{"report_id":"e4d9f16a-2569-4eff-b53d-1d482dc24472","version":6,"status":"done","tags":[],"date":"2026-03-24T20:46:55Z","url":{"schema":"https","addr":"subscriberfraudinvestigation.pages.dev","fqdn":"subscriberfraudinvestigation.pages.dev","domain":"subscriberfraudinvestigation.pages.dev","tld":"pages.dev"},"ip":{"addr":"172.66.47.46","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"https","addr":"subscriberfraudinvestigation.pages.dev/","fqdn":"subscriberfraudinvestigation.pages.dev","domain":"subscriberfraudinvestigation.pages.dev","tld":"pages.dev"},"title":"SFI - Subscriber Fraud Investigation","dom":{"size":30261,"mime_type":"text/html; charset=utf-8","magic":"HTML document, Unicode text, UTF-8 text, with very long lines (1484)","md5":"7de1c3a1ef401b6502ceb1dcc7277213","sha1":"d59fe31b0a40f7c7a7a176b7627c9cf90c1bcf2e","sha256":"22ff04bef2ea4d9b0910cb23008f5508a928e55f9a0ad3ce8d0b70da6d2a60c8","sha512":"3dfcea4f7f2e31dc99755e2703677cf18d06866aea3f867fe85ce4c59f8ed42e4bdf533e8ae3cd25ad7417380b887f0786b00a6d7cb6bb85f7eb61be60723f11","ssdeep":"384:W2vVTSOF6rFyFtz8Cef3qh6Spv0S7ad0eC5v0Y2K0RlQ74Y:hFSOF6rFyFtdefvSpvinC5vlAlQ0Y","tlshash":"d3d2c72676f31036005761652beb87493768f047a90acd293bdc87888fc6a6ddd63b4d","dom_hash":"domhashbf96f7d02ddf825b1880c5e1f50b73ad","first_seen":"","last_seen":"","times_seen":0,"resource_available":false,"data":null}},"submit":{"url":{"schema":"https","addr":"subscriberfraudinvestigation.pages.dev","fqdn":"subscriberfraudinvestigation.pages.dev","domain":"subscriberfraudinvestigation.pages.dev","tld":"pages.dev"},"ip":{"addr":"172.66.47.46","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"tags":null,"meta":null,"user":{"user_id":"akbkyowd9geqr98"}},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-04-28T20:46:55Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":1,"urlquery":0,"analyzer":0}},"detection":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-03-24T20:46:33Z","timestamp":1774385193,"ip_dst":{"addr":"172.66.47.46","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":39836,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO Observed Cloudflare Page Developer Domain (pages .dev in TLS SNI)","source":"{\"timestamp\":\"2026-03-24T20:46:33.925673+0000\",\"flow_id\":932325599340442,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.15\",\"src_port\":39836,\"dest_ip\":\"172.66.47.46\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2057746,\"rev\":1,\"signature\":\"ET INFO Observed Cloudflare Page Developer Domain (pages .dev in TLS SNI)\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2024_11_20\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"tag\":[\"Description_Generated_By_Proofpoint_Nexus\"],\"updated_at\":[\"2024_11_20\"]}},\"tls\":{\"sni\":\"subscriberfraudinvestigation.pages.dev\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"650c82854aed91a22996035b295a0c3e\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":789,\"bytes_toclient\":3523,\"start\":\"2026-03-24T20:46:33.911258+0000\"}}"}],"analyzer":null,"urlquery":null},"summary":[{"fqdn":"subscriberfraudinvestigation.pages.dev","ip":{"addr":"172.66.47.46","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"2020-09-02","domain_rank":0,"first_seen":"2026-03-24T20:46:55.95492Z","last_seen":"2026-03-24T20:46:55.95492Z","alert_count":0,"request_count":2,"received_data":62805,"sent_data":990,"comment":"","tags":null,"fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}]},{"fqdn":"i.ibb.co","ip":{"addr":"45.43.142.5","port":443,"asn":215751,"as":"Mikhail