Avast WEBforum

Other => Viruses and worms => Topic started by: Yanto.Chiang on August 15, 2013, 08:30:51 PM

Title: Phishing Webmail was found again
Post by: Yanto.Chiang on August 15, 2013, 08:30:51 PM
Dear All,

Early this morning, when I wanted to log in to my webmail on Yahoo Mail, I accidentally mistyped the Yahoo Mail address and was redirected to: hxxps://login.yahoo.com/config/login_verify2?&.src=ym&.intl=us

After that Avast warned me that this link is a phishing site, and according to VirusTotal there are 2 URL scanners that detected it as a phishing site:

hxxps://www.virustotal.com/en/url/afddb2e32008c14884fc95131079e9c0b6339cb81ad1bf22c78ffea427f27c03/analysis/

Is it true that the above Yahoo login page is a phishing site?
Title: Re: Phishing Webmail was found again
Post by: Secondmineboy on August 15, 2013, 08:38:35 PM
Maybe you landed on a fake Yahoo site which is hosted by criminals. :D
Title: Re: Phishing Webmail was found again
Post by: Secondmineboy on August 15, 2013, 08:43:49 PM
It is actually reported as a phishing URL on PhishTank.

I cannot say if the site is really malicious, because the original site looks exactly like this site.

We have to wait for a Website Analyst.

Title: Re: Phishing Webmail was found again
Post by: polonus on August 15, 2013, 08:50:44 PM
Confirmed here: http://support.clean-mx.de/clean-mx/phishing.php?id=1257489  but given now as dead!
Came from torrent shares!
See potentially suspicious: http://quttera.com/detailed_report/login.yahoo.com
s.yimg dot com/rq/darla/2-4-4/js/darla-secure-pre-min.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method unescape <code> __tmpvar753393073 = unescape; <code/>

Blacklisted by Phishtank -See ODS alerts here: https://urlquery.net/report.php?id=208844 -> ssp_ssl: Invalid Client HELLO after Server HELLO Detected
and  ssp_ssl: Invalid Client HELLO after Server HELLO Detected
Check the DB connection variables in base_conf.php

= $alert_dbname   : MySQL database name where the alerts are stored
= $alert_host     : host where the database is stored
= $alert_port     : port where the database is stored
= $alert_user     : username into the database
= $alert_password : password for the username


polonus
Title: Re: Phishing Webmail was found again
Post by: Secondmineboy on August 15, 2013, 08:52:26 PM
I wrote just a second ago that we have to wait for you, but we can forget that now........ ;D
Title: Re: Phishing Webmail was found again
Post by: polonus on August 15, 2013, 09:00:40 PM
Hi Steven Winderlich,

I was just investigating while I was at "the other side of your screen", so to say ;D.
Basically all three of us have now arrived at the same conclusion,
that this here is a "valid phish detection".
Users always have to check their links before clicking them.
I always do a link pre-scan when venturing out where I have not been before.
I do not want to be clubbed over the head with malcode in a dark website alley, well on a dark site URI rather  8)

polonus
Title: Re: Phishing Webmail was found again
Post by: polonus on August 15, 2013, 09:38:42 PM
Just reported by our good friend Pondus, look at the differences for protocol (http versus https)

https://www.virustotal.com/en/url/6327c50fc446cce5f2c79eee81675e7d91636a240d81633fb58ad2c974c47f89/analysis/1376593662/

https://www.virustotal.com/en/url/bd7639c34ea3480a8aad704306c8870161761506ad948ac6fa037b83cff22d37/analysis/1376593737/

Good observation, Pondus -> http://login.yahoo.com/   https://login.yahoo.com/config/login_verify2?
see: http://urlquery.net/queued.php?id=37823543

Other Norwegian IP yahoo malcode here: http://urlquery.net/report.php?id=58980 -> FILEMAGIC Macromedia Flash data (compressed),

polonus
Title: Re: Phishing Webmail was found again
Post by: Secondmineboy on August 15, 2013, 09:51:13 PM
Interesting find from Pondus. Good Work. ;)

Here is something else to look over: http://forum.avast.com/index.php?topic=132452.new#new
Title: Re: Phishing Webmail was found again
Post by: Yanto.Chiang on August 16, 2013, 04:39:29 PM
Hi Polonus and Pondus,

How are you doing?

Long time since we chatted with each other; anyway, if this website is surely a malicious one, then this link would be dangerous for other users.
Title: Re: Phishing Webmail was found again
Post by: Secondmineboy on August 16, 2013, 04:43:44 PM
Yes, that's right. Avast is protecting us against it, but maybe other vendors don't detect it.........
Title: Re: Phishing Webmail was found again
Post by: polonus on August 16, 2013, 09:52:36 PM
Hi there, Yanto.Chiang,

How are you doing, tuan basar? Long time since you've been out here. Yes, the link is dangerous and rightly blocked by the avast av solution!
The avast! Shields protection is advanced and a first line of protection because it blocks access to the malcode, so your machine won't even see this.
Stay safe and secure is the wish of,

polonus
Title: Re: Phishing Webmail was found again
Post by: fusion-pc on August 17, 2013, 04:23:48 AM
Hello, I'm new here but I came into these forums because of the same concern. Here's something worth noting:

https://login.yahoo.com/config/login_verify2?&.src=ym&.intl=us 
is marked as a Phishing site, while

https://login.yahoo.com/config/login_verify2?.intl=us&.src=ym

is not reported as a Phishing site. Obviously these 2 URLs are nearly identical, so can we get this false alert cleared?

Thanks!
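The two spellings fusion-pc compares differ only in the order of the query parameters and a stray leading "&", which is exactly the kind of difference that a reputation service keyed on a hash of the URL string as submitted will treat as two unrelated addresses (that the lookup is keyed this way is an assumption, suggested by the distinct VirusTotal report IDs above, not something the thread establishes). The following is an added example, not code from the thread or from any of the scanners named in it: it canonicalises a URL before hashing it, so the two spellings collapse to one lookup key, while http:// and https:// are deliberately kept distinct, since Pondus' comparison shows the protocol mattered here. The blocklist it consults is constructed inline.

```python
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def canonical_url(url: str) -> str:
    """Normalise a URL so that cosmetically different spellings of the same
    address collapse to one string: lower-case scheme and host, default port
    dropped, empty query members dropped, query parameters sorted by name,
    fragment removed.  The scheme is kept, so http:// and https:// stay distinct."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default = {"http": 80, "https": 443}.get(scheme)
    if port is not None and port != default:
        host = f"{host}:{port}"
    path = parts.path or "/"
    # parse_qsl silently drops the empty member produced by a leading "&", so
    # "?&.src=ym&.intl=us" and "?.intl=us&.src=ym" yield the same pairs once sorted.
    pairs = sorted(parse_qsl(parts.query, keep_blank_values=True))
    query = urlencode(pairs)
    return urlunsplit((scheme, host, path, query, ""))


def raw_id(url: str) -> str:
    """Lookup key of a service that hashes the URL exactly as submitted (assumption)."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def canonical_id(url: str) -> str:
    """Lookup key after canonicalisation."""
    return hashlib.sha256(canonical_url(url).encode("utf-8")).hexdigest()


def is_listed(url: str, blocklist: set) -> bool:
    """True if the canonical form of ``url`` is on a blocklist of canonical IDs."""
    return canonical_id(url) in blocklist


# The two spellings from the thread, plus the http:// variant Pondus compared.
FLAGGED = "https://login.yahoo.com/config/login_verify2?&.src=ym&.intl=us"
NOT_FLAGGED = "https://login.yahoo.com/config/login_verify2?.intl=us&.src=ym"
HTTP_VARIANT = "http://login.yahoo.com/"

if __name__ == "__main__":
    # Constructed blocklist holding only the flagged spelling, keyed on the raw string.
    raw_list = {raw_id(FLAGGED)}
    print("raw lookup, flagged spelling:   ", raw_id(FLAGGED) in raw_list)
    print("raw lookup, reordered spelling: ", raw_id(NOT_FLAGGED) in raw_list)
    # Same list, keyed on the canonical form: the reordered spelling now matches.
    canon_list = {canonical_id(FLAGGED)}
    print("canonical lookup, reordered:    ", is_listed(NOT_FLAGGED, canon_list))
    print("canonical form:", canonical_url(FLAGGED))
    print("http and https canonicalise differently:",
          canonical_id(HTTP_VARIANT) != canonical_id("https://login.yahoo.com/"))
```

Whether a vendor should canonicalise this aggressively is a policy choice: sorting parameters is safe for a login page like this one, but a site that keys behaviour on parameter order would lose a distinction, so the normalisation a practitioner applies should be documented alongside the list it feeds.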
Title: Re: Phishing Webmail was found again
Post by: polonus on August 17, 2013, 02:06:34 PM
In the code this is reported by Quttera as potentially suspicious: s.yimg.com/rq/darla/2-4-4/js/darla-secure-pre-min.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method unescape <code> __tmpvar1618404809 = unescape; <code/>
see: http://jsunpack.jeek.org/?report=c2f9ddca817ad2650e0c1afe5a5a87f9a421448f (go to the link with the NoScript and RequestPolicy extensions active in the browser, and in a VM or sandbox): and an undefined here: [code] <p> Error Code: 404 </p> <p> Error Message: ObjectNotFoundException: thrown from MetaDB.cc,209: Could not get object</p> [/code]
and this is a CSS issue in the loading of the Gallery component for the Yahoo! CDN
The 404 is valid because the file does not exist.

The docs are incorrect; it looks like the version number is not in the URIs:

http://yui.yahooapis.com/3.5.1/build/tabview/assets/skins/night/tabview.css
http://yui.yahooapis.com/3.5.1/build/datatable/assets/skins/night/datatable.css  info Dav Glass YUI3 GitHub project

polonus


Title: Re: Phishing Webmail was found again
Post by: polonus on August 17, 2013, 02:22:47 PM
Also consider the security issues with these iFrames
1. <iframe([^>
Firekeeper alert: === Triggered rule ===
alert(url_content:"%3Ciframe"; nocase; msg:"<iframe> tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://www.google.com/search?client=flock&channel=fds&q=%3Ciframe%28%5B%5E%3E+&ie=utf-8&oe=utf-8&aq=t

2. <iframe id="'+j+'" name="'+j+'" />
Firekeeper alert:
=== Triggered rule ===
alert(url_content:"%3Ciframe"; nocase; msg:"<iframe> tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://ajax.googleapis.com/ajax/services/search/web?v=1.0&key=ABQIAAAADQJp_C6OaW6hvHOMrOnyTRSJ36dQUZSEtUNltVpyNDSTnR8ihRSMP6upCTiKY-Eecqqq5JsdgenlYg&q=%3Ciframe+id%3D%22%27%2Bj%2B%27%22+name%3D%22%27%2Bj%2B%27%22+%2F%3E+

3. <iframe(.*?)>
Firekeeper alert:
=== Triggered rule ===
alert(url_content:"%3Ciframe"; nocase; msg:"<iframe> tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://search.twitter.com/search.json?q=%3Ciframe%28.*%3F%29%3E+&rpp=5

polonus
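The Firekeeper rule quoted in the post above is a pattern match on the percent-encoded request URL (a substring test for `%3Ciframe`, then the regex `/%3Ciframe.*%3E/i`), and every request URL it fired on in the post is a search query whose `q` parameter carries the encoded `<iframe` fragment. As an added example, not code from the post or from Firekeeper, the following reimplements that rule in Python and puts a decoding-aware variant beside it: the posted rule never sees a double-encoded tag, because the raw string then contains `%253C` rather than `%3C`. The two search URLs are taken from the post; the `example.test` double-encoded URL is a constructed input.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Rule as posted: a case-insensitive substring test on the encoded URL,
# followed by the regex /%3Ciframe.*%3E/i, also on the encoded URL.
URL_CONTENT = "%3ciframe"
URL_RE = re.compile(r"%3Ciframe.*%3E", re.IGNORECASE)


def firekeeper_iframe_rule(request_url: str) -> bool:
    """Reimplementation of the posted rule, applied to the raw request URL."""
    return URL_CONTENT in request_url.lower() and URL_RE.search(request_url) is not None


IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)


def decoded_iframe_check(request_url: str, max_rounds: int = 3) -> bool:
    """Hardened variant: look for an <iframe ...> tag in each query value after
    percent-decoding, repeating the decode a bounded number of times so that a
    double-encoded payload (%253Ciframe...) is still seen.  The bound keeps a
    pathological input from costing unbounded decode passes."""
    for _name, value in parse_qsl(urlsplit(request_url).query, keep_blank_values=True):
        candidate = value  # parse_qsl has already removed one layer of encoding
        for _ in range(max_rounds):
            if IFRAME_TAG.search(candidate):
                return True
            decoded = unquote(candidate)
            if decoded == candidate:  # nothing left to decode
                break
            candidate = decoded
    return False


# Request URLs from the post: searches for the fragments quoted there.
SEARCHES = [
    "http://www.google.com/search?client=flock&channel=fds&q=%3Ciframe%28%5B%5E%3E+&ie=utf-8&oe=utf-8&aq=t",
    "http://search.twitter.com/search.json?q=%3Ciframe%28.*%3F%29%3E+&rpp=5",
]
# The login URL the thread is about.
YAHOO_LOGIN = "https://login.yahoo.com/config/login_verify2?&.src=ym&.intl=us"
# Constructed input, not from the thread: the same tag encoded twice.
DOUBLE_ENCODED = "http://example.test/search?q=%253Ciframe%2520src%253Dx%253E"


def evaluate(urls):
    """Map each URL to (posted rule fired, decoding-aware check fired)."""
    return {u: (firekeeper_iframe_rule(u), decoded_iframe_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (raw_hit, decoded_hit) in evaluate(SEARCHES + [YAHOO_LOGIN, DOUBLE_ENCODED]).items():
        print(f"posted rule={raw_hit!s:5}  decoded check={decoded_hit!s:5}  {url}")
```

Run stand-alone, the script shows both checks firing on the two search URLs, neither firing on the Yahoo login URL, and only the decoding-aware check catching the double-encoded tag. The rule is therefore a heuristic on what the browser asks for, not evidence about the page being examined: searching for an `<iframe` snippet is enough to trigger it.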
Title: Re: Phishing Webmail was found again
Post by: polonus on August 17, 2013, 02:29:02 PM
Checked here: Website Phishing Check

This program tests a website or web pages for phishing.

Result : https://login.yahoo.com/config/login_verify2?&.src=ym&.intl=us is not listed as a phishing site
(This application uses APIs from phishtank.com)

If you think there is an error above, please contact the OpenDNS database where this is listed.

pol
Title: Re: Phishing Webmail was found again
Post by: 129260 on August 21, 2013, 03:12:02 AM
I accidentally added it to the trust domain list when getting the popup. I know there is no way to remove it currently.

any suggestions?
Title: Re: Phishing Webmail was found again
Post by: GTX66 on August 21, 2013, 03:36:36 AM
I am getting warnings on the Yahoo Mail Watcher add on.
Title: Re: Phishing Webmail was found again
Post by: Secondmineboy on August 21, 2013, 10:43:58 PM
Under Web Shield > Settings > Exclusions there should be an option to remove that site from the Exclusion List.
Title: Re: Phishing Webmail was found again
Post by: 129260 on August 22, 2013, 10:21:08 PM
Under Web Shield > Settings > Exclusions there should be an option to remove that site from the Exclusion List.

Nope, not there. Thanks though. I looked in every exclusion list and did not find one.