Author Topic: URL: Card Stealer  (Read 1549 times)


Offline ChuckAZUSA

  • Newbie
  • *
  • Posts: 1
URL: Card Stealer
« on: February 13, 2024, 03:24:38 PM »
New here, so pardon me if I violate any of the norms.  When I open www.apptivo.com from multiple browsers, Avast warns me that it has blocked a threat from cloudfront.net (there is a long preface to that, which I'll omit for brevity's sake).  Avast says it was blocked because it is infected with URL: CardStealer.  I reported to Apptivo, who gave me what seems like nonsense, which was to clear my browser cache, then maybe that it was a false flag, but I'd feel better if I heard from other users that may have seen something similar with Apptivo.

« Last Edit: February 13, 2024, 03:28:31 PM by ChuckAZUSA »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: URL: Card Stealer
« Reply #1 on: February 13, 2024, 04:27:05 PM »
Website is down …. Why? Maybe detection was correct

https://downforeveryoneorjustme.com/apptivo.com?proto=http&www=1

No screenshot of website/could not be scanned/empty response
https://urlscan.io/result/2d0f23ba-b31c-4631-a91a-fec83d5c92ef/

« Last Edit: February 13, 2024, 04:29:41 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89645
  • No support PMs thanks
Re: URL: Card Stealer
« Reply #2 on: February 13, 2024, 05:52:52 PM »
New here, so pardon me if I violate any of the norms.  When I open wXw.apptivo.com from multiple browsers, Avast warns me that it has blocked a threat from cloudfront.net (there is a long preface to that, which I'll omit for brevity's sake).  Avast says it was blocked because it is infected with URL: CardStealer.  I reported to Apptivo, who gave me what seems like nonsense, which was to clear my browser cache, then maybe that it was a false flag, but I'd feel better if I heard from other users that may have seen something similar with Apptivo.

Please break active links to suspect sites to avoid accidental exposure, only post the domain-name or change the www or https to wXw or hXXpc to break the link (as I have in the quoted text).

This is a strange one, see the attached image of the alert window with the Detail option selected.

Strange in that it is a redirect to a subdomain of cloudfront.net and the favicon.ico appears to be doing something that it shouldn't, e.g. not just displaying an icon.  Why is beyond me, but I'm always suspicious of the favicon.ico doing something other than display an image/icon.  This domain would appear to be looking like or portraying to be cloudflare a common

Whilst this isn't for the same sub.domain I think it is related as it appears that cloudfront.net is an Amazon Content Delivery network (CDN).
https://www.reddit.com/r/cybersecurity/comments/dsf43y/what_is_d31qbv1cthcecs_cloudfront_net/

That said, as far as I'm concerned the favicon.ico should be doing nothing other than displaying a site's icon in the browser.  Anything else to me is suspect and against what the favicon.ico file should have in it.  A very long time ago this was a common means of delivering/running malware code when you opened a site.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.8.6127 (build 24.8.9372.870) UI 1.0.818/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
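
An added example, not part of the original post and not Avast's detection logic: one way to check offline whether bytes saved from a favicon.ico response are really just an icon, as the reply above expects. The function name, the marker list and the sample byte strings are assumptions constructed for illustration.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Heuristic byte strings that have no business inside an icon file.
SCRIPT_MARKERS = (b"<script", b"<html", b"<?php", b"eval(", b"document.")

def inspect_favicon(data: bytes) -> list:
    """Return findings for bytes served as favicon.ico; empty list = plain icon."""
    findings = []
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            findings.append(f"script-like marker {marker.decode()!r} present")
    # PNG, GIF or JPEG served under the favicon name is common and accepted here.
    if data.startswith(PNG_MAGIC) or data[:6] in (b"GIF87a", b"GIF89a") or data[:3] == b"\xff\xd8\xff":
        return findings
    if len(data) < 6:
        return findings + ["too short to be an icon"]
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)  # ICONDIR
    if reserved != 0 or kind != 1 or count == 0:
        return findings + ["not an ICO container (bad header)"]
    dir_end = 6 + 16 * count
    if len(data) < dir_end:
        return findings + ["ICO directory truncated"]
    last_byte = dir_end
    for i in range(count):
        # Bytes 8..15 of each ICONDIRENTRY: image size and file offset.
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        if offset < dir_end or offset + size > len(data):
            findings.append(f"entry {i}: image data outside file")
            continue
        body = data[offset:offset + size]
        is_bmp = len(body) >= 4 and struct.unpack_from("<I", body)[0] == 40
        if not (body.startswith(PNG_MAGIC) or is_bmp):
            findings.append(f"entry {i}: payload is neither PNG nor BMP")
        last_byte = max(last_byte, offset + size)
    if last_byte < len(data):
        findings.append(f"{len(data) - last_byte} trailing bytes after last image")
    return findings

# Constructed samples (not taken from the site discussed in this thread).
_BMP = struct.pack("<I", 40) + b"\x00" * 44  # minimal BITMAPINFOHEADER stub
GOOD_ICO = struct.pack("<HHH", 0, 1, 1) + struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(_BMP), 22) + _BMP
FAKE_ICO = b"<html><script>/* constructed */</script></html>"
PADDED_ICO = GOOD_ICO + b"PAYLOAD-PLACEHOLDER"

if __name__ == "__main__":
    for name, blob in (("good", GOOD_ICO), ("fake", FAKE_ICO), ("padded", PADDED_ICO)):
        print(name, inspect_favicon(blob))
```

An empty result only means the file is structurally an icon; it says nothing about the page or redirect that referenced it.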

Offline design_ink

  • Newbie
  • *
  • Posts: 6
Re: URL: Card Stealer
« Reply #3 on: February 14, 2024, 01:36:34 AM »
I am also new here but have encountered the same warning from Avast today when bringing up the above website.  Could someone please confirm whether it is safe to log in (given the warning says that multiple threats have apparently been blocked by Avast), or is the website currently compromised and therefore I should steer clear.  I have no idea about this sort of thing....  Thanks!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89645
  • No support PMs thanks
Re: URL: Card Stealer
« Reply #4 on: February 14, 2024, 01:46:43 AM »
I am also new here but have encountered the same warning from Avast today when bringing up the above website.  Could someone please confirm whether it is safe to log in (given the warning says that multiple threats have apparently been blocked by Avast), or is the website currently compromised and therefore I should steer clear.  I have no idea about this sort of thing....  Thanks!

I don't think anyone here who responded (Avast Users) can advise you if it is safe to log into the site if it is causing the redirect to another unknown site.

You say "the warning says that multiple threats have apparently been blocked by avast", if you have screenshots of these alerts/threats then attach them, information is king so they can be analysed.

- Attaching Images to your post - When you Click the Reply button it opens a text window for you to post your comment (reply or post).
Click the Preview button, that shows what you have input and expands it to include 'Attachments and other options'. Click that it further expands, here you can attach images, etc. at the bottom of your post.
See my attached image, click to expand.

Offline design_ink

  • Newbie
  • *
  • Posts: 6
Re: URL: Card Stealer
« Reply #5 on: February 14, 2024, 02:09:22 AM »
Hi David,
Thank you for your quick reply.  Hopefully I have attached the info you asked for - the first screen shot is from the login page, the other 3 are from another random page from the Apptivo website that came up when I typed in 'Apptivo card stealer' into google.  Thought I would test another page (other than the login page) to see if it too had a threat, and as you can see, it had/has 3...!  ps I tried to upload all 4 images, but they are too large, so hopefully 2 have come through below.  Let me know if you would like me to post the other 2.

Offline design_ink

  • Newbie
  • *
  • Posts: 6
Re: URL: Card Stealer
« Reply #6 on: February 14, 2024, 02:10:56 AM »
Looks like I have to do them one by one...

Offline design_ink

  • Newbie
  • *
  • Posts: 6
Re: URL: Card Stealer
« Reply #7 on: February 14, 2024, 02:11:37 AM »
Third one...

Offline design_ink

  • Newbie
  • *
  • Posts: 6
Re: URL: Card Stealer
« Reply #8 on: February 14, 2024, 02:12:24 AM »
And the final one.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5719
  • Spartan Warrior
Windows 11 Home 23H2
Windows 11 Pro 23H2
Avast Premier Security version 24.8.6127 (build 24.8.9372.868)
UI version 1.0.814

Offline design_ink

  • Newbie
  • *
  • Posts: 6
Re: URL: Card Stealer
« Reply #10 on: February 15, 2024, 02:24:56 AM »
FYI Apptivo thanked me for reporting the issue initially then emailed me some hours later to say that 'our team has confirmed that the loading of cloudfront.net URLs on the site is secure.  We utilise AWS CDN for hosting our website images.'  I am waiting to hear back as to whether they mean that they believe the Avast alerts are false alerts, or whether they mean that their team have found and removed the malware.  I suspect they are suggesting that the Avast alerts are false/incorrect.  If that is the case, how do I know that is true and that the site is safe and secure to use?

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5719
  • Spartan Warrior
Re: URL: Card Stealer
« Reply #11 on: February 15, 2024, 06:35:12 AM »
You can report this site to Avast Labs here:  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Please report back.