Author Topic: URL:MAL and MAL2 on Capital One 360 Banking site

REDACTED

  • Guest
URL:MAL and MAL2 on Capital One 360 Banking site
« on: February 14, 2017, 10:40:43 PM »
This is the main logon page for Capital One 360 (formerly ING Direct):

https://secure.capitalone360.com/myaccount/banking/login.vm

It has worked fine for years, but today Avast blocked it citing URL:Mal or URL:Mal2, which I understand to be a blacklisted URL. I checked VirusTotal and ZULU URL Risk Analyzer and only ZULU had anything to say. Specifically "suspicious FQDN string" and "Netblock size risk". I'm pretty good, but not good enough to determine the actual risk posed by those two anomalies.

Malwarebytes and Avast's own scan show my PC to be clean. Since this is supposedly a blacklisted URL I wouldn't necessarily expect to find anything on my machine anyway.

Is there a way to determine how/why secure.capitalone360.com has been blacklisted?

Using Firefox 51.0.1 by the way.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34053
  • malware fighter
Re: URL:MAL and MAL2 on Capital One 360 Banking site
« Reply #2 on: February 14, 2017, 11:22:30 PM »
Additional info on SSL: -secure.capitalone360.com
Warnings
RSA remove cross certificates
The certificate chain contains a cross root (primary intermediate) certificate that should be removed.

F-B-F-X-status: https://observatory.mozilla.org/analyze.html?host=secure.capitalone360.com

Quote
Error: Subdomain
`-secure.capitalone360.com` is a subdomain. Please preload `-capitalone360.com` instead. (Due to the size of the preload list and the behaviour of cookies across subdomains, we only accept automated preload list submissions of whole registered domains.)
Error: No HSTS header
Response error: No HSTS header is present on the response.
Error: Too many redirects
There are more than 3 redirects starting from `-https://secure.capitalone360.com`.
Warning: Unavailable over HTTP
The site appears to be unavailable over plain HTTP (-http://secure.capitalone360.com). This can prevent users without a freshly updated modern browser from connecting to the site when they type/follow a URL with the http:// scheme (or with an unspecified scheme). However, this is okay if the site does not wish to support those users.

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
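An added example (my own code, not from this thread, from Mozilla's Observatory or from the HSTS preload checker) that re-derives the three preload findings quoted above from a constructed redirect chain, so it runs offline; the Hop type, the one-year min_age threshold and the example.invalid URLs are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Hop:
    """One response in a redirect chain (constructed sample data, not a real capture)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def preload_findings(https_chain, http_reachable, max_redirects=3, min_age=31536000):
    """Re-derive the preload-scan findings quoted in the post above.
    https_chain: hops starting at the https:// URL, each redirect followed.
    min_age: assumed one-year minimum; adjust to the checker's current rule."""
    findings = []
    final_headers = {k.lower(): v for k, v in https_chain[-1].headers.items()}
    hsts = final_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Error: No HSTS header")
    else:
        d = parse_hsts(hsts)
        if int(d.get("max-age", "0")) < min_age:
            findings.append("Error: HSTS max-age below minimum")
        for needed in ("includesubdomains", "preload"):
            if needed not in d:
                findings.append(f"Error: HSTS header lacks {needed}")
    if sum(1 for h in https_chain if 300 <= h.status < 400) > max_redirects:
        findings.append("Error: Too many redirects")
    if not http_reachable:
        findings.append("Warning: Unavailable over HTTP")
    return findings

# Constructed chain mirroring the quoted report: four redirects, no HSTS, no plain-HTTP listener.
SAMPLE_CHAIN = [
    Hop("https://example.invalid/", 302),
    Hop("https://example.invalid/a", 302),
    Hop("https://example.invalid/b", 302),
    Hop("https://example.invalid/c", 302),
    Hop("https://example.invalid/login", 200, {"Content-Type": "text/html"}),
]
# Constructed chain that would pass: single 200 with a complete HSTS policy.
GOOD_CHAIN = [Hop("https://example.invalid/", 200,
                  {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})]
```

Calling `preload_findings(SAMPLE_CHAIN, http_reachable=False)` yields the same three findings as the quoted report; replacing the constructed hops with headers captured from a real request gives a quick offline re-check before re-submitting a domain.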

REDACTED

  • Guest
Re: URL:MAL and MAL2 on Capital One 360 Banking site
« Reply #3 on: February 14, 2017, 11:36:54 PM »
Wow, thanks for the fast response. I guess all I can do at this point is a) try to find some useful e-mail address at capone to let them know and b) bypass the protection so I can actually do my banking. It's an online-only bank so I don't have much choice.

Some questions:

Quote
It is on the Clean MX blacklist
https://www.virustotal.com/en/url/310b16438b246376fe0e68404f19008ab4c36f4983987b15b9ed39480fd1fd18/analysis/

That report is for https://secure.capitalone360.com/AdWizard/invoke/adwizard.gif. If this specific tracking gif is blacklisted, does that roll up to the entire domain? Clearly Capital One - whatever its flaws - is not a phishing operation. But Clean MX found whatever it found which is fine. If they're essentially blacklisting all of secure.capitalone.com, though, can that be corrected? Is it just a matter of Cap One's admins getting enough complaints that they finally fix their stuff?

I expect that the above blacklist is the reason for my Avast notice.

Quote
Weak signature (really bad practise for a bank) : https://www.ssllabs.com/ssltest/analyze.html?d=secure.capitalone360.com
F-B-F-X-status: https://observatory.mozilla.org/analyze.html?host=secure.capitalone360.com

And these probably point to why Firefox and Chrome complain.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34053
  • malware fighter
Re: URL:MAL and MAL2 on Capital One 360 Banking site
« Reply #4 on: February 15, 2017, 12:09:28 AM »
There are scan errors on that site, and probably the adwizard invoke is also being flagged as adware or PUP (pop-up adware).

The reason for the block and what malware code exactly was flagged we should hear from an Avast Team Member, as they are the only ones that can block/unblock. We are just volunteers with relevant info.

Quote
Note! The scan has detected URL(s) from your site and/or IP in Phishing DBs -
This link (invalid) Flagged URL(s)? will open a utility that will list out any URL(s) from your domain that are listed in Phishing DBs and tell you if Google is currently flagging the URL.
from Redleg's filescanner alerts.

polonus