Author Topic: Dangerous websites to block  (Read 8901 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34053
  • malware fighter
Re: Dangerous websites to block
« Reply #15 on: March 20, 2018, 12:42:22 AM »
There is a pattern here for this type of PHISHING mail spam abuse.

A WhoisGuard Protected address from Panama registered at namecheap dot com.

So mail can pretend to come from any place, the Netherlands for instance, but it is phrased in English.

Website - coming soon - only used as a webservice for targeted survey spam (tourist information survey to be filled out etc.), in most cases landing right in your mail junk folder, so you'd just delete it without clicking.

Registrar here: http://whois.domaintools.com/newshall.net
Former UPC - Kralovehradecky Kraj - Cernilov - Ing. Petr Sramek - Spcom Cernilov
Liberty Global Operations
-77.48.123.120 is hosted on a dedicated server  mail address: news AT newshall dot net
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.2.2
22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
25/tcp open  smtp    Exim smtpd 4.89
53/tcp open  domain  ISC BIND get lost
80/tcp open  http    nginx
| http-methods:
|_  Potentially risky methods: TRACE

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Christophe2

  • Jr. Member
  • **
  • Posts: 44
Re: Dangerous websites to block
« Reply #16 on: March 20, 2018, 10:30:40 PM »
Hi,

The bug is still here.

Best Regards

Chris

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Dangerous websites to block
« Reply #17 on: March 23, 2018, 06:47:26 AM »
I am aware of that. I have found a couple of obstacles on the way, so it will take longer than I thought. I will keep you guys updated.

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Dangerous websites to block
« Reply #18 on: March 26, 2018, 07:45:03 AM »
Woohoo!
The new version of our backend with the fix has just been released and I can confirm that facepirater[.]com is getting a red exclamation mark instead of a green tick.


Offline Christophe2

  • Jr. Member
  • **
  • Posts: 44
Re: Dangerous websites to block
« Reply #19 on: August 29, 2018, 10:37:25 AM »
Hi,

Please see the dangerous URLs that should be added to your database urgently; they are all phishing websites:
Thanks

Best Regards
« Last Edit: August 31, 2018, 10:01:42 AM by Christophe2 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34053
  • malware fighter
Re: Dangerous websites to block
« Reply #20 on: August 29, 2018, 11:07:54 PM »
Hi Christophe2,

Merci bien, thank you very much for the heads-up,

polonus

Offline Christophe2

  • Jr. Member
  • **
  • Posts: 44
Re: Dangerous websites to block
« Reply #21 on: August 30, 2018, 08:42:36 AM »
Hi,

You are welcome, when will these be added to the database please?

Thanks

Best Regards


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34053
  • malware fighter
Re: Dangerous websites to block
« Reply #22 on: August 30, 2018, 03:16:59 PM »
Hi Christophe2,

Your question is when these will be added to the avast database?
That is up to those responsible for the avast database, so one of the avast team members to do this.
We are just volunteers here with relative knowledge, but we cannot add nor block, just report.
For (un)blocking they are mostly known to react quickly  ;)

I checked them at: https://phishcheck.me/submit/ to see whether I could get a "{"is_success": true, "sid": 103190}" as for -facepirater.com & "{"is_success": true, "sid": 103193}" for -theft4me.is etc.

So there is real PHISHING luring behind these URLs. Example - -facepirater.com
See: https://www.virustotal.com/#/url/9ea414b973c3310d3fbad11ab95db785272dfb5da5a1822adb3c5421626368c0/details
Phishing through embedded youtube link. Dr.Web   gives it as a "not recommended site".

See for instance why this website is dangerous: https://phishcheck.me/103297/details
PhishCheck thinks this URL is likely a phish.

