

File type
ASCII text
Size
8 B (8 bytes)
Hash
ae780585f49b94ce1444eb7d28906123
7d5ca8c0c03e883c56c4eb1ef6f6bb9bccad4d86
81b2bd4ea98c8db66554fbc8d7637a1a69a130f331feb732b75caab4c4868fd5

HTTP Headers

GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Thu, 23 Feb 2023 14:02:14 GMT
Age: 12682
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600

r3.o.lencr.org/

23.36.77.32

200 OK

503 B

URL HTTP/1.1
r3.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
503 B (503 bytes)
Hash
67fc460ed2f69dde3c410ec607ef3510
ba9f582ec321351e5c06c9b2c381f06b685ef274
85df74fac7d59d76840b6359bac24648fede201c0048f2a8382af6468225ffb8

HTTP Headers

POST / HTTP/1.1
Host: r3.o.lencr.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 503
ETag: "85DF74FAC7D59D76840B6359BAC24648FEDE201C0048F2A8382AF6468225FFB8"
Last-Modified: Wed, 22 Feb 2023 18:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=2869
Expires: Thu, 23 Feb 2023 18:21:26 GMT
Date: Thu, 23 Feb 2023 17:33:37 GMT
Connection: keep-alive

r3.o.lencr.org/

23.36.77.32

200 OK

503 B

URL HTTP/1.1
r3.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
503 B (503 bytes)
Hash
3bf2985444924fcb7c28583d95fe3e07
95b5b25c5e28758f16327475be944d68ba858b4d
1e1b4f9fd2e5b5c38916cea3f07edc4abe897defb9db47123d374bc979cad933

HTTP Headers

POST / HTTP/1.1
Host: r3.o.lencr.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 503
ETag: "1E1B4F9FD2E5B5C38916CEA3F07EDC4ABE897DEFB9DB47123D374BC979CAD933"
Last-Modified: Wed, 22 Feb 2023 17:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=21481
Expires: Thu, 23 Feb 2023 23:31:38 GMT
Date: Thu, 23 Feb 2023 17:33:37 GMT
Connection: keep-alive

getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=NO&count=30

34.120.5.221

200 OK

48 kB

URL HTTP/2
getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=NO&count=30
IP
34.120.5.221:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (65536), with no line terminators
Size
48 kB (48451 bytes)
Hash
8ac0567ab6bc390c513e3ed287c9323d
b89b3844be1012330c39842aa7af4652f1f088a2
7772c0791f9a12dd3b7306b817af2ab6626b8f09909f712a475a6e8addca0131

HTTP Headers

GET /v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=NO&count=30 HTTP/1.1
Host: getpocket.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
server: nginx
content-location: global-recs.php
tcn: choice
x-frame-options: SAMEORIGIN
status: 200 OK
x-source: Pocket
pragma: cache
p3p: policyref="/w3c/p3p.xml", CP="ALL CURa ADMa DEVa OUR IND UNI COM NAV INT STA PRE"
x-cache: Hit from cloudfront
x-amz-cf-pop: SEA73-P2
x-amz-cf-id: mQksKWaG7lbi_gIXdAyWTejDTrkqu2-yVbTds7QA6Om2HMPf7T_3iw==
content-encoding: gzip
via: 1.1 d8d9c12d1a621129f4bc739038e7c72e.cloudfront.net (CloudFront), 1.1 google
date: Thu, 23 Feb 2023 17:22:45 GMT
age: 652
content-type: application/json
vary: Accept-Encoding
content-length: 48451
cache-control: s-maxage=900,public,max-age=3600
alt-svc: clear
X-Firefox-Spdy: h2

r3.o.lencr.org/

23.36.77.32

200 OK

503 B

URL HTTP/1.1
r3.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
503 B (503 bytes)
Hash
7fb59e5d3cdf08b94e5f41fdeb9aec6c
ff644039db3b9f74d7e2fab10f93581bea10614a
861573a00d75364e15783c5e448c4f8b4da48b38d9beba3ebd33a87f993489a5

HTTP Headers

POST / HTTP/1.1
Host: r3.o.lencr.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 503
ETag: "861573A00D75364E15783C5E448C4F8B4DA48B38D9BEBA3EBD33A87F993489A5"
Last-Modified: Wed, 22 Feb 2023 18:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=4059
Expires: Thu, 23 Feb 2023 18:41:16 GMT
Date: Thu, 23 Feb 2023 17:33:37 GMT
Connection: keep-alive

content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2022-11-19-18-50-54.chain

34.160.144.191

200 OK

5.3 kB

URL HTTP/2
content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2022-11-19-18-50-54.chain
IP
34.160.144.191:0
ASN
#15169 GOOGLE

File type
PEM certificate\012- , ASCII text
Size
5.3 kB (5348 bytes)
Hash
67d5a988edcda47bc3b3b3f65d32b4b6
d4f0e0da8b3690cc7da925026d3414b68c7d954f
55e4848e3ec682e808ce7ee70950f86179c43af4f81926d826a95edfda395a78

HTTP Headers

GET /chains/remote-settings.content-signature.mozilla.org-2022-11-19-18-50-54.chain HTTP/1.1
Host: content-signature-2.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
x-amz-id-2: PFtDgJzEikVLCi4gqXznd/rW7xu/4Oa9vraPsMJiBi0RJuOzu0cKvy0/hJx5mXYiY0rEx03e4qI=
x-amz-request-id: EW9ZM34AQGZVC4D7
content-disposition: attachment
accept-ranges: bytes
server: AmazonS3
content-length: 5348
via: 1.1 google
date: Thu, 23 Feb 2023 17:21:09 GMT
age: 748
last-modified: Fri, 30 Sep 2022 18:50:55 GMT
etag: "67d5a988edcda47bc3b3b3f65d32b4b6"
content-type: binary/octet-stream
cache-control: public,max-age=3600
alt-svc: clear
X-Firefox-Spdy: h2

contile.services.mozilla.com/v1/tiles

34.117.237.239

200 OK

12 B

URL HTTP/2
contile.services.mozilla.com/v1/tiles
IP
34.117.237.239:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with no line terminators
Size
12 B (12 bytes)
Hash
23e88fb7b99543fb33315b29b1fad9d6
a48926c4ec03c7c8a4e8dffcd31e5a6cdda417ce
7d8f1de8b7de7bc21dfb546a1d0c51bf31f16eee5fad49dbceae1e76da38e5c3

HTTP Headers

GET /v1/tiles HTTP/1.1
Host: contile.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
server: nginx
date: Thu, 23 Feb 2023 17:33:37 GMT
content-type: application/json
content-length: 12
access-control-allow-credentials: true
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
access-control-expose-headers: content-type
strict-transport-security: max-age=31536000
via: 1.1 google
alt-svc: clear
X-Firefox-Spdy: h2

r3.o.lencr.org/

23.36.77.32

200 OK

503 B

URL HTTP/1.1
r3.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
503 B (503 bytes)
Hash
6eb0a77aa4a20639a06d9621742007c2
d2d03beeb111049117b70d5f3dff3698a671ef8a
62c2da0800bf8efb6bb985b2eb046fa863e0b394681fb2ab187a9c4836fbd320

HTTP Headers

POST / HTTP/1.1
Host: r3.o.lencr.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 503
ETag: "62C2DA0800BF8EFB6BB985B2EB046FA863E0B394681FB2AB187A9C4836FBD320"
Last-Modified: Wed, 22 Feb 2023 18:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=10454
Expires: Thu, 23 Feb 2023 20:27:51 GMT
Date: Thu, 23 Feb 2023 17:33:37 GMT
Connection: keep-alive

firefox.settings.services.mozilla.com/v1/

35.241.9.150

200 OK

939 B

URL HTTP/2
firefox.settings.services.mozilla.com/v1/
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (939), with no line terminators
Size
939 B (939 bytes)
Hash
4ad6984a756720fbfff47b37a75513a2
355e35258114452af8b9638985ed9d8ef3bf0aca
43181fccb10652c68cae86e5e32b4e8f426fb5ad49d8125cb99e072cff573cf5

HTTP Headers

GET /v1/ HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Alert, Retry-After, Content-Type, Content-Length, Backoff
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 939
via: 1.1 google
date: Thu, 23 Feb 2023 16:53:56 GMT
content-type: application/json
age: 2381
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

r3.o.lencr.org/

23.36.77.32

200 OK

503 B

URL HTTP/1.1
r3.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
503 B (503 bytes)
Hash
4aaa1f1be68ba53b441e577dcbf8b7c1
618b2e62b7f2feb82093a3706573e18ff9f69827
8d3978b35fd96458b8fff71c9dbb47ab616dfd49d669027fd6c5a52a4e9bafa0