Fedorov","country":"Israel","country_code":"IL"},"domain_registered":"2010-07-20","domain_rank":21643,"first_seen":"2018-11-25T10:13:48Z","last_seen":"2026-03-18T20:34:20.366848Z","alert_count":0,"request_count":1,"received_data":326228,"sent_data":514,"comment":"","tags":null,"fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":null,"analyzer":null,"urlquery":null},"javascript":{"script":[{"url":{"schema":"https","addr":"subscriberfraudinvestigation.pages.dev/","fqdn":"subscriberfraudinvestigation.pages.dev","domain":"subscriberfraudinvestigation.pages.dev","tld":"pages.dev"},"ip":{"addr":"172.66.47.46","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"introduction_type":"scriptElement","is_inline":true,"md5":"5445876b22fca60e5e084888de827698","sha1":"03ab956433fa31e0abd65f2024defdd7eb34b994","sha256":"9d39b75fd90dc983d8fe3ea1982dbf5c42d1cb54452e14bc997cc13b2b730a69","sha512":"a26847aa0e6469e00d69e9537389a82ea982c5a7bbf8437dd9d27fd918154a469c8d7e176c89e6fb3ec8ffac0fcf132657d5f9d1405faff416d1f7955f47e285","ssdeep":"192:e4da6Spv0qMchq07r05fb3W/5odojJ8weC5v0xITQa0zaE:eh6Spv0S7ad0eC5v0YO","tlshash":"3622621ba6b3107a01b7627b57cb5304762460473585cc1d3fac83490f8ae2a9eb6bce","size":10237,"data":"","first_seen":"2026-03-24T20:46:58.359049Z","last_seen":"2026-03-24T20:46:58.359049Z","times_seen":1,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"subscriberfraudinvestigation.pages.dev/","fqdn":"subscriberfraudinvestigation.pages.dev","domain":"subscriberfraudinvestigation.pages.dev","tld":"pages.dev"},"ip":{"addr":"172.66.47.46","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2026-03-24T20:46:33.885Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"subscriberfraudinvestigation.pages.dev","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Sun, 15 Mar 2026 01:32:43 GMT","end":"Sat, 13 Jun 2026 02:30:19 GMT"},"fingerprint":{"sha1":"60:8E:38:33:B1:00:46:66:4A:CD:78:42:A0:BA:5F:6B:24:E5:E4:72","sha256":"BF:FA:D1:5A:B7:F4:35:70:0B:49:A8:30:10:BD:BB:2F:43:A7:1B:2A:95:66:14:F4:E4:A8:F0:38:32:79:E8:C8"}}},"request":{"raw":"GET / HTTP/1.1\r\nHost: subscriberfraudinvestigation.pages.dev\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Tue, 24 Mar 2026 20:46:34 GMT\r\ncontent-type: text/html; charset=utf-8\r\naccess-control-allow-origin: *\r\ncache-control: public, max-age=0, must-revalidate\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\nreferrer-policy: strict-origin-when-cross-origin\r\nx-content-type-options: nosniff\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=eUPEQmSniyVXvplfsaKiMl3Sd3UmORvkxlgG8hzzzjlguy5V6By3PrHPETuy%2BuQoAcK%2BRCgkjGSD%2BVi2tErfCxrwrI7PMiKvO1rvX%2FkQt9sKkqBjhqrvRoyuaBedE3VVSTtyZHt1\"}]}\r\netag: W/\"6b59f2e9e8a078019d9370a8383bfd68\"\r\ncontent-encoding: br\r\nserver: cloudflare\r\ncf-ray: 9e1886a64fa05ebd-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":30635,"size_decoded":0,"mime_type":"text/html; charset=utf-8","magic":"HTML document, ASCII text, with very long lines (1484), with CRLF line terminators","md5":"38cdf22684a32dfc05e338c25a491dc3","sha1":"afe644764adff6ba46d9211fbe4680bf08faed73","sha256":"1b734c7876149b45563123bd6fb798ba0eb99619145d1f93cc1050de5fc978d0","sha512":"1c454e8c23e56a7ab9ca44dd7fbfee56c75507d6ab1c5979e160a941ee8b369b103f32dafcdb21fb24d32be8da440a13dcc0f8072e29bddb4fe42dfb1d32cc70","ssdeep":"384:2S2vVTSJQ1z6qfjvjYU78Xx/DvTCYH96jN41:2dFSglfjvnm/Dv596jC1","tlshash":"50d2b626a69110274173a3b56fe34709faa4a047964346193bed83864ff3838cd63f8d","first_seen":"2026-03-24T20:46:58.353624Z","last_seen":"2026-03-24T20:46:58.353624Z","times_seen":1,"resource_available":true,"data":null}},"time_used":428,"timings":{"blocked":82,"dns":31,"connect":1,"send":0,"wait":259,"receive":0,"ssl":52},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"i.ibb.co/Qgz4gWL/bb5a9bb4-7e68-4c29-897f-e9c7d1501c57-cleanup-removebg-preview.png","fqdn":"i.ibb.co","domain":"ibb.co","tld":"co"},"ip":{"addr":"45.43.142.5","port":443,"asn":215751,"as":"Mikhail Fedorov","country":"Israel","country_code":"IL"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://subscriberfraudinvestigation.pages.dev/","date":"2026-03-24T20:46:34.373Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"ibb.co","organization":""},"issuer":{"commonName":"E7","organization":"Let's Encrypt"},"validity":{"start":"Sat, 14 Feb 2026 07:06:34 GMT","end":"Fri, 15 May 2026 07:06:33 GMT"},"fingerprint":{"sha1":"48:08:17:3C:24:BE:AF:E3:A7:15:95:2B:10:C7:81:6D:71:75:A1:79","sha256":"5C:C2:85:75:C7:FB:D5:BF:48:B2:53:D1:3F:41:4C:33:F4:A5:D7:7F:D0:00:DA:48:50:93:31:14:32:70:1F:0E"}}},"request":{"raw":"GET /Qgz4gWL/bb5a9bb4-7e68-4c29-897f-e9c7d1501c57-cleanup-removebg-preview.png HTTP/1.1\r\nHost: i.ibb.co\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nReferer: https://subscriberfraudinvestigation.pages.dev/\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\nserver: nginx\r\ndate: Tue, 24 Mar 2026 20:46:34 GMT\r\ncontent-type: image/png\r\ncontent-length: 325864\r\nlast-modified: Wed, 26 Mar 2025 00:12:30 GMT\r\nexpires: Thu, 31 Dec 2037 23:55:55 GMT\r\ncache-control: max-age=315360000, public\r\naccess-control-allow-origin: *\r\naccess-control-allow-methods: GET, OPTIONS\r\naccept-ranges: bytes\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":325864,"size_decoded":0,"mime_type":"image/png","magic":"PNG image data, 567 x 440, 8-bit/color RGBA, non-interlaced","md5":"3d4af6d58a7b433914ba49609390a44c","sha1":"14b89fb53b49b3311f5c4d3c1c9d2fd44eb8df10","sha256":"86e2042793d0c903166acddbc7e15981c12fc1d4e2a5e7f16337013a8de4cd3d","sha512":"c2a4940469d8374c67bc72dc37b6367029d16c3817058a967c52644939cb27ef2ad4b545c9976318c6650d6c6b8abb43944324119117584bca4ba852e5d2aa3d","ssdeep":"6144:LDB977rWVtzhdegKeKzWgsP/9frqPS/c99ij7zuz9dQCfpmGKfUJx:LDEtXegKeKzgluuc3ij7zQeKExfIx","tlshash":"206423f5f3e8868782bac32db641cb1b6c5d505bb930b6a9254e847dc3462ec4e45f2c","first_seen":"2026-03-24T20:46:58.356423Z","last_seen":"2026-03-24T20:46:58.356423Z","times_seen":1,"resource_available":false,"data":null}},"time_used":432,"timings":{"blocked":57,"dns":1,"connect":23,"send":0,"wait":71,"receive":246,"ssl":31},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"subscriberfraudinvestigation.pages.dev/favicon.ico","fqdn":"subscriberfraudinvestigation.pages.dev","domain":"subscriberfraudinvestigation.pages.dev","tld":"pages.dev"},"ip":{"addr":"172.66.47.46","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://subscriberfraudinvestigation.pages.dev/","date":"2026-03-24T20:46:34.567Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"subscriberfraudinvestigation.pages.dev","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Sun, 15 Mar 2026 01:32:43 GMT","end":"Sat, 13 Jun 2026 02:30:19 GMT"},"fingerprint":{"sha1":"60:8E:38:33:B1:00:46:66:4A:CD:78:42:A0:BA:5F:6B:24:E5:E4:72","sha256":"BF:FA:D1:5A:B7:F4:35:70:0B:49:A8:30:10:BD:BB:2F:43:A7:1B:2A:95:66:14:F4:E4:A8:F0:38:32:79:E8:C8"}}},"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: subscriberfraudinvestigation.pages.dev\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nReferer: https://subscriberfraudinvestigation.pages.dev/\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\ndate: Tue, 24 Mar 2026 20:46:34 GMT\r\ncontent-type: text/html; charset=utf-8\r\naccess-control-allow-origin: *\r\ncache-control: public, max-age=0, must-revalidate\r\npriority: u=6,i=?0\r\nreferrer-policy: strict-origin-when-cross-origin\r\nx-content-type-options: nosniff\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=o%2Fp351ixoeiIxSaHTU8NbS1LL5i1oVAiHauCMSTcn8ATqwgMOrPrzCWB9hWI%2BfdaoNsF4wmPTihjPEdoXGeZeU4%2Bi9hPpV6XfYciYL8RPccB3%2BhwT1NFkNjTSyL7B2%2F%2FszOwXZWE\"}]}\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\netag: W/\"6b59f2e9e8a078019d9370a8383bfd68\"\r\ncontent-encoding: br\r\nserver: cloudflare\r\ncf-ray: 9e1886aa0c5c5a0f-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nserver-timing: cfExtPri\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":30635,"size_decoded":0,"mime_type":"text/html; charset=utf-8","magic":"HTML document, ASCII text, with very long lines (1484), with CRLF line terminators","md5":"38cdf22684a32dfc05e338c25a491dc3","sha1":"afe644764adff6ba46d9211fbe4680bf08faed73","sha256":"1b734c7876149b45563123bd6fb798ba0eb99619145d1f93cc1050de5fc978d0","sha512":"1c454e8c23e56a7ab9ca44dd7fbfee56c75507d6ab1c5979e160a941ee8b369b103f32dafcdb21fb24d32be8da440a13dcc0f8072e29bddb4fe42dfb1d32cc70","ssdeep":"384:2S2vVTSJQ1z6qfjvjYU78Xx/DvTCYH96jN41:2dFSglfjvnm/Dv596jC1","tlshash":"50d2b626a69110274173a3b56fe34709faa4a047964346193bed83864ff3838cd63f8d","first_seen":"2026-03-24T20:46:58.353624Z","last_seen":"2026-03-24T20:46:58.353624Z","times_seen":1,"resource_available":true,"data":null}},"time_used":40,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":37,"receive":3,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}