Author Topic: Site Blocked - URL:Phishing  (Read 129427 times)

Offline jedrzejevski

  • Newbie
  • *
  • Posts: 2
Re: Site Blocked - URL:Phishing
« Reply #600 on: November 18, 2020, 04:54:50 PM »
Hello,

Apparently, my site was blocked as well. If someone has installed Avast on their notebooks, then error: URL:Phishing pops up. It happens for example on: http://lakp.pl/webpage.php?id=387 or http://lakp.pl/zawodnik.php?playerId=7736.

It is a page built by myself. Can someone help me with detecting why it was blocked? I have run scan: https://retire.insecurity.today/#!/scan/da0c48038c5188f6fa437286968531e736bb98ee851a10362e4148fd295bb489 and it seems that there is 1 vulnerable library (jquery 1.11.3), can it be the cause?

Thanks,
Adrian

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 68717
    • >>>  Avast Forum - German-language section  <<<
Win8.1 [x64] - Avast PremSec 21.1.2444.B#2 [UI.595] - EEK - Firefox ESR 78.6.1 [NS/uBO/PB] - TB 78.6.1
Avast-Tools: Secure Browser 88.0 - Cleanup P 20.1 - SecureLine 5.9 - Driver Updater 20.2 - CCleaner 5.76
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32902
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #602 on: November 19, 2020, 11:39:36 AM »
Hello Mr. Adrian,

I scanned one of the links you gave for recommendations (hints towards improvement e.g. security improvement),
and it came up with some 200 issues: https://webhint.io/scanner/3d28d568-67c6-4138-9d97-805c21231595
See particularly: https://webhint.io/scanner/3d28d568-67c6-4138-9d97-805c21231595#category-security

Certainly that http site has some backlying php problems at the webserver and as you saw it is not only avast to complain about that.
But that is not what the blocking is about.

See:
Quote
<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylXXXXXXXXXXXXXXXXXXXXvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_vgqARs6XTetJ9eDkEAigNmOH0gI5oDHVDcJDA1yqXazCcWPMB7YBiWBbQDicgeQD0aSb9mBSmBlUDES6V4hqeQ==><head><meta charset="utf-8"><title>lak.pl&nbsp;-&nbspThis website is for sale!&nbsp;-&nbspLak Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="This website is for sale! -lak.pl is your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here, -lak.pl has it all. We hope you find what you are searching for!"><link
XXXXXX obfuscated by me for obvious reasons  (pol).

"Your site" has been sedo-parked and is earning adclicks for ABP "from the grave" (as it is for sale).
Now a rogue can't just copy someone else's "data-adblockkey" for their own site: -http://img.sedoparking.com","adblockkey":" data-

Spammy looking links: Any links with funky anchor text? Yes there are.

<a href="-http://lakp.pl/wyniki.php?roundId=642">Moore - Git Team 4-3 (3-0)<br> Adampol - Poker 6-1 (2-1)<br> Nexbet - Krupniki 4-3 (0-2)<br> Dywany - APP Energy 5-7 (2-2)<br> Bosko - Tifosi 5-3 (2-1)<br> Czarni - Politechnika 4-2 (1-1)</a>
<a style="text-decoration: none !important; color: #302c7f;" href="-klub.php?teamId=46">Poker</a> That is all (pol).

Regards,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: November 19, 2020, 12:04:24 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline jedrzejevski

  • Newbie
  • *
  • Posts: 2
Re: Site Blocked - URL:Phishing
« Reply #603 on: November 23, 2020, 05:30:56 PM »
Hi Polonus,

Thanks for your help.
However, I can't find the part of the site that you mentioned, the :
Quote
<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylXXXXXXXXXXXXXXXXXXXXvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_vgqARs6XTetJ9eDkEAigNmOH0gI5oDHVDcJDA1yqXazCcWPMB7YBiWBbQDicgeQD0aSb9mBSmBlUDES6V4hqeQ==><head><meta charset="utf-8"><title>lak.pl&nbsp;-&nbspThis website is for sale!&nbsp;-&nbspLak Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="This website is for sale! -lak.pl is your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here, -lak.pl has it all. We hope you find what you are searching for!"><link

My site is lakp.pl, not the lak.pl that this quote points to.
Regarding ? in the links, I know it's not a best way still to use URLs, however it is still used by many websites over the world, do you think it can be a source of the issues?
Thanks,

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32902
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #604 on: November 24, 2020, 02:43:12 PM »
Do not see the website LAKP being blocked by avast now.
Also see: https://urlscan.io/result/16c1e500-62f4-4325-995f-986b639b986e/#links
Detections normally are based on such indicators like: https://urlscan.io/result/16c1e500-62f4-4325-995f-986b639b986e/#indicators

polonus

Offline aemn.hnaoe

  • Newbie
  • *
  • Posts: 1
Re: Site Blocked - URL:Phishing
« Reply #605 on: December 08, 2020, 07:57:25 PM »
Hi,
URL block was disabled.

Lukas



Hello, I'm having problems with my website (www.faceyok.com and www.damascusgrill.com ), whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84421
  • No support PMs thanks
Re: Site Blocked - URL:Phishing
« Reply #606 on: December 08, 2020, 10:05:21 PM »
<snip quote>
Hello, I'm having problems with my website (wXw.faceyok.com and wXw.damascusgrill.com ), whenever I try to access it from any computer that has Avast installed it does not allow access and the attachment popup appears.


Please 'modify' your post and change the URL from www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

See https://sitecheck.sucuri.net/results/damascusgrill.com this is blacklisted by others and is considered Critical Security Risk
https://sitecheck.sucuri.net/results/faceyok.com and is a Medium Security Risk

Since both are on the same IP address both are likely to be tarred with the same brush.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.10.2442 (build 20.10.5824.618) UI-1.0.591/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32902
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #607 on: December 09, 2020, 12:08:19 PM »
DavidR is right, but according to Virus Total scan-results swopped detections.

It is not only avast's that detects here, also Fortinet's, see:
https://www.virustotal.com/gui/url/f7aeeef1224ff2077c2f219836fbc072a4f34a70e913bce1681aae353dc172a4/detection

And there in this case it is the other way around as VT reports the other website in the clear
https://www.virustotal.com/gui/domain/www.damascusgrill.com/relations
as McAfee blacklists can be dated. Anyway software on that site is outdated as well, see also
the security implications of this scan: https://webhint.io/scanner/34a3bd1a-ee16-481e-809d-b54668db60e6#category-security

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Offline seeraig

  • Newbie
  • *
  • Posts: 7
Re: Site Blocked - URL:Phishing
« Reply #608 on: December 12, 2020, 09:28:44 AM »
My site scentbox.com is also getting blocked for URL: phishing. The site has been online for over 4 years with no issues. I've also sent a request to avast through their false positive form, but haven't heard back yet. Customers cannot access the site and it's the busiest period of the year, really not fair to block legitimate sites like this. I've scanned it with the online tools, comes up clean. Can someone help me figure out how to get Avast to unblock the site or what's wrong?
« Last Edit: December 12, 2020, 09:42:25 AM by seeraig »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84421
  • No support PMs thanks
Re: Site Blocked - URL:Phishing
« Reply #609 on: December 12, 2020, 12:31:29 PM »
@ seeraig
See https://sitecheck.sucuri.net/results/scentbox.com your site is considered a medium security risk.

Also see https://webhint.io/scanner/af9cf4ee-5922-4761-8468-48163fcfdad8 there are many security points that should be considered.

Now this may not be why avast is alerting on it, but the points mentioned in the above links could leave your site vulnerable to hacking, etc.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36885
Re: Site Blocked - URL:Phishing
« Reply #610 on: December 12, 2020, 12:46:29 PM »
Quote
Can someone help me figure out how to get Avast to unblock the site or what's wrong?


Report a suspected false positive (select file or website)

Click this link >>  https://www.avast.com/false-positive-file-form.php

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32902
  • malware fighter
Re: Site Blocked - URL:Phishing
« Reply #611 on: December 12, 2020, 05:12:03 PM »
Probably this link could be flagged:  -https://cdn.userway.org/widget.js
Besides we discovered an alert that your connection is not secure (see *)

Above links opens up to  -https://cdn.userway.org/widget.js
->  as a javascript error also a file not found:
-https://userway.org/promo/fonts/metropolis/metropolis.css?v=1579685658
= at -cdn.userway.org
IP Address   -143.204.192.15
Hostname(s)   
-server-143-204-192-15.lhr3.r.cloudfront.net
-> https://sitereport.netcraft.com/?url=server-143-204-192-15.lhr3.r.cloudfront.net
Country   United States
Organization   Amazon CloudFront

Android malcode detections on IP relations - https://www.virustotal.com/gui/ip-address/143.204.192.15/relations

But I see no cloaking, no spammy looking links, all same status codes for the website an sich.
But as our DavidR reminds us the website has various security issues,
resulting in a minus 7 score here *; see scan:
https://webcookies.org/cookies/scentbox.com/31197601?435913
Given as excessive server info proliferation, Transport Layer Security (TLS) is not enabled (as reported by SiteCheck also); X-Frame-Options header is missing; X-XSS-Protection header is missing and X-Content-Type-Options header is missing.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
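
The transport and header findings listed in the post above (TLS not enabled, missing X-Frame-Options, X-XSS-Protection and X-Content-Type-Options, excessive server info) can be checked locally against a saved response before a false-positive report is resubmitted. This is an added example, not code from the thread or from any scanner named in it; the URL, header values and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses (not captured from any site in this thread).
SAMPLE_URL = "http://shop.example/"
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
"""

# Headers the scan quoted in the post reports as missing.
# X-XSS-Protection is a legacy header that current browsers ignore;
# it is checked here only because that scan lists it.
REQUIRED = ("X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options")
VERSION = re.compile(r"\d+(\.\d+)+")  # e.g. "2.4.29" in a Server banner

def parse_headers(raw):
    """Return {lowercased-name: value} from a raw response head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(url, raw):
    """List the findings for one URL and its response headers."""
    headers = parse_headers(raw)
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("TLS not enabled")
    for name in REQUIRED:
        if name.lower() not in headers:
            findings.append(f"{name} header is missing")
    # Version numbers in banners are the "excessive server info".
    for name in ("server", "x-powered-by"):
        if VERSION.search(headers.get(name, "")):
            findings.append(f"server info disclosed: {name}: {headers[name]}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_RESPONSE):
        print(finding)
```
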

Offline seeraig

  • Newbie
  • *
  • Posts: 7
Re: Site Blocked - URL:Phishing
« Reply #612 on: December 12, 2020, 07:18:01 PM »
Quote
@ seeraig
See https://sitecheck.sucuri.net/results/scentbox.com your site is considered a medium security risk.

Also see https://webhint.io/scanner/af9cf4ee-5922-4761-8468-48163fcfdad8 there are many security points that should be considered.

Now this may not be why avast is alerting on it, but the points mentioned in the above links could leave your site vulnerable to hacking, etc.

This doesn't have to do with phishing though, and 90% of almost every website comes up as medium risk, but they're not blocked as phishing.

Offline seeraig

  • Newbie
  • *
  • Posts: 7
Re: Site Blocked - URL:Phishing
« Reply #613 on: December 12, 2020, 07:19:31 PM »
Quote
Probably this link could be flagged:  -https://cdn.userway.org/widget.js
Besides we discovered an alert that your connection is not secure (see *)

Above links opens up to  -https://cdn.userway.org/widget.js
->  as a javascript error also a file not found:
-https://userway.org/promo/fonts/metropolis/metropolis.css?v=1579685658
= at -cdn.userway.org
IP Address   -143.204.192.15
Hostname(s)   
-server-143-204-192-15.lhr3.r.cloudfront.net
-> https://sitereport.netcraft.com/?url=server-143-204-192-15.lhr3.r.cloudfront.net
Country   United States
Organization   Amazon CloudFront

Android malcode detections on IP relations - https://www.virustotal.com/gui/ip-address/143.204.192.15/relations

But I see no cloaking, no spammy looking links, all same status codes for the website an sich.
But as our DavidR reminds us the website has various security issues,
resulting in a minus 7 score here *; see scan:
https://webcookies.org/cookies/scentbox.com/31197601?435913
Given as excessive server info proliferation, Transport Layer Security (TLS) is not enabled (as reported by SiteCheck also); X-Frame-Options header is missing; X-XSS-Protection header is missing and X-Content-Type-Options header is missing.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

I removed the userway js, still getting blocked though. i've had that 3rd party script for over 6 months though without issue.

Offline seeraig

  • Newbie
  • *
  • Posts: 7
Re: Site Blocked - URL:Phishing
« Reply #614 on: December 12, 2020, 07:20:33 PM »
Quote
@ seeraig
See https://sitecheck.sucuri.net/results/scentbox.com your site is considered a medium security risk.

Also see https://webhint.io/scanner/af9cf4ee-5922-4761-8468-48163fcfdad8 there are many security points that should be considered.

Now this may not be why avast is alerting on it, but the points mentioned in the above links could leave your site vulnerable to hacking, etc.

these are separate issues, I need to know why Avast is blocking as phishing