Author Topic: Dangerous websites to block  (Read 8295 times)


Offline Christophe2

  • Jr. Member
  • **
  • Posts: 44
Dangerous websites to block
« on: March 17, 2018, 08:10:16 PM »

hackingloops*com
wifipasser*com

These URLs are all scams and dangerous; some are redirecting to offers with porn games!

Please update your database urgently!

Thanks

Chris
« Last Edit: March 29, 2018, 10:33:10 PM by Christophe2 »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76035
    • >>>  Avast Forum - German-language section  <<<
Re: Dangerous websites to block
« Reply #1 on: March 17, 2018, 08:47:33 PM »
-> https://support.avast.com/article/258/ (Reporting Malware Samples)
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline Christophe2

Re: Dangerous websites to block
« Reply #2 on: March 17, 2018, 08:50:41 PM »
Hi,

I did, but got no answer, and the websites are still not blocked!

It's urgent!

Thanks

Chris

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Dangerous websites to block
« Reply #3 on: March 17, 2018, 09:45:55 PM »
I have blocked most of the URLs now.
Just to point a couple of things out:
- we do not normally reply to malware submissions, so the "no answer" status is perfectly normal;
- some of the URLs are not scammy in any way and therefore there is no reason for them to be blocked;
- some of the URLs are at least 2 years old (so there is little urgency);
- some of the URLs have been blocked for a couple of years already.
H.

Offline Christophe2

Re: Dangerous websites to block
« Reply #4 on: March 18, 2018, 09:30:28 AM »
Hi,


Thanks

Chris
« Last Edit: March 29, 2018, 10:33:59 PM by Christophe2 »

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: Dangerous websites to block
« Reply #5 on: March 18, 2018, 02:34:28 PM »
Hi Christophe2,

When we look for instance at facepirater*com, we see that the origin of the website has been hidden through PrivacyGuardian dot org.
Re: https://www.scamadviser.com/check-website/facepirater.com

Moreover full of errors and alerts here: https://privacyscore.org/site/94025/

Cloudflare abuse and considerable risk here: https://toolbar.netcraft.com/site_report?url=dc-ec1241b79c0a.facepirater.com
Hosted from Bulgaria through -blue.warez-host.com  with ethical problems for warez and phishing involved: https://community.homeaway.com/thread/6557

Also consider: https://urlscan.io/domain/facepirater.com  Nothing hosted on and nothing talking to this domain.
151 PHISHING alerts for IP: https://checkphish.ai/ip/104.24.120.59  (plain request cloudflare-nginx abuse).

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Christophe2

Re: Dangerous websites to block
« Reply #6 on: March 18, 2018, 05:26:51 PM »
Hi,

Thanks for your reply.

This website phishes credit card information with a fake credit card form.

It should be blocked urgently!

Thanks

Best Regards

Chris

Online polonus

Re: Dangerous websites to block
« Reply #7 on: March 18, 2018, 07:00:38 PM »
Thank you for the heads-up on these "hidden location" domains, Christophe2,
because that "" is the common denominator here,
and domains that have something to hide are suspicious by our standards,
and also cannot be trusted as a rule of thumb.

For just another website (from the country I reside in, from Roosendaal in the Netherlands),
one domain which you provided for us to look into:
https://www.scamadviser.com/check-website/wifipasser.com

The website location is being hidden by Panamanian Whois Guard Protected Ltd.
Deemed to be popular but with a very low trust rating ('naturellement revenant'  :o )

CMS issues and misconfiguration:
Quote
Warning  Directory Indexing Enabled

In the test we attempted to list the directory contents of the uploads
and plugins folders to determine if Directory Indexing is enabled.

This is an information leakage vulnerability that can reveal sensitive information
regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Various issues: https://privacyscore.org/site/94080/

Several jQuery libraries to be retired: https://privacyscore.org/site/94080/

Also consider: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=wifipasser.com&ref_sel=GSP2&ua_sel=ff&fs=1

7 to flag here: https://www.virustotal.com/#/url/d5585ea54c471ad8271301d960dc2727dfdd1a2e7942a532a9ebce5e1f426699/detection

Quite some PHISHING going on on IP: https://checkphish.ai/ip/185.66.141.146   -> http://whois.domaintools.com/185.66.141.146

PHISHING confirmed here: https://urlquery.net/report/24905d3e-5882-4948-a1b1-0059ae947425

Best regards,

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: March 18, 2018, 07:07:58 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
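
The directory-indexing check quoted in the post above, sketched as an added example (not code from the original post or from the scanner it quotes): it classifies responses already fetched from your own WordPress install as listing pages or not. The function names and the sample responses are constructed for illustration.

```python
import re

# Signatures of auto-generated listings: Apache mod_autoindex and nginx autoindex
# both emit an "Index of /path" title and heading; IIS emits a parent-directory link.
TITLE_RE = re.compile(r"<title>\s*Index of\s+/[^<]*</title>", re.I)
HEADING_RE = re.compile(r"<h1>\s*Index of\s+/[^<]*</h1>", re.I)
IIS_RE = re.compile(r"\[To Parent Directory\]", re.I)


def is_directory_listing(status: int, body: str) -> bool:
    """True only for a 200 response whose markup matches a listing page."""
    if status != 200:
        return False  # 403/404: the server did not produce a listing
    if TITLE_RE.search(body) and HEADING_RE.search(body):
        return True
    return bool(IIS_RE.search(body))


def audit(responses: dict) -> dict:
    """Map each path to 'enabled' or 'disabled', as in the quoted report."""
    return {
        path: "enabled" if is_directory_listing(status, body) else "disabled"
        for path, (status, body) in responses.items()
    }


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "/wp-content/uploads/": (200,
        "<html><head><title>Index of /wp-content/uploads</title></head><body>"
        "<h1>Index of /wp-content/uploads</h1>"
        '<a href="2018/">2018/</a></body></html>'),
    # WordPress ships an empty index.php here, so the response is 200 with no body.
    "/wp-content/plugins/": (200, ""),
    "/wp-includes/": (403, "<h1>Forbidden</h1>"),
    # An ordinary page that merely mentions the phrase must not match.
    "/blog/index-of-posts/": (200,
        "<html><head><title>My blog</title></head><body>"
        "<p>Index of /tmp explained</p></body></html>"),
}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{path} {verdict}")
```

On Apache, a path reported as enabled is closed with `Options -Indexes` in the server configuration or .htaccess, which is the fix the quoted report recommends.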

Offline Christophe2

Re: Dangerous websites to block
« Reply #8 on: March 18, 2018, 08:10:28 PM »
Hi,

Thanks for your reply.

Did you block all the website URLs I mentioned before?

Thanks

Best Regards

Chris

Offline HonzaZ

Re: Dangerous websites to block
« Reply #9 on: March 18, 2018, 09:24:17 PM »
I have blocked most of the URLs now.

Offline Christophe2

Re: Dangerous websites to block
« Reply #10 on: March 18, 2018, 10:43:26 PM »


It is a phishing website that asks for credit card information with a fake payment form!!!
« Last Edit: March 29, 2018, 10:34:26 PM by Christophe2 »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Dangerous websites to block
« Reply #11 on: March 19, 2018, 12:50:04 AM »
Hi Chris,

I've viewed the website facepirater*com. They're not asking for payment anywhere that I've seen.

The most questionable thing I've seen is of course it's a hacking website for FB. It won't actually hack anything. They're asking you to call a phone number, which won't do anything. (Except maybe charge you high fees? *Don't call the phone number)

I don't know if you've actually called this number and found out what they want - but suffice it to say that people looking to "hack" a Facebook account are probably looking for a one-step click fix. Not a multi-step hack that involves calling people.

I can think of far easier ways to gain someone's credentials. (Programs exist to do this. Chrome has historically saved "auto-fill" passwords in plain text. I'm not sure they still do, but I wouldn't be surprised.)

So, it's not a phishing website, but it's not something that Avast! should be allowing either. (Given its questionable nature)
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline HonzaZ

Re: Dangerous websites to block
« Reply #12 on: March 19, 2018, 06:32:25 AM »
The detection for facepirater has been live since 23.09.2017, 17:19 CET; here is what happens when I try to open it on my computer:



(Please note that "Phishing" doesn't mean that it steals your credit card info, but we only have two "visible/outside" types - URL:Mal (malicious) and URL:Phishing (phishing) - and this one tends to be more of the second type.)

Where do you see it as clean?
« Last Edit: March 19, 2018, 06:34:54 AM by HonzaZ »

Offline Christophe2

Re: Dangerous websites to block
« Reply #13 on: March 19, 2018, 08:48:30 AM »


Thanks

Chris
« Last Edit: March 29, 2018, 10:34:45 PM by Christophe2 »

Offline HonzaZ

Re: Dangerous websites to block
« Reply #14 on: March 19, 2018, 09:05:25 AM »
I see. So the AOS (Avast Online Security, the browser plugin) doesn't recognize URLs marked as URL:Phishing. This is certainly a bug, and I think I know how to fix it. I even have two solutions, one is fast and one is good (as it always happens to be). I will let you guys know when I decide which solution to implement and what the ETA is.
Thanks for reporting the bug!