HTTP Headers

POST / HTTP/1.1
Host: r3.o.lencr.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 503
ETag: "8D3978B35FD96458B8FFF71C9DBB47AB616DFD49D669027FD6C5A52A4E9BAFA0"
Last-Modified: Wed, 22 Feb 2023 17:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=16823
Expires: Thu, 23 Feb 2023 22:14:00 GMT
Date: Thu, 23 Feb 2023 17:33:37 GMT
Connection: keep-alive

ocsp.digicert.com/

93.184.220.29

200 OK

471 B

URL HTTP/1.1
ocsp.digicert.com/
IP
93.184.220.29:0
ASN
#15133 EDGECAST

File type
data
Size
471 B (471 bytes)
Hash
9a3bc1e0504f52e0a5eb92b0b737f94b
b45a4ed33a3f3419454c85fb77f72d5535f8b032
3cd7ab8bda571137ad7c9a2f8fbf04cb2525e4e0ed02d27948090f8a36e2c444

HTTP Headers

POST / HTTP/1.1
Host: ocsp.digicert.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 83
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 713
Cache-Control: 'max-age=158059'
Content-Type: application/ocsp-response
Date: Thu, 23 Feb 2023 17:33:37 GMT
Last-Modified: Thu, 23 Feb 2023 17:21:44 GMT
Server: ECS (ska/F70B)
X-Cache: HIT
Content-Length: 471

firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US

35.241.9.150

200 OK

329 B

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (329), with no line terminators
Size
329 B (329 bytes)
Hash
0333b0655111aa68de771adfcc4db243
63f295a144ac87a7c8e23417626724eeca68a7eb
60636eb1dc67c9ed000fe0b49f03777ad6f549cb1d2b9ff010cf198465ae6300

HTTP Headers

GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Retry-After, Content-Length, Alert, Expires, Last-Modified, Cache-Control, ETag, Backoff, Content-Type, Pragma
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 329
via: 1.1 google
date: Thu, 23 Feb 2023 17:20:35 GMT
age: 782
last-modified: Fri, 25 Mar 2022 17:45:46 GMT
etag: "1648230346554"
content-type: application/json
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

shavar.services.mozilla.com/downloads?client=Firefox&appver=96.0a&pver=2.2

44.235.246.235

200 OK

8 B

URL HTTP/1.1
shavar.services.mozilla.com/downloads?client=Firefox&appver=96.0a&pver=2.2
IP
44.235.246.235:0
ASN
#16509 AMAZON-02

File type
ASCII text
Size
8 B (8 bytes)
Hash
29fc57841962e407cb50c1be60284bf7
ce968a77e2996da5eee8925182318f171ccdce47
ae7e7075247dcfad763f1e131aeac3d2e756bb03d48b0d315a50c69636e5dc8b

HTTP Headers

POST /downloads?client=Firefox&appver=96.0a&pver=2.2 HTTP/1.1
Host: shavar.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain
Content-Length: 773
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: none
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Thu, 23 Feb 2023 17:33:37 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 8
Connection: Close

push.services.mozilla.com/

34.223.14.23

101 Switching Protocols

0 B

URL HTTP/1.1
push.services.mozilla.com/
IP
34.223.14.23:0
ASN
#16509 AMAZON-02

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET / HTTP/1.1
Host: push.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 13
Origin: wss://push.services.mozilla.com/
Sec-WebSocket-Protocol: push-notification
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: ty2vvOxVDFDLw12Ing4bVA==
Connection: keep-alive, Upgrade
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: ca9GZvXYS3LR7mHt596sA6cXuTA=

firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?_expected=%221677173140244%22

35.241.9.150

200 OK

22 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?_expected=%221677173140244%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (21681), with no line terminators
Size
22 kB (21681 bytes)
Hash
301a5edb89f5bce28ab09e4f71da11cc
916c6678184d4614a32dcadb8e1e23953663b9c7
c89d0da707f648f99dc2646838dadfe3661f00e388f83c83d3074b759d28a3d6

HTTP Headers

GET /v1/buckets/monitor/collections/changes/changeset?_expected=%221677173140244%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Retry-After, Content-Length, Alert, Backoff, Content-Type
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 21681
via: 1.1 google
date: Thu, 23 Feb 2023 17:27:08 GMT
last-modified: Thu, 23 Feb 2023 17:25:40 GMT
content-type: application/json
age: 390
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

citizens-login.ddns.net/

20.213.243.40

200 OK

4.0 kB

URL HTTP/1.1
citizens-login.ddns.net/
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- exported SGML document, Unicode text, UTF-8 text, with very long lines (984)
Size
4.0 kB (3995 bytes)
Hash
ac89d2ac1b5e4913b157fc82d43a7120
022975c2d8bb531d50596fdddb66f0c7526914cf
7d8eccb958e78165c99e34836dcd185b909782dbd6230c9704a2679a0b2dae6e

Detections

Analyzer	Verdict	Alert
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
suricata	low	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
suricata	low	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3

HTTP Headers

GET / HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:37 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/addons-bloomfilters/changeset?_expected=1677069440866&_since=%221666204638208%22

35.241.9.150

200 OK

33 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/addons-bloomfilters/changeset?_expected=1677069440866&_since=%221666204638208%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (32643), with no line terminators
Size
33 kB (32643 bytes)
Hash
111a124bfe0fcca1d00eacc4056304c0
09f7b2abd4d09de09db0e11add552e995346c23c
3dfc4c61e3f4a5d95c359d2914ec2dcf4bfc413116dec9b98bc104ecc9f446bf

HTTP Headers

GET /v1/buckets/blocklists/collections/addons-bloomfilters/changeset?_expected=1677069440866&_since=%221666204638208%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Alert, Retry-After, Content-Type, Content-Length, Backoff
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 32643
via: 1.1 google
date: Thu, 23 Feb 2023 17:15:26 GMT
age: 1092
last-modified: Wed, 22 Feb 2023 12:37:20 GMT
content-type: application/json
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

detectportal.firefox.com/success.txt?ipv4

34.107.221.82

200 OK

8 B

URL HTTP/1.1
detectportal.firefox.com/success.txt?ipv4
IP
34.107.221.82:0
ASN
#15169 GOOGLE

File type
ASCII text
Size
8 B (8 bytes)
Hash
ae780585f49b94ce1444eb7d28906123
7d5ca8c0c03e883c56c4eb1ef6f6bb9bccad4d86
81b2bd4ea98c8db66554fbc8d7637a1a69a130f331feb732b75caab4c4868fd5

HTTP Headers

GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Thu, 23 Feb 2023 14:02:14 GMT
Age: 12684
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600

content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2023-04-09-20-28-26.chain

34.160.144.191

200 OK

5.3 kB

URL HTTP/2
content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2023-04-09-20-28-26.chain
IP
34.160.144.191:0
ASN
#15169 GOOGLE

File type
PEM certificate\012- , ASCII text
Size
5.3 kB (5348 bytes)
Hash
b5ba6334e73496995e3e3a9ecd0eb323
ad80d3b7718c28364e8c2004fb38a13a1747e462
aa5abb52515c6383c014aadb63a86c9f798ad64de53c0218616c1fc6d424d2e2

HTTP Headers

GET /chains/remote-settings.content-signature.mozilla.org-2023-04-09-20-28-26.chain HTTP/1.1
Host: content-signature-2.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
x-amz-id-2: 0Td6Go35fTHYsPkXkdal+dJjW7qgtzautVrcMh5wQKV/Ub6jEARySAX6r6pZbsGWwyKXD+HH99g=
x-amz-request-id: GMGPRJTGKNBG59EM
x-amz-server-side-encryption: AES256
content-disposition: attachment
accept-ranges: bytes
server: AmazonS3
content-length: 5348
via: 1.1 google
date: Thu, 23 Feb 2023 16:49:19 GMT
age: 2659
last-modified: Sat, 18 Feb 2023 20:28:27 GMT
etag: "b5ba6334e73496995e3e3a9ecd0eb323"
content-type: binary/octet-stream
cache-control: public,max-age=3600
alt-svc: clear
X-Firefox-Spdy: h2

firefox.settings.services.mozilla.com/v1/

35.241.9.150

200 OK

939 B

URL HTTP/2
firefox.settings.services.mozilla.com/v1/
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (939), with no line terminators
Size
939 B (939 bytes)
Hash
4ad6984a756720fbfff47b37a75513a2
355e35258114452af8b9638985ed9d8ef3bf0aca
43181fccb10652c68cae86e5e32b4e8f426fb5ad49d8125cb99e072cff573cf5

HTTP Headers

GET /v1/ HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Alert, Retry-After, Content-Type, Content-Length, Backoff
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 939
via: 1.1 google
date: Thu, 23 Feb 2023 16:53:56 GMT
content-type: application/json
age: 2382
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

r3.o.lencr.org/

23.36.77.32

200 OK

503 B

URL HTTP/1.1
r3.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
503 B (503 bytes)
Hash
135606a5e990506b3e92eda82ef79170
a3de3c800534ad64b2e2198941e3911a4e51df8e
558ce08e84a4581859ae4302371540e4240e0b85866e37fb03174786388d5546