Also see: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Z2dnZ2dnZ2dnZ2dnZ2dnaGdqZ2poZ3l5eXl5LjAwMHd7Ymhdc3R8cHAuXl1tYF5ofHN7XzIwMThgc3tedX17LV1ubFtuey1eaHxzey5CfG5rYHNbZ24tXW5gc3tedX17YFQuR117YF1ubFtuey0jfHR8Lmh0bWw%3D~enc

Google Analytics & stats.doubleclick dot net abuse, see: https://webcookies.org/cookies/ggggggggggggggghgjgjhgyyyyy.000webhostapp.com/19355592

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)


« Last Edit: August 30, 2018, 06:18:41 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34053
  • malware fighter
Re: Dangerous websites to block
« Reply #23 on: August 30, 2018, 06:52:20 PM »
The following scan results aren't that outspoken: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=c1teeltuey5eXW0%3D~enc    well there is
Quote
320: <noscript><p><img alt="Clicky" width="1" height="1" src="hxxp://in.getclicky.com/101044534ns.gif" /></p></noscript>
No malware as such: https://www.virustotal.com/#/url/b0d83f92342befc2ef7a70bdcab23406f18f9e226e1ad9f44b1cf1d0dea73556/detection
Consider: https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Freport-uri.cloudflare.com%2Fcdn-cgi%2Fbeacon%2Fexpect-ct
and on that IP: https://www.virustotal.com/#/ip-address/104.19.199.151  (spreading malware this August).

various errors
Quote
   -static.getclicky.com/js
     info: [img] -in.getclicky.com/101044534ns.gif
     info: [decodingLevel=0] found JavaScript
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <!DOCTYPE html>
          error: line:3: ..............^

Quote
(script) -siczine.com/content/hbox/js/fb-personal.js
     status: (referer=-siczine.com/)saved 23243 bytes b379d9761148c8230db5476a76886f3576ba21c6
     info: [javascript variable] URL=localhost:51070/api/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable $
     error: undefined function $
     suspicious: maxruntime exceeded 10 seconds

Quote
-siczine.com/content/hbox/js/jquery.loadTemplate.js
     status: (referer=-siczine.com/)saved 19034 bytes 502c41395ed063a9abcd44b4a912425bd134d7fe
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable $.fn
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var $.fn = 1;
          error: line:1: ....^
     file: 502c41395ed063a9abcd44b4a912425bd134d7fe: 19034 bytes
Quote
(script) siczine.com/scripts/spectragram.min.js
     status: (referer=-siczine.com/)saved 2973 bytes 6af5bb8c89ac5bb8c647f6af983b370bb34784dd
     info: [img] -siczine.com/scripts/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable jQuery.fn
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var jQuery.fn = 1;
          error: line:1: ....^
     file: 6af5bb8c89ac5bb8c647f6af983b370bb34784dd: 2973 bytes

2 vulnerable jQuery libraries found: https://retire.insecurity.today/#!/scan/0da7a124ea8da3e2d5d5f9cd18a1f3c6e64222d4057885d9481d192c40b38cae

polonus (volunteer website security analyst and website-error-hunter)

Offline Christophe2

  • Jr. Member
  • **
  • Posts: 44
Re: Dangerous websites to block
« Reply #24 on: August 30, 2018, 07:49:13 PM »
Thanks a lot!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: Dangerous websites to block
« Reply #25 on: August 30, 2018, 07:59:17 PM »
Quote
Please see the dangerous URLs that should be added to your database urgently; they are all phishing websites:
How to report FAQ  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34053
  • malware fighter
Re: Dangerous websites to block
« Reply #26 on: August 31, 2018, 12:32:53 AM »
Hi Pondus, my good avast forum friend,

Thank you, Pondus, for pointing at that link. Also PM-ed about the above interesting contribution by Christophe2.
Checked all those domains and they deserve attention (well not in a positive way that is  ;D )

Autumn coming, saw some real big mushrooms today. How's that in Norway?
Keep safe and secure both online and offline,

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34053
  • malware fighter
Re: Dangerous websites to block
« Reply #27 on: September 02, 2018, 12:49:04 AM »
Seems they have been flagged in Avast Secure Browser,

polonus