HTTP Headers

POST / HTTP/1.1
Host: r3.o.lencr.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 503
ETag: "558CE08E84A4581859AE4302371540E4240E0B85866E37FB03174786388D5546"
Last-Modified: Wed, 22 Feb 2023 18:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=4841
Expires: Thu, 23 Feb 2023 18:54:19 GMT
Date: Thu, 23 Feb 2023 17:33:38 GMT
Connection: keep-alive

firefox-settings-attachments.cdn.mozilla.net/staging/addons-bloomfilters/8038652a-6557-460a-858c-84f19a5a0987.bin

34.111.73.144

200 OK

807 kB

URL HTTP/2
firefox-settings-attachments.cdn.mozilla.net/staging/addons-bloomfilters/8038652a-6557-460a-858c-84f19a5a0987.bin
IP
34.111.73.144:0
ASN
#15169 GOOGLE

File type
data
Size
807 kB (807180 bytes)
Hash
914be443bdfbe8a1c3ded61e1c114bd6
4fe7c5ff83f6a29e6699f4cebc17550891504661
41b036d0c889509d547296b238027a063c313261ad52d5f7bb81922011791857

HTTP Headers

GET /staging/addons-bloomfilters/8038652a-6557-460a-858c-84f19a5a0987.bin HTTP/1.1
Host: firefox-settings-attachments.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
x-amz-id-2: W0BOTyhr4twUvOZ5PXzJJypgQYWSdxyiNIVbzii2sCr6bqxjFhob0vSInGW+A8Nz6kahQNDtgAM=
x-amz-request-id: 5VNAE12H3Z1T7YB6
x-amz-version-id: K1ODzappZsD35qeu0OM5zvs_BP1eybj7
accept-ranges: bytes
server: AmazonS3
content-length: 807180
via: 1.1 google
date: Thu, 23 Feb 2023 11:49:07 GMT
age: 20671
last-modified: Tue, 10 Jan 2023 12:38:46 GMT
etag: "914be443bdfbe8a1c3ded61e1c114bd6"
content-type: application/octet-stream
cache-control: public,max-age=604800
alt-svc: clear
X-Firefox-Spdy: h2

citizens-login.ddns.net/Guard/css/cf.css

20.213.243.40

200 OK

1.8 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/css/cf.css
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
ASCII text
Size
1.8 kB (1751 bytes)
Hash
667fbc35fdd4fd01035271307ed494b6
60e1fe58b0af83b4a326e1af93ca0ca2685d5011
6026255cc26e031389358227ccd1b7de6cba842c3978f9144d31cb30032276ef

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/css/cf.css HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:38 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:27:04 GMT
Accept-Ranges: bytes
Content-Length: 1751
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/css

firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/gfx/changeset?_expected=1676781773899&_since=%221643818378440%22

35.241.9.150

200 OK

6.0 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/gfx/changeset?_expected=1676781773899&_since=%221643818378440%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (5951), with no line terminators
Size
6.0 kB (5951 bytes)
Hash
84c45909a46631dec23c78a3a547ca95
b511f80ad0abe7a6f0ce8988a0b9275573665c9a
ce6af1c28962645f13129411c11c7f156f0cd9e282f5ef0146d5cbd84a4e2b7e

HTTP Headers

GET /v1/buckets/blocklists/collections/gfx/changeset?_expected=1676781773899&_since=%221643818378440%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Content-Length, Retry-After, Content-Type, Backoff, Alert
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 5951
via: 1.1 google
date: Thu, 23 Feb 2023 16:49:04 GMT
age: 2674
last-modified: Sun, 19 Feb 2023 04:42:53 GMT
content-type: application/json
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

citizens-login.ddns.net/Guard/img/favicon.png

20.213.243.40

200 OK

11 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/favicon.png
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced\012- data
Size
11 kB (10871 bytes)
Hash
f62b2664dd6a40ab3a9f7af34412f8b7
02438189257c795c3726e4f45b1ce3bb921255d5
707a3217546ca6852234cb3fa3b61f458581ca943b6195032ba9efe7e1e0ee5f

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/favicon.png HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:38 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 02:55:46 GMT
Accept-Ranges: bytes
Content-Length: 10871
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/png

firefox.settings.services.mozilla.com/v1/buckets/main/collections/nimbus-desktop-experiments/changeset?_expected=1677173140244&_since=%221666279968541%22

35.241.9.150

200 OK

121 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/nimbus-desktop-experiments/changeset?_expected=1677173140244&_since=%221666279968541%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
ASCII text, with very long lines (65536), with no line terminators
Size
121 kB (120782 bytes)
Hash
345319e334b75aa2d370cbf62898c30f
db63820726bf3cf2216773cf6a375cf1fa5a4087
04513089843499ead01a475a4222e61069504d04c5eee6452d33c2f7efb2aee4

HTTP Headers

GET /v1/buckets/main/collections/nimbus-desktop-experiments/changeset?_expected=1677173140244&_since=%221666279968541%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Alert, Retry-After, Content-Type, Content-Length, Backoff
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
content-type: application/json
date: Thu, 23 Feb 2023 17:33:38 GMT
last-modified: Thu, 23 Feb 2023 17:25:40 GMT
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 120782
via: 1.1 google
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/changeset?_expected=1675353179510&_since=%221661199949574%22

35.241.9.150

200 OK

22 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/changeset?_expected=1675353179510&_since=%221661199949574%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (22469), with no line terminators
Size
22 kB (22469 bytes)
Hash
425afedfcc14985966587f0f3e415ec0
db17a2f0db73b98d7831b5e0e00a99497cd4c950
21a164b6bf201a5994aa157ceeb853feb637f626bf4fdb738bda78e6818b3f89

HTTP Headers

GET /v1/buckets/main/collections/search-config/changeset?_expected=1675353179510&_since=%221661199949574%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Retry-After, Content-Length, Alert, Backoff, Content-Type
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 22469
via: 1.1 google
date: Thu, 23 Feb 2023 17:09:45 GMT
last-modified: Thu, 23 Feb 2023 16:36:45 GMT
content-type: application/json
age: 1434
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

firefox.settings.services.mozilla.com/v1/buckets/main/collections/partitioning-exempt-urls/changeset?_expected=1675943045406&_since=%221657747510534%22

35.241.9.150

200 OK

2.4 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/partitioning-exempt-urls/changeset?_expected=1675943045406&_since=%221657747510534%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (2387), with no line terminators
Size
2.4 kB (2387 bytes)
Hash
ffc6488079ed80a847550c9639a3dcbb
c605ae42b2e5f24edd322ff3dedcdb59487e3ffe
54185fa9e3158fc0bf16e9fc85b801f488dec533221128b5e00a12425d22b9b2

HTTP Headers

GET /v1/buckets/main/collections/partitioning-exempt-urls/changeset?_expected=1675943045406&_since=%221657747510534%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Retry-After, Content-Length, Alert, Backoff, Content-Type
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 2387
via: 1.1 google
date: Thu, 23 Feb 2023 16:43:59 GMT
age: 2980
last-modified: Thu, 16 Feb 2023 16:36:43 GMT
content-type: application/json
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2023-03-20-18-44-46.chain

34.160.144.191

200 OK

5.3 kB

URL HTTP/2
content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2023-03-20-18-44-46.chain
IP
34.160.144.191:0
ASN
#15169 GOOGLE

File type
PEM certificate\012- , ASCII text
Size
5.3 kB (5348 bytes)
Hash
e76071a28ee566dababb3834f46d68ed
aebb4e68c1ba2de0f90025283e8ed8470944fde0
78b6df2627172e5b35476bc31020f02898cdc412aaf4337af2c3b049a60912b6

HTTP Headers

GET /chains/remote-settings.content-signature.mozilla.org-2023-03-20-18-44-46.chain HTTP/1.1
Host: content-signature-2.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
x-amz-id-2: uBA6nDkX6VwERZSiWn2xRxADB3ya2CCd14k8V098g36cht2PT/OUVjdUs720X89c1mfWYOAEAms=
x-amz-request-id: 3AQHJ3YBQ6YWMM11
x-amz-server-side-encryption: AES256
content-disposition: attachment
accept-ranges: bytes
server: AmazonS3
content-length: 5348
via: 1.1 google
date: Thu, 23 Feb 2023 17:23:42 GMT
age: 597
last-modified: Sun, 29 Jan 2023 18:44:47 GMT
etag: "e76071a28ee566dababb3834f46d68ed"
content-type: binary/octet-stream
cache-control: public,max-age=3600
alt-svc: clear
X-Firefox-Spdy: h2

firefox.settings.services.mozilla.com/v1/buckets/main/collections/hijack-blocklists?_expected=1605801189258

35.241.9.150

200 OK

681 B

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/hijack-blocklists?_expected=1605801189258
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (681), with no line terminators
Size
681 B (681 bytes)
Hash
b3c57c4bb39f0c7541d93ba82a5cd4c9
be92fd1cee01b4a8bb4174b0b11e53be649cd1a3
98e848e13f44cb1595f2f1882c734fd25761a0e8facae4e0c3dcff6f322a4000

HTTP Headers

GET /v1/buckets/main/collections/hijack-blocklists?_expected=1605801189258 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Content-Length, Retry-After, Content-Type, Last-Modified, Backoff, Alert, Cache-Control, ETag, Expires, Pragma
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 681
via: 1.1 google
date: Thu, 23 Feb 2023 16:55:11 GMT
last-modified: Wed, 22 Feb 2023 16:36:55 GMT
etag: "1677083815772"
content-type: application/json
age: 2308
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

firefox.settings.services.mozilla.com/v1/buckets/main/collections/query-stripping/changeset?_expected=1667238122278&_since=%221656585893704%22

35.241.9.150

200 OK

1.7 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/query-stripping/changeset?_expected=1667238122278&_since=%221656585893704%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (1718), with no line terminators
Size
1.7 kB (1718 bytes)
Hash
3cbf51bbaf8bb528a034989257447d86
8dd38651205ecdbf2c5093b3df5de8bd626c9d92
59a47ed5c562bad2d78d22af00951c1fdf4a6eb2066324e966dbe4525e64ec3f

HTTP Headers

GET /v1/buckets/main/collections/query-stripping/changeset?_expected=1667238122278&_since=%221656585893704%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Content-Length, Retry-After, Content-Type, Backoff, Alert
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 1718
via: 1.1 google
date: Thu, 23 Feb 2023 16:42:09 GMT
age: 3090
last-modified: Wed, 22 Feb 2023 16:36:47 GMT
content-type: application/json
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

firefox.settings.services.mozilla.com/v1/buckets/main/collections/language-dictionaries/changeset?_expected=1673270322227&_since=%221569410800356%22

35.241.9.150

200 OK

1.3 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/language-dictionaries/changeset?_expected=1673270322227&_since=%221569410800356%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (1250), with no line terminators
Size
1.3 kB (1250 bytes)
Hash
c9f7f64ea0e8fd2d1098afb18806601b
fac82a10d89a339d7970db44b47633465d7b16f8
e0ed15ed986855d3c7eec307e2333aeea9211c5c3d8849dabaa56395dbaec026

HTTP Headers

GET /v1/buckets/main/collections/language-dictionaries/changeset?_expected=1673270322227&_since=%221569410800356%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Alert, Retry-After, Content-Type, Content-Length, Backoff
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 1250
via: 1.1 google
date: Thu, 23 Feb 2023 17:02:47 GMT
age: 1852
last-modified: Wed, 22 Feb 2023 16:36:45 GMT
content-type: application/json
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

firefox.settings.services.mozilla.com/v1/buckets/main/collections/password-recipes/changeset?_expected=1674595048726&_since=%221642005109349%22

35.241.9.150

200 OK

1.7 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/password-recipes/changeset?_expected=1674595048726&_since=%221642005109349%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (1743), with no line terminators
Size
1.7 kB (1743 bytes)
Hash
8d7098a815bd465cf003589b0703c6b0
202cba221e952763f4ccf8e16df65693d9098b44
8cf3d3a8263ffc0df70842cb3968feef260daaa2977cd450819a346d48712114

HTTP Headers

GET /v1/buckets/main/collections/password-recipes/changeset?_expected=1674595048726&_since=%221642005109349%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Retry-After, Content-Length, Alert, Backoff, Content-Type
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 1743
via: 1.1 google
date: Thu, 23 Feb 2023 16:39:25 GMT
age: 3254
last-modified: Wed, 22 Feb 2023 16:36:45 GMT
content-type: application/json
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

r3.o.lencr.org/

23.36.77.32

200 OK

503 B

URL HTTP/1.1
r3.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
503 B (503 bytes)
Hash
fe121133a6eaf8645743a14717612cd5
b9276c474ba3e40e5cc2921accb452bb7b11ecb2
4c72ab325e4608168d6258ba615ffc21f94a3594a8d1ef48f28b8622b198c27b

HTTP Headers

POST / HTTP/1.1
Host: r3.o.lencr.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 503
ETag: "4C72AB325E4608168D6258BA615FFC21F94A3594A8D1EF48F28B8622B198C27B"
Last-Modified: Wed, 22 Feb 2023 17:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=2972
Expires: Thu, 23 Feb 2023 18:23:11 GMT
Date: Thu, 23 Feb 2023 17:33:39 GMT
Connection: keep-alive

r3.o.lencr.org/

23.36.77.32

200 OK

503 B

URL HTTP/1.1
r3.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
503 B (503 bytes)
Hash
fe121133a6eaf8645743a14717612cd5
b9276c474ba3e40e5cc2921accb452bb7b11ecb2
4c72ab325e4608168d6258ba615ffc21f94a3594a8d1ef48f28b8622b198c27b

HTTP Headers

POST / HTTP/1.1
Host: r3.o.lencr.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 503
ETag: "4C72AB325E4608168D6258BA615FFC21F94A3594A8D1EF48F28B8622B198C27B"
Last-Modified: Wed, 22 Feb 2023 17:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=2972
Expires: Thu, 23 Feb 2023 18:23:11 GMT
Date: Thu, 23 Feb 2023 17:33:39 GMT
Connection: keep-alive

r3.o.lencr.org/

23.36.77.32

200 OK

503 B

URL HTTP/1.1
r3.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
503 B (503 bytes)
Hash
fe121133a6eaf8645743a14717612cd5
b9276c474ba3e40e5cc2921accb452bb7b11ecb2
4c72ab325e4608168d6258ba615ffc21f94a3594a8d1ef48f28b8622b198c27b

HTTP Headers

POST / HTTP/1.1
Host: r3.o.lencr.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 503
ETag: "4C72AB325E4608168D6258BA615FFC21F94A3594A8D1EF48F28B8622B198C27B"
Last-Modified: Wed, 22 Feb 2023 17:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=2972
Expires: Thu, 23 Feb 2023 18:23:11 GMT
Date: Thu, 23 Feb 2023 17:33:39 GMT
Connection: keep-alive

r3.o.lencr.org/

23.36.76.226

200 OK

503 B

URL HTTP/1.1
r3.o.lencr.org/
IP
23.36.76.226:0
ASN
#20940 Akamai International B.V.

File type
data
Size
503 B (503 bytes)
Hash
cd04d923e6b3cbd7cac3c56d18ca9016
7d3205fb454124635afcbfcf2265ce504c778ef1
fc857fad800eb3c6f2a3f28007b1b81f2a95e4968d376f47238a681f9c958475

HTTP Headers

POST / HTTP/1.1
Host: r3.o.lencr.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 503
ETag: "FC857FAD800EB3C6F2A3F28007B1B81F2A95E4968D376F47238A681F9C958475"
Last-Modified: Wed, 22 Feb 2023 18:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=9961
Expires: Thu, 23 Feb 2023 20:19:40 GMT
Date: Thu, 23 Feb 2023 17:33:39 GMT
Connection: keep-alive

r3.o.lencr.org/

23.36.77.32

200 OK

503 B

URL HTTP/1.1
r3.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
503 B (503 bytes)
Hash
fe121133a6eaf8645743a14717612cd5
b9276c474ba3e40e5cc2921accb452bb7b11ecb2
4c72ab325e4608168d6258ba615ffc21f94a3594a8d1ef48f28b8622b198c27b

HTTP Headers

POST / HTTP/1.1
Host: r3.o.lencr.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 503
ETag: "4C72AB325E4608168D6258BA615FFC21F94A3594A8D1EF48F28B8622B198C27B"
Last-Modified: Wed, 22 Feb 2023 17:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=2972
Expires: Thu, 23 Feb 2023 18:23:11 GMT
Date: Thu, 23 Feb 2023 17:33:39 GMT
Connection: keep-alive

img-getpocket.cdn.mozilla.net/296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F7e1f8718-617f-4cdb-9fab-ed40cbef6784.jpeg

34.120.237.76

200 OK

9.7 kB

URL HTTP/2
img-getpocket.cdn.mozilla.net/296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F7e1f8718-617f-4cdb-9fab-ed40cbef6784.jpeg
IP
34.120.237.76:0
ASN
#15169 GOOGLE

File type
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 296x148, components 3\012- data
Size
9.7 kB (9686 bytes)
Hash
cc56e7499a3e9db178e91df024e668f0
9cc85c16fd4a9d10df5db5ddfc54b0d88999f317
25ffc87e2be6e0dc9ac208aafbefa99bb4c1d6476c1447056b83d462cd182df2

HTTP Headers

GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F7e1f8718-617f-4cdb-9fab-ed40cbef6784.jpeg HTTP/1.1
Host: img-getpocket.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: null
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
server: nginx
content-length: 9686
x-amzn-requestid: f12fd84d-1be7-4b80-842c-e2111aa80806
x-xss-protection: 1; mode=block
access-control-allow-origin: *
strict-transport-security: max-age=63072000; includeSubdomains; preload
x-frame-options: DENY
content-security-policy: default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'
x-amz-apigw-id: ArYFqFzaoAMF2hg=
x-content-type-options: nosniff
x-amzn-trace-id: Root=1-63f46d57-5a17eba635156fc35184ff0d;Sampled=0
x-amzn-remapped-date: Tue, 21 Feb 2023 07:05:59 GMT
x-amz-cf-pop: SEA19-C2
x-cache: Miss from cloudfront
x-amz-cf-id: Y_b4w77w0mMq2Bzf0p7Ns-2vLEY7A0InmEcu9RxxpmHzJ3QdYLHypg==
via: 1.1 470e3fe246a660ba6ace67a79f78d246.cloudfront.net (CloudFront), 1.1 981753271eb5b6d11bc29d52f173a5da.cloudfront.net (CloudFront), 1.1 google
date: Thu, 23 Feb 2023 07:42:53 GMT
age: 35446
etag: "9cc85c16fd4a9d10df5db5ddfc54b0d88999f317"
content-type: image/jpeg
cache-control: max-age=3600,public,public
alt-svc: clear
X-Firefox-Spdy: h2

34.120.237.76

200 OK

7.7 kB

URL HTTP/2
img-getpocket.cdn.mozilla.net/296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F5f9477dd-9700-4cbd-8d0e-37bd76c53a93.jpeg
IP
34.120.237.76:0
ASN
#15169 GOOGLE

File type
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 296x148, components 3\012- data
Size
7.7 kB (7734 bytes)
Hash
e7cd1e9feb9abc7f7d7f0d5fc7b181f0
cf3ce1808c48e1a86910e16731a044f6cb26275d
426c90298d5a0807b7820d803ce2907268df1195e15d5582eb0ff2f3deeb318c

HTTP Headers

GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F5f9477dd-9700-4cbd-8d0e-37bd76c53a93.jpeg HTTP/1.1
Host: img-getpocket.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: null
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
server: nginx
content-length: 7734
x-amzn-requestid: fe4dc342-33b6-45f6-984c-2c71dfa0ec13
x-xss-protection: 1; mode=block
access-control-allow-origin: *
strict-transport-security: max-age=63072000; includeSubdomains; preload
x-frame-options: DENY
content-security-policy: default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'
x-amz-apigw-id: AtX-lGiJoAMFW3A=
x-content-type-options: nosniff
x-amzn-trace-id: Root=1-63f539f6-489049413f3cb63c537f20d0;Sampled=0
x-amzn-remapped-date: Tue, 21 Feb 2023 21:39:02 GMT
x-amz-cf-pop: SEA19-C2
x-cache: Hit from cloudfront
x-amz-cf-id: wrkzZEinm7SD60TVf2-zwKUiJx0nfe6iwy2hLIO_1ia3OPlk21fsMg==
via: 1.1 41e349e25dc4bc856d0e5d2c162428a0.cloudfront.net (CloudFront), 1.1 e4d3d5aafc7d7d582423c073065ab562.cloudfront.net (CloudFront), 1.1 google
date: Wed, 22 Feb 2023 21:42:20 GMT
age: 71479
etag: "cf3ce1808c48e1a86910e16731a044f6cb26275d"
content-type: image/jpeg
cache-control: max-age=3600,public,public
alt-svc: clear
X-Firefox-Spdy: h2

firefox.settings.services.mozilla.com/v1/buckets/main/collections/fxmonitor-breaches/changeset?_expected=1675734066429&_since=%221662044085942%22

35.241.9.150

200 OK

5.6 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/fxmonitor-breaches/changeset?_expected=1675734066429&_since=%221662044085942%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (5628), with no line terminators
Size
5.6 kB (5628 bytes)
Hash
c2aaf121f79032d2dbef3b6bbebc5bda
9aea63df55fe7bbf0337658087da5679e68fff39
570d0386b573c64a975e5ce952c25a81ad35b59a114e7d86f9a85d2a0d4c5c62

HTTP Headers

GET /v1/buckets/main/collections/fxmonitor-breaches/changeset?_expected=1675734066429&_since=%221662044085942%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Alert, Retry-After, Content-Type, Content-Length, Backoff
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 5628
via: 1.1 google
date: Thu, 23 Feb 2023 17:08:57 GMT
age: 1482
last-modified: Wed, 22 Feb 2023 16:36:43 GMT
content-type: application/json
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

34.120.237.76

200 OK

9.7 kB

URL HTTP/2
img-getpocket.cdn.mozilla.net/296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F1585e234-d4e0-4e4e-8699-70831e5a915e.jpeg
IP
34.120.237.76:0
ASN
#15169 GOOGLE

File type
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 296x148, components 3\012- data
Size
9.7 kB (9721 bytes)
Hash
e4016fa20fa2642f89d375fcc2855d4b
f1733be34a214e9565208f814dd3990f89cafbcb
74686e6a674433c436bce8c70cecc1a2cde51e82241e8251188ebd587fd4ee18

HTTP Headers

GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F1585e234-d4e0-4e4e-8699-70831e5a915e.jpeg HTTP/1.1
Host: img-getpocket.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: null
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
server: nginx
content-length: 9721
x-amzn-requestid: 5ddea3ff-b6e2-4528-8e71-eade54612b4f
x-xss-protection: 1; mode=block
access-control-allow-origin: *
strict-transport-security: max-age=63072000; includeSubdomains; preload
x-frame-options: DENY
content-security-policy: default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'
x-amz-apigw-id: AwqR3HJpoAMF5LQ=
x-content-type-options: nosniff
x-amzn-trace-id: Root=1-63f68a72-413219251feae2e32b9e6857;Sampled=0
x-amzn-remapped-date: Wed, 22 Feb 2023 21:34:42 GMT
x-amz-cf-pop: HIO50-C1, SEA19-C2
x-cache: Hit from cloudfront
x-amz-cf-id: iHR9N5OPgY8mjpsZowY-Ipeq62c8O_QQorpNmIOa68_vmWyY0eqt-A==
via: 1.1 ddd913fbbe7367d44af4ac06097e7a2a.cloudfront.net (CloudFront), 1.1 61bc723adb3b1884ed759711e84e13a8.cloudfront.net (CloudFront), 1.1 google
date: Wed, 22 Feb 2023 21:44:15 GMT
age: 71364
etag: "f1733be34a214e9565208f814dd3990f89cafbcb"
content-type: image/jpeg
cache-control: max-age=3600,public,public
alt-svc: clear
X-Firefox-Spdy: h2

34.120.237.76

200 OK

9.9 kB

URL HTTP/2
img-getpocket.cdn.mozilla.net/296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F7e9c643f-2d83-48c4-9450-1b873c5cc877.jpeg
IP
34.120.237.76:0
ASN
#15169 GOOGLE

File type
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 296x148, components 3\012- data
Size
9.9 kB (9857 bytes)
Hash
25edfc4908176ce024f4c8b9622cbe2a
938086638fe62b81018b6ce0d459728bb266b6ec
1151a4d1e341883aa26ec969c65e95685d751074ad2c4f54ed6e21b2fce25bac

HTTP Headers

GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F7e9c643f-2d83-48c4-9450-1b873c5cc877.jpeg HTTP/1.1
Host: img-getpocket.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: null
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
server: nginx
content-length: 9857
x-amzn-requestid: bb5b0484-d946-4954-a8ef-6419cc93bfd4
x-xss-protection: 1; mode=block
access-control-allow-origin: *
strict-transport-security: max-age=63072000; includeSubdomains; preload
x-frame-options: DENY
content-security-policy: default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'
x-amz-apigw-id: AwqSoFcDoAMF6VQ=
x-content-type-options: nosniff
x-amzn-trace-id: Root=1-63f68a76-5f8c7a1f0fb6a01e0213ba46;Sampled=0
x-amzn-remapped-date: Wed, 22 Feb 2023 21:34:46 GMT
x-amz-cf-pop: HIO50-C1, SEA19-C2
x-cache: Hit from cloudfront
x-amz-cf-id: RsXvkVXlfNrcr1Hr82G0H11Ai_oyHo_HDME-cYpO0NeDDqy000B-rA==
via: 1.1 0005a84c2971ff4f5bbb79e7ebc622a8.cloudfront.net (CloudFront), 1.1 6172bb1a5d00a3b06ae3700570ebe116.cloudfront.net (CloudFront), 1.1 google
date: Wed, 22 Feb 2023 21:38:54 GMT
age: 71685
etag: "938086638fe62b81018b6ce0d459728bb266b6ec"
content-type: image/jpeg
cache-control: max-age=3600,public,public
alt-svc: clear
X-Firefox-Spdy: h2

34.120.237.76

200 OK

6.6 kB

URL HTTP/2
img-getpocket.cdn.mozilla.net/296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F3c4dab71-c39e-421a-8dd6-60a97e3b2223.jpeg
IP
34.120.237.76:0
ASN
#15169 GOOGLE

File type
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 296x148, components 3\012- data
Size
6.6 kB (6643 bytes)
Hash
9a6c075bf39141bbc7826d6969cf2ac8
8a3f71fea281d57261814a858c94fd11f083b9fe
dbd5fd07729dd569dd87128ba167ccccb2fa1c8e73f3eb6d64ac1c37f8294db7

HTTP Headers

GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F3c4dab71-c39e-421a-8dd6-60a97e3b2223.jpeg HTTP/1.1
Host: img-getpocket.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: null
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
server: nginx
content-length: 6643
x-amzn-requestid: 326ed8fb-b228-4546-adf3-a188ce799089
x-xss-protection: 1; mode=block
access-control-allow-origin: *
strict-transport-security: max-age=63072000; includeSubdomains; preload
x-frame-options: DENY
content-security-policy: default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'
x-amz-apigw-id: ArXwJG4OoAMFVZQ=
x-content-type-options: nosniff
x-amzn-trace-id: Root=1-63f46ccd-74c2a8741928ad99733db89f;Sampled=0
x-amzn-remapped-date: Tue, 21 Feb 2023 07:03:41 GMT
x-amz-cf-pop: SEA19-C2
x-cache: Hit from cloudfront
x-amz-cf-id: Gu_G39ZXNYgyloJITQfAYavWjzrcB_sPNNOROrgBJW3BZtCVLpbxSQ==
via: 1.1 5a1753718d8b33365e5f693dd338c510.cloudfront.net (CloudFront), 1.1 61bc723adb3b1884ed759711e84e13a8.cloudfront.net (CloudFront), 1.1 google
date: Thu, 23 Feb 2023 05:02:10 GMT
age: 45089
etag: "8a3f71fea281d57261814a858c94fd11f083b9fe"
content-type: image/jpeg
cache-control: max-age=3600,public,public
alt-svc: clear
X-Firefox-Spdy: h2

34.120.237.76

200 OK

5.8 kB

URL HTTP/2
img-getpocket.cdn.mozilla.net/296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F1024518c-aee4-4742-a886-86b92f76f0c3.jpeg
IP
34.120.237.76:0
ASN
#15169 GOOGLE

File type
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 296x148, components 3\012- data
Size
5.8 kB (5823 bytes)
Hash
fbf1945668d4a8c35e68f8d60fd80f56
0553020a82f7a6245a2979d58e1765883a777893
4220c9dea6f77c1775be6ca4d1d133b3d8f1d9caec3cc6e85747b87c7d897a92

HTTP Headers

GET /296x148/filters:format(jpeg):quality(60):no_upscale():strip_exif()/https%3A%2F%2Fs3.amazonaws.com%2Fpocket-curatedcorpusapi-prod-images%2F1024518c-aee4-4742-a886-86b92f76f0c3.jpeg HTTP/1.1
Host: img-getpocket.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Origin: null
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
server: nginx
content-length: 5823
x-amzn-requestid: 4b226ac8-c443-4382-ab8e-b618c95a713d
x-xss-protection: 1; mode=block
access-control-allow-origin: *
strict-transport-security: max-age=63072000; includeSubdomains; preload
x-frame-options: DENY
content-security-policy: default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'
x-amz-apigw-id: Aq1HSFWvIAMFUAw=
x-content-type-options: nosniff
x-amzn-trace-id: Root=1-63f43561-7ac4a51e389a6e6b2a9199a5;Sampled=0
x-amzn-remapped-date: Tue, 21 Feb 2023 03:07:13 GMT
x-amz-cf-pop: SEA19-C2
x-cache: Hit from cloudfront
x-amz-cf-id: p6v-ksQmtagKBT2hXXL7AVGvhSCwy8wUoi4dWRJPDaSsT7BvBxh4fw==
via: 1.1 5ab5dc09da67e3ea794ec8a82992cc88.cloudfront.net (CloudFront), 1.1 d8792dbd3191bbe722eba5b536b979c8.cloudfront.net (CloudFront), 1.1 google
date: Thu, 23 Feb 2023 03:02:20 GMT
age: 52279
etag: "0553020a82f7a6245a2979d58e1765883a777893"
content-type: image/jpeg
cache-control: max-age=3600,public,public
alt-svc: clear
X-Firefox-Spdy: h2

firefox.settings.services.mozilla.com/v1/buckets/main/collections/normandy-recipes-capabilities/changeset?_expected=1677012027435&_since=%221666483264567%22

35.241.9.150

200 OK

60 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/normandy-recipes-capabilities/changeset?_expected=1677012027435&_since=%221666483264567%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (59855), with no line terminators
Size
60 kB (59855 bytes)
Hash
bcb198ca74c45fbd1b5861b2a0f9d223
5412c0ce213fac042543ac71439580df1344f9d6
cc36baa1c30fb3d6aa628df0a08dad136d3ddbf90fb7efcd7d814b80fed967d9

HTTP Headers

GET /v1/buckets/main/collections/normandy-recipes-capabilities/changeset?_expected=1677012027435&_since=%221666483264567%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Retry-After, Content-Length, Alert, Backoff, Content-Type
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 59855
via: 1.1 google
date: Thu, 23 Feb 2023 16:18:54 GMT
age: 4485
last-modified: Tue, 21 Feb 2023 20:40:27 GMT
content-type: application/json
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

firefox.settings.services.mozilla.com/v1/buckets/main/collections/cfr/changeset?_expected=1666894461944&_since=%221659547595259%22

35.241.9.150

200 OK

1.5 kB

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/cfr/changeset?_expected=1666894461944&_since=%221659547595259%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (1505), with no line terminators
Size
1.5 kB (1505 bytes)
Hash
8c387573e466da58de34efecea89a4a1
3bee30f48f21c082dee7ce7b52ebd7b4e30edca8
019686dbf2b110ba2e746777c3539cf842f44eeb333ec45af0f41d785a2c9272

HTTP Headers

GET /v1/buckets/main/collections/cfr/changeset?_expected=1666894461944&_since=%221659547595259%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Content-Length, Retry-After, Content-Type, Backoff, Alert
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 1505
via: 1.1 google
date: Thu, 23 Feb 2023 16:41:07 GMT
age: 3152
last-modified: Mon, 20 Feb 2023 16:36:46 GMT
content-type: application/json
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

firefox.settings.services.mozilla.com/v1/buckets/main/collections/message-groups/changeset?_expected=1670425599656&_since=%221665698079854%22

35.241.9.150

200 OK

935 B

URL HTTP/2
firefox.settings.services.mozilla.com/v1/buckets/main/collections/message-groups/changeset?_expected=1670425599656&_since=%221665698079854%22
IP
35.241.9.150:0
ASN
#15169 GOOGLE

File type
JSON data\012- , ASCII text, with very long lines (935), with no line terminators
Size
935 B (935 bytes)
Hash
6c796237d371d417e638a02a0cd932e7
6d289d3a27964ab953e0dd0d0d771ce754bc8851
b8d634496126a0452c5b9443293308160c29efffa1462027e0161876494982e8

HTTP Headers

GET /v1/buckets/main/collections/message-groups/changeset?_expected=1670425599656&_since=%221665698079854%22 HTTP/1.1
Host: firefox.settings.services.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
TE: trailers

HTTP/2 200 OK
access-control-allow-origin: *
access-control-expose-headers: Alert, Retry-After, Content-Type, Content-Length, Backoff
content-security-policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none';
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
content-length: 935
via: 1.1 google
date: Thu, 23 Feb 2023 16:44:07 GMT
age: 2972
last-modified: Mon, 20 Feb 2023 16:36:44 GMT
content-type: application/json
cache-control: max-age=3600,public
alt-svc: clear
X-Firefox-Spdy: h2

citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309

20.213.243.40

200 OK

33 kB

URL HTTP/1.1
citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- exported SGML document, Unicode text, UTF-8 text, with very long lines (975)
Size
33 kB (33268 bytes)
Hash
1bf8de499eb321a240f4ffb595da470d
843da745bca0f3f4bbfca54fc16ce3a3eac93814
39a18ffbfcfcfd7ca21ccf2b731636edea0130812aed788ede2ce5595457e3c3

Detections

Analyzer	Verdict	Alert
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309 HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:40 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

citizens-login.ddns.net/Guard/css/Login/normalize.css

20.213.243.40

200 OK

9.9 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/css/Login/normalize.css
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
ASCII text
Size
9.9 kB (9922 bytes)
Hash
f4c899699f3f6235f3bfa2db0cff86da
cbb6ec7fa4b58fb6c5a700720b239ce27e339646
91afb84bded857517d6a7e43932e3d4a43eaf42d1e4d0b77a8bc9c07973e21d2

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/css/Login/normalize.css HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:40 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:39:40 GMT
Accept-Ranges: bytes
Content-Length: 9922
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/css

citizens-login.ddns.net/Guard/css/Login/ad-containers.css

20.213.243.40

200 OK

8.0 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/css/Login/ad-containers.css
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
ASCII text, with CRLF line terminators
Size
8.0 kB (7985 bytes)
Hash
65d28549495a385024b93b037e33835f
987adde42fd154ef5da27d9ed3845ccb168ba2f4
c8a977fd23fc151d7944387ad07220eb673de84b4343d6304efe5a8e1c061b02

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/css/Login/ad-containers.css HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:40 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:39:40 GMT
Accept-Ranges: bytes
Content-Length: 7985
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/css

citizens-login.ddns.net/Guard/css/Login/flows.css

20.213.243.40

200 OK

8.6 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/css/Login/flows.css
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
Unicode text, UTF-8 text
Size
8.6 kB (8622 bytes)
Hash
078f967787a4306c0ad31bc92c8796f0
9f85a2b460a73c644c82174641e21e2caa315f9c
760a14e8872a498b478f3c942746d7657199d8d7f23ce151368c6e58d9fbc85f

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/css/Login/flows.css HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:40 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 02:20:10 GMT
Accept-Ranges: bytes
Content-Length: 8622
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/css

citizens-login.ddns.net/Guard/css/Login/jquery-ui-1.css

20.213.243.40

200 OK

19 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/css/Login/jquery-ui-1.css
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
ASCII text, with very long lines (17412)
Size
19 kB (19030 bytes)
Hash
554d7d54b6474370d39d74ba81f8a60b
d857a1229ebca1508756c1a46481398cf01803b5
7aaf6df215bb7018439342fe6bcd1058de3e7dfa2c7b4e1176c842b1a8e529ac

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/css/Login/jquery-ui-1.css HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:40 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:39:40 GMT
Accept-Ranges: bytes
Content-Length: 19030
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/css

citizens-login.ddns.net/Guard/css/Login/citizensns.css

20.213.243.40

200 OK

6.0 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/css/Login/citizensns.css
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
Unicode text, UTF-8 text
Size
6.0 kB (5981 bytes)
Hash
4e258533601217d93e556e99b5e5899e
842e5a1e1eedb691a1d8ad1618d1bbde36ea745a
80a21256af0f906e9289c08c8b0d7ad99cfa05e1817729775eea640ce9219457

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/css/Login/citizensns.css HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:40 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:39:40 GMT
Accept-Ranges: bytes
Content-Length: 5981
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/css

citizens-login.ddns.net/Guard/css/Login/sec-3-3.css

20.213.243.40

200 OK

1.6 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/css/Login/sec-3-3.css
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
ASCII text, with very long lines (609)
Size
1.6 kB (1601 bytes)
Hash
2fe4aec8dfb33f933ed5c6515e6a3f8b
995dbff4cbe05148f25301c896bb6a7f04d2ebc1
e98c61d19f0e628139216fc2f3103faedad7910a4653db598c120b8fa7537ac8

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/css/Login/sec-3-3.css HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:41 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:39:40 GMT
Accept-Ranges: bytes
Content-Length: 1601
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/css

citizens-login.ddns.net/Guard/css/Login/main.css

20.213.243.40

200 OK

60 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/css/Login/main.css
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
ASCII text
Size
60 kB (60331 bytes)
Hash
451a0244aa5e30c6be6adc7da5cae907
2ceea2a7c2a36de57de2f248f620a6b76c0a4080
ac687458578c7a3bea39134b211b3db1d9d064dcf01646bcb66312987fd15fe1

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/css/Login/main.css HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:40 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 02:21:44 GMT
Accept-Ranges: bytes
Content-Length: 60331
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/css

citizens-login.ddns.net/Guard/img/elh.gif

20.213.243.40

200 OK

1.4 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/elh.gif
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
GIF image data, version 89a, 31 x 24\012- data
Size
1.4 kB (1433 bytes)
Hash
f79e78d673f51194d9b9021cbc72b5b3
79a917fad527cef8d96af24d142653f2f49109b3
56c43c6f5c8209acd47f355810bca2f9b0fc86c4bbdf1361d60fb2d2e2e66f8c

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/elh.gif HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:41 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:52:32 GMT
Accept-Ranges: bytes
Content-Length: 1433
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/gif

citizens-login.ddns.net/Guard/img/footer-follow-youtube.png

20.213.243.40

200 OK

3.3 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/footer-follow-youtube.png
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
PNG image data, 25 x 21, 8-bit/color RGBA, non-interlaced\012- data
Size
3.3 kB (3278 bytes)
Hash
09c8c4f0f417a049b8ab6acdd2581717
2c9dbf84a80167a9c7b41e5955969dd4d1d75c6f
9af5181113e5d0eacfc3d9c0b3ad627dc3ad50708755fbe45ab18e0cad4f3b36

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/footer-follow-youtube.png HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:41 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:52:32 GMT
Accept-Ranges: bytes
Content-Length: 3278
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/png

citizens-login.ddns.net/Guard/img/footer-follow-twitter.png

20.213.243.40

200 OK

3.3 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/footer-follow-twitter.png
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
PNG image data, 25 x 21, 8-bit/color RGBA, non-interlaced\012- data
Size
3.3 kB (3295 bytes)
Hash
ab8d8dc7ea3d7b572b2dc47f2aebe5ae
900c9f837d9a015e6609b14eed6d99c384ec5441
9b4ffac9ea755d2aaff724fa471d90fd63ae5648e18f60a67db0a5c3bffd84e5

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/footer-follow-twitter.png HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:41 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:52:32 GMT
Accept-Ranges: bytes
Content-Length: 3295
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png

citizens-login.ddns.net/Guard/img/footer-follow-facebook.png

20.213.243.40

200 OK

395 B

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/footer-follow-facebook.png
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
PNG image data, 28 x 21, 8-bit/color RGB, non-interlaced\012- data
Size
395 B (395 bytes)
Hash
25dbaaa7fa1bf41ca6614f1d2cf699f5
56a9e2459a275ef7178ff8c90c2b277265f64fb0
eb175662762ef5f2c9011cc1c4f9d09361c50a366fad8a544bda1c439b99d3a0

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/footer-follow-facebook.png HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:41 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:52:32 GMT
Accept-Ranges: bytes
Content-Length: 395
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/png

citizens-login.ddns.net/Guard/img/equal-housing.gif

20.213.243.40

200 OK

1.1 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/equal-housing.gif
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
GIF image data, version 89a, 14 x 9\012- data
Size
1.1 kB (1134 bytes)
Hash
39fc59327cb01ffbd5ab0ece1b08fba4
6cc1099707564164c3de6f94714808cdb1c415a7
319d82f567037eafefea25abbc64ea902db9255c5e7231fe9ddd462e4f5b9149

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/equal-housing.gif HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:41 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:52:32 GMT
Accept-Ranges: bytes
Content-Length: 1134
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: image/gif

citizens-login.ddns.net/Guard/img/fdicFooter.gif

20.213.243.40

200 OK

2.2 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/fdicFooter.gif
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
GIF image data, version 89a, 56 x 24\012- data
Size
2.2 kB (2245 bytes)
Hash
a0742f4f717eac3a1e61f53cbbec74f2
f85639ee91bccd2bddaf043b80c892ae6b700d49
dddb031e5144ce20d909dbf4829d637738efa477bf5ab4eab67b1990ef0efb2d

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/fdicFooter.gif HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:41 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:52:32 GMT
Accept-Ranges: bytes
Content-Length: 2245
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/gif

citizens-login.ddns.net/Guard/img/icon-secure.png

20.213.243.40

200 OK

292 B

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/icon-secure.png
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
PNG image data, 16 x 20, 8-bit/color RGBA, non-interlaced\012- data
Size
292 B (292 bytes)
Hash
18ffa7c3d8f40b5da7df780d91930e20
524ca8ffaadbd033fd0504fe580d47315690afa1
c8d87d770112e188f7b1482e9a416ffc441a9a6e08e2fc38a886fa2986efdb46

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/icon-secure.png HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Guard/css/Login/flows.css
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:41 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:46:44 GMT
Accept-Ranges: bytes
Content-Length: 292
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png

citizens-login.ddns.net/Guard/img/flows-tooltip.png

20.213.243.40

200 OK

364 B

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/flows-tooltip.png
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced\012- data
Size
364 B (364 bytes)
Hash
35a7359b239ddca8639017dfc4b71b4a
dfdd659f24502fbe7dd79c9564e1e528233fdcad
dfc042f7ff75f3c2f916bcfbff48c82834bab07b698a2c564906ca073f8286b2

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/flows-tooltip.png HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Guard/css/Login/flows.css
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:41 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:55:16 GMT
Accept-Ranges: bytes
Content-Length: 364
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png

citizens-login.ddns.net/Guard/img/arrow-button-white.png

20.213.243.40

200 OK

1.0 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/arrow-button-white.png
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
PNG image data, 18 x 12, 8-bit/color RGBA, non-interlaced\012- data
Size
1.0 kB (1017 bytes)
Hash
e7b1dd2b4db648b74fc5b873e7196a87
2f053c0827091b3929ea889dd2dc5c923dcb450a
ff327ec2a6dbd3fc76ceecf59e472d5d2f43c94dce851ced740abe5f75bb832e

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/arrow-button-white.png HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Guard/css/Login/flows.css
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:41 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:54:12 GMT
Accept-Ranges: bytes
Content-Length: 1017
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png

citizens-login.ddns.net/Guard/Fonts/citizen_roman.woff

20.213.243.40

200 OK

32 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/Fonts/citizen_roman.woff
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
Web Open Font Format, TrueType, length 31968, version 1.0\012- data
Size
32 kB (31968 bytes)
Hash
d496c6122c776cae7c2a783bfcd7a3a1
fbdbec90d23bd77f471be50a3c6711e535ac72bc
c8b1f6c22756521c86a5b0053b8565b49436f7fa19d1bb7cdf00a7808df28d42

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/Fonts/citizen_roman.woff HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Guard/css/Login/main.css
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:42 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:49:16 GMT
Accept-Ranges: bytes
Content-Length: 31968
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: font/woff

citizens-login.ddns.net/Guard/Fonts/citiolb_icons.woff

20.213.243.40

200 OK

18 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/Fonts/citiolb_icons.woff
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
Web Open Font Format, TrueType, length 18524, version 0.0\012- data
Size
18 kB (18524 bytes)
Hash
022cb73ac43269074f73e97b9cca4f2d
85f96bbe6d675a4892fbb483cde78c6eb9419d78
b23d0629822256b320de68cece2a79525216c20a0b040d4ee0ee6dd216b98115

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/Fonts/citiolb_icons.woff HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Guard/css/Login/main.css
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:42 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:45:30 GMT
Accept-Ranges: bytes
Content-Length: 18524
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: font/woff

citizens-login.ddns.net/Guard/img/CTZ_Green-01.png

20.213.243.40

200 OK

4.2 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/CTZ_Green-01.png
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
PNG image data, 406 x 50, 8-bit/color RGBA, non-interlaced\012- data
Size
4.2 kB (4206 bytes)
Hash
edeb1da3a70dc89f6afdf7e104d06f6c
5afd9b50c42c7820edfceebcc47b4443c9dbb0f9
c401ce328e0383e71cd811709055aa8671cee50e355c6588bd567c1320b4e4ab

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/CTZ_Green-01.png HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:42 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:52:32 GMT
Accept-Ranges: bytes
Content-Length: 4206
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/png

citizens-login.ddns.net/Guard/img/arrow-down-blue.png

20.213.243.40

200 OK

1.1 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/arrow-down-blue.png
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
PNG image data, 28 x 11, 8-bit/color RGBA, non-interlaced\012- data
Size
1.1 kB (1054 bytes)
Hash
dc25c0429ceba4038c36551d05760dd7
a79832f9ae49997cd90701d48a02bd06bf29a7d0
56a8532b2a60ca2ae39c213f7e1e65e47834af927e6365444457f22ed12ed79c

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/arrow-down-blue.png HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Guard/css/Login/main.css
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:42 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 02:19:58 GMT
Accept-Ranges: bytes
Content-Length: 1054
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: image/png

citizens-login.ddns.net/Guard/Fonts/citizen_book.woff

20.213.243.40

200 OK

32 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/Fonts/citizen_book.woff
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
Web Open Font Format, TrueType, length 31864, version 1.0\012- data
Size
32 kB (31864 bytes)
Hash
0dd22599312493e4bb7b8662f71dddcc
29f5fd587566f80d886dc0109f53ecf47eb5bbf5
2a0a7ee3ea564db1e157dd2202c20b8092228fea9091f5cd1e83551e170ec277

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/Fonts/citizen_book.woff HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Guard/css/Login/main.css
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:42 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:49:16 GMT
Accept-Ranges: bytes
Content-Length: 31864
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: font/woff

citizens-login.ddns.net/efs/efs/grafx/arrow-right-orange.png

20.213.243.40

404 Not Found

315 B

URL HTTP/1.1
citizens-login.ddns.net/efs/efs/grafx/arrow-right-orange.png
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- exported SGML document, ASCII text
Size
315 B (315 bytes)
Hash
a34ac19f4afae63adc5d2f7bc970c07f
a82190fc530c265aa40a045c21770d967f4767b8
d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /efs/efs/grafx/arrow-right-orange.png HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Guard/css/Login/main.css
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 404 Not Found
Date: Thu, 23 Feb 2023 17:33:42 GMT
Server: Apache
Content-Length: 315
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

citizens-login.ddns.net/Guard/Fonts/citizen_extrabold.woff

20.213.243.40

200 OK

28 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/Fonts/citizen_extrabold.woff
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
Web Open Font Format, TrueType, length 27852, version 1.0\012- data
Size
28 kB (27852 bytes)
Hash
76f4964f6d001aa6967fb570438d80cc
5259516d0615338a701e5a19a37d6bc45c6bcedc
0e9485cdb6a684713287cb41c6e6c3e26d12280f17349f98402456ff86ec9759

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/Fonts/citizen_extrabold.woff HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Guard/css/Login/main.css
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:42 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:49:16 GMT
Accept-Ranges: bytes
Content-Length: 27852
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: font/woff

citizens-login.ddns.net/Guard/Fonts/citizen_bold.woff

20.213.243.40

200 OK

29 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/Fonts/citizen_bold.woff
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
Web Open Font Format, TrueType, length 29304, version 1.0\012- data
Size
29 kB (29304 bytes)
Hash
c0f795cba89d0c65078577b8b1b7c62a
6fd231b6616aad9abdfc37562541da3db904e6ac
5bb2d438470a02799577010a14310fa8ac3ed7ea77ca15435aaaa154e407b3e6

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/Fonts/citizen_bold.woff HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Guard/css/Login/main.css
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:42 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:49:16 GMT
Accept-Ranges: bytes
Content-Length: 29304
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: font/woff

citizens-login.ddns.net/Guard/img/footer-follow-linkedin.png

20.213.243.40

200 OK

3.2 kB

URL HTTP/1.1
citizens-login.ddns.net/Guard/img/footer-follow-linkedin.png
IP
20.213.243.40:0
ASN
#8075 MICROSOFT-CORP-MSN-AS-BLOCK

File type
PNG image data, 25 x 21, 8-bit/color RGBA, non-interlaced\012- data
Size
3.2 kB (3239 bytes)
Hash
b187d1cd61b1912b22ebfb4efce30bad
b502a6ed3e50ffe6da8d8d5114fd404650d38ea7
fe3ddc37707c93f338a1f6359dfa03019e096df14454808aaccbb7538aa3c67b

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Citizens Bank
urlquery	phishing	Phishing - Citizens Bank
urlquery	suspicious	Suspicious - DynDNS domain

NIDS	Severity	Alert
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

HTTP Headers

GET /Guard/img/footer-follow-linkedin.png HTTP/1.1
Host: citizens-login.ddns.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://citizens-login.ddns.net/Login/?token=8a93394a390bd9c5f0849cf7b1ffb9e9e166ee221f8d5469e4c8657851b7fe3004c7bc96f5380008cb8d0a460f20a806db3fafca9b60b483c82cd3dcc2d71309
Cookie: PHPSESSID=4c95ae8bb147ced71e495c4111d528ab

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2023 17:33:42 GMT
Server: Apache
Last-Modified: Sun, 02 May 2021 01:52:32 GMT
Accept-Ranges: bytes
Content-Length: 3239
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: image/png

Report Overview

Submitted URL

IP

ASN

Submitted

Access

Website Title

Final URL

Tags

urlquery detections

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

OpenPhish

PhishTank

Fortinet's Web Filter

mnemonic secure dns

Quad9 DNS

ThreatFox

JavaScript (2)

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

HTTP Transactions (74)

URL HTTP/1.1

IP

ASN

File type

Size

Hash

HTTP Headers

URL HTTP/1.1

IP

ASN

File type

Size

Hash

HTTP Headers

URL HTTP/1.1

IP

ASN

File type

Size

Hash

HTTP Headers

URL HTTP/2

IP

ASN

File type

Size

Hash

HTTP Headers

URL HTTP/1.1

IP

ASN

File type

Size

Hash

HTTP Headers

URL HTTP/2

IP

ASN

